from
pwn
import
*
from
os
import
system
import
sys
# One-letter wrappers around the global tube `io` (bound further down in this
# file). Each body looks `io` up at call time, so the tube only has to exist
# when a wrapper is first used.
def s(data):
    """Send *data* on `io`."""
    return io.send(data)


def sa(delim, data):
    """Send *data* once *delim* has been received."""
    return io.sendafter(str(delim), data)


def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Send *data* plus a newline once *delim* has been received."""
    return io.sendlineafter(str(delim), data)


def r(num):
    """Receive up to *num* bytes."""
    return io.recv(num)


def ru(delims, drop=True):
    """Receive through *delims*; *drop* says whether the delimiter is removed from the result."""
    return io.recvuntil(delims, drop)


def rl():
    """Receive one line."""
    return io.recvline()


def itr():
    """Hand the tube over to the terminal."""
    return io.interactive()


def uu32(data):
    """Unpack *data* with u32, zero-padding short input to 4 bytes."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack *data* with u64, zero-padding short input to 8 bytes."""
    return u64(data.ljust(8, b'\x00'))


def ls(data):
    """Log *data* at success level."""
    return log.success(data)


def lss(s):
    """Log `<s> --> 0x<value>` in bold red for the expression string *s*.

    *s* is handed to eval() and resolved in this module's namespace, and the
    `%x` formatting requires the result to be an integer, so this is meant
    for the name of a module-level address variable, not arbitrary text.
    """
    return log.success('\033[1;31;40m%s --> 0x%x \033[0m' % (s, eval(s)))
# Global pwntools settings for this script: 64-bit target, verbose tube
# traffic in the log, and debugger windows opened in a new tmux pane
# (horizontal split, size 190).
context.update(
    arch='amd64',
    log_level='debug',
    terminal=['tmux', 'splitw', '-h', '-l', '190'],
)
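def start(binary, argv=None, *a, **kw):
    """Return a tube to the target selected by the pwntools command-line flags.

    GDB=1 runs *binary* under gdb with the module-level ``gdbscript``;
    RE=1 selects a remote target; AWD=1 connects to the host and port given
    as ``sys.argv[1]`` and ``sys.argv[2]``; otherwise *binary* is started as
    a local process. Extra positional and keyword arguments are forwarded to
    ``gdb.debug`` / ``process``.

    Note: nothing in this file calls ``start`` (``io`` is created directly
    with ``process`` below), and the RE branch calls ``remote()`` without a
    host and port, so that branch raises ``TypeError`` as written.
    """
    # Use a None sentinel rather than a shared `[]` default (ruff B006). The
    # body only reads argv, so behaviour for callers is unchanged.
    argv = [] if argv is None else argv
    if args.GDB:
        return gdb.debug([binary] + argv, gdbscript=gdbscript, *a, **kw)
    if args.RE:
        # NOTE(review): remote() requires (host, port); none are supplied here.
        return remote()
    if args.AWD:
        host = str(sys.argv[1])
        port = int(sys.argv[2])
        return remote(host, port)
    return process([binary] + argv, *a, **kw)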
# Start Apache in the foreground with -X (single, non-detaching worker) and
# print the launcher's pid; the short sleep lets it come up before the httpd
# process is looked up below.
apache_argv = ['/usr/sbin/apachectl', '-X']
io = process(apache_argv)
print(io.pid)
sleep(0.1)
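import subprocess

# gdb commands to run once attached. The original aliased this to the pgrep
# argv list below (`gdbscript = command = [...]`), so gdb.attach received a
# list where it expects a script string; keep the two separate.
gdbscript = ''

# apachectl is normally a launcher around httpd, so locate the actual
# /usr/sbin/apache2 process rather than reusing io.pid.
command = ["pgrep", "-f", "/usr/sbin/apache2"]
result = subprocess.run(command, capture_output=True, text=True)
matches = result.stdout.split()
if not matches:
    # pgrep prints nothing (and exits 1) when there is no match; without this
    # guard int('') would fail with an unhelpful ValueError.
    raise RuntimeError('no /usr/sbin/apache2 process found to attach to')
pids = int(matches[0])  # first match, as before

gdb.attach(pids, gdbscript)
pause()  # wait for the debugger to be ready before triggering the page

# Stage the PHP page into the document root and request it locally.
system('cp exp.php /var/www/html/exp.php')
system('curl http://127.0.0.1/exp.php')
itr()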