exploit.py
"""
Here we have a challenge with assembly source code. But assembly language is ARM.
You just need to understand the code and do the sum of three keys.
This exploit doesn't work actually 'cause on target machine they use a different shell and i dunno how to execute './leg'
But you can still read comments and understand the solution.
"""
from pwn import *
def exploit():
s = ssh(user='leg', host='pwnable.kr', password='guest', port=2222)
p = s.process(executable='./leg', shell=False)
# we can get the first key which is the address of next insructions.
key1 = 0x00008ce4
# In r6 we have pc + 0x1 at the beginning
# Then we jump with bx set to r6 which is the next instruction
# And then to r3 add 0x4 or to next instruction add 0x4
key2 = 0x00008d0c
# This address is just an address of next instruction after function will complete its execution (or ret address)
key3 = 0x00008d80
full_key = str(key1 + key2 + key3).encode()
print(p.recv())
p.sendline(full_key)
p.close()
if __name__=='__main__':
exploit()
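The three comments in the script rest on two ARM facts: reading pc in ARM mode gives the current instruction address plus 8 and in Thumb mode plus 4, and `bx` switches to Thumb mode when bit 0 of the target register is set. The block below is an added example, not part of the repository's exploit.py, that encodes those rules and reproduces the three key values from the script. The instruction addresses it starts from (0x8cdc, 0x8cfc, 0x8d7c) do not appear on the page and are only my assumptions about the challenge's disassembly; the key constants themselves are the ones in the script.

```python
# Added example, not part of the original exploit.py: a small model of the
# ARM pc-read and bx interworking rules that the exploit's comments rely on.
# The instruction addresses (0x8cdc, 0x8cfc, 0x8d7c) are assumptions about
# the challenge's disassembly; only the three key values come from the page.

ARM_PC_OFFSET = 8    # in ARM mode, reading pc yields current instruction + 8
THUMB_PC_OFFSET = 4  # in Thumb mode, reading pc yields current instruction + 4


def pc_read(addr, thumb):
    """Value observed when the instruction at `addr` reads the pc register."""
    return addr + (THUMB_PC_OFFSET if thumb else ARM_PC_OFFSET)


def bx(target):
    """`bx rN`: bit 0 of the register selects Thumb mode; the jump lands on
    the register value with bit 0 cleared."""
    return target & ~1, bool(target & 1)


def key1(mov_addr=0x8cdc):
    """`mov r3, pc` executed in ARM mode (mov_addr is an assumed address)."""
    return pc_read(mov_addr, thumb=False)


def key2(add_addr=0x8cfc):
    """`add r6, pc, #1` (assumed at add_addr), immediately followed by
    `bx r6`, then in Thumb mode `mov r3, pc` and `add r3, #4`."""
    r6 = pc_read(add_addr, thumb=False) + 1   # pc + 1: low bit set -> Thumb
    mov_addr, thumb = bx(r6)                  # lands right after the bx
    r3 = pc_read(mov_addr, thumb)             # Thumb read: instruction + 4
    return r3 + 4


def key3(bl_addr=0x8d7c):
    """`mov r3, lr` inside a function called with `bl` (assumed at bl_addr):
    lr holds the address of the 4-byte ARM instruction following the bl."""
    return bl_addr + 4


def full_key():
    """Decimal string the binary expects, as the exploit sends it."""
    return str(key1() + key2() + key3())


if __name__ == "__main__":
    print(hex(key1()), hex(key2()), hex(key3()), full_key())
```

Running it prints the three keys as 0x8ce4, 0x8d0c and 0x8d80, matching the constants in the script, and the decimal total 108400 that the exploit sends.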