pwn_exp_me.py
#!/usr/bin/env python3
# A script for awd exp
from pwn import *
import os
import sys
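# Target selection and shared helpers.
#
# The target is passed as one "host:port" argument; with no argument the
# script is meant to run against the local binary only.
#
# The argument is parsed once, behind the length check. Indexing sys.argv[1]
# unconditionally raised IndexError when no argument was given, which made
# the local/debug branch below unreachable.
#
# No connection is opened at this point. The __main__ block always assigns
# `io`, so a tube created here was replaced without ever being closed.
ip = server_ip = None      # no remote target until an argument is parsed
port = server_port = None
io = None                  # installed by the __main__ block

# Short wrappers around the tube API. Each one looks up the global `io` at
# call time, so they follow whatever tube the __main__ block installs.
r = lambda x: io.recv(x)
ra = lambda: io.recvall()
rl = lambda: io.recvline(keepends=True)
ru = lambda x: io.recvuntil(x, drop=True)   # returned data excludes the marker
s = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda x, y: io.sendafter(x, y)
sla = lambda x, y: io.sendlineafter(x, y)
ia = lambda: io.interactive()
c = lambda: io.close()
# Log at info level, wrapping the text in an ANSI 256-colour escape sequence.
li = lambda x: log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

# Both paths are relative, so they resolve against the current working
# directory: whatever ./pwn and ./libc.so.6 are there is what gets loaded.
elf_path = './pwn'
libc_path = './libc.so.6'

# NOTE(review): LOCAL starts at 1 and nothing in this file sets it to 0, so
# the remote branch of the __main__ block is not reachable as written.
# Confirm whether that is intended.
LOCAL = 1
LIBC = 0

if len(sys.argv) < 2:
    LOCAL = 1
    # 'debug' makes pwntools print the traffic on the tube, so anything read
    # from the service also ends up in the terminal output.
    context.log_level = 'debug'
else:
    context.log_level = 'critical'
    target = sys.argv[1].split(':')
    ip = server_ip = target[0]
    port = server_port = int(target[1])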
#--------------------------func-----------------------------
def db():
    """Attach gdb to the current tube, but only when LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)
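def cat_flag():
    """Request the flag over the current tube, record it, and exit.

    Sends ``cat flag``, reads everything between ``flag{`` and the next
    ``}``, appends the result to the flags file through write_to_flags(),
    writes one log line naming the target, then exits with status 0.

    The bytes between the two markers come from the peer and are stored
    as received; nothing here checks their length or content.
    """
    flag_header = b'flag{'
    flag_footer = b'}'

    sleep(1)  # fixed one-second pause before the command is sent
    # Bytes literals throughout: pwntools tubes carry bytes, and passing str
    # under Python 3 makes pwntools guess the encoding and emit a warning.
    sl(b'cat flag')
    ru(flag_header)
    # No timeout is passed, so this waits for the closing brace for as long
    # as the tube's default timeout allows.
    flag = flag_header + ru(flag_footer) + flag_footer

    write_to_flags(flag + b'\n')

    # NOTE(review): write_to_logs is not defined anywhere in this file, so
    # this call raises NameError unless the name is provided elsewhere. The
    # flag has already been written by then. Define the helper or drop the call.
    target = f'{server_ip}:{server_port}'.encode()
    write_to_logs(b'\nexploited: ' + target + flag)

    # sys.exit rather than the site-provided exit(), which is missing when
    # the interpreter runs without the site module.
    sys.exit(0)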
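def write_to_flags(d):
    """Append *d* followed by a newline to ``./flags``.

    Args:
        d: bytes to store. They are written unchanged, so data that
            already ends in a newline leaves an empty line after it.

    The file is opened in binary append mode relative to the current
    working directory. The ``with`` block closes the handle even when the
    write raises; the earlier open/write/close sequence leaked it then.
    """
    with open('./flags', 'ab') as fd:
        fd.write(d + b'\n')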
#--------------------------exploit--------------------------
def exploit():
    """Placeholder step: it only logs a progress message through li()."""
    progress_message = 'exploit...'
    li(progress_message)
def finish():
    """Hand the tube to the user interactively, then close it."""
    # Same calls the ia() and c() wrappers make, written out directly.
    io.interactive()
    io.close()
#--------------------------main-----------------------------
if __name__ == '__main__':
    # The binary is loaded first on every path.
    elf = ELF(elf_path)

    if not LOCAL:
        # Remote run: connect, then load the libc image only if requested.
        io = remote(server_ip, server_port)
        if LIBC:
            libc = ELF(libc_path)
    elif LIBC:
        # Local run with the bundled libc preloaded into the process.
        # libc_path is relative, so the library is taken from the current
        # working directory.
        libc = ELF(libc_path)
        io = elf.process(env={"LD_PRELOAD": libc_path})
    else:
        # Local run against the system libc.
        io = elf.process()

    exploit()
    finish()