-
Notifications
You must be signed in to change notification settings - Fork 1
/
pwntools
48 lines (36 loc) · 1.36 KB
/
pwntools
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# enable logs of data received and sent
context.log_level = "DEBUG"
# create a process
r = process("./baby_tcache")
# create a remote process
conn = remote(sys.argv[1], sys.argv[2])
# send input to process
r.sendline("1")
# read until a string
r.readuntil("Your choice: ")
# attach gdb and set breakpoint at that address
gdb.attach(r,'b* 0x0000555555554C6B')
# get an interactive session with gdb
r.interactive()
# crafting shellcode assembly
assembly = shellcraft.i386.linux.readfile("./flag", 1) + shellcraft.i386.linux.exit()
shellcode = pwnlib.shellcraft.i386.nop()*100 + pwnlib.shellcraft.i386.linux.sh()
# converting asm to hex
shellcode = asm(assembly, arch = 'i386', os = 'linux')
# getting a formatted p32 word
stack_address_leak = output.split("\n")[2].split(" ")[-2] # getting the string
stack_address_leak = int(stack_address_leak) # getting the integer associated
p32(stack_address_leak) # format according to the architecture in the context
# generating dummy elf given shellcode
In [2]: context.arch = 'amd64'
In [3]: e = ELF.from_bytes(open('./check4', 'rb').read())
[*] '/tmp/pwn-asm-4eWYc3/step3-elf'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x600000)
RWX: Has RWX segments
In [4]: e.save('stage4')
# conversions
u32(where_shellcode_is, sign="signed")