-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathq5.py
53 lines (38 loc) · 1.46 KB
/
q5.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
import os
import sys
import base64
import addresses
from infosec.core import assemble
from search import GadgetSearch
PATH_TO_SUDO = './sudo'
LIBC_DUMP_PATH = './libc.bin'
def get_string(student_id):
return 'Take me (%s) to your leader!' % student_id
def get_arg() -> bytes:
"""
This function returns the (pre-encoded) `password` argument to be sent to
the `sudo` program.
This data should cause the program to execute our ROP-chain for printing our
message in a finite loop of 16 iterations. Make sure to return a `bytes` object
and not an `str` object.
NOTES:
1. Make sure your loop is executed exactly 16 times.
2. Don't write addresses of gadgets directly - use the search object to
find the address of the gadget dynamically.
3. Make sure to call exit() at the end of your loop (any error code will do).
WARNINGS:
0. Don't delete this function or change it's name/parameters - we are going
to test it directly in our tests, without running the main() function
below.
Returns:
The bytes of the password argument.
"""
search = GadgetSearch(LIBC_DUMP_PATH)
# TODO: IMPLEMENT THIS FUNCTION
raise NotImplementedError()
def main(argv):
# WARNING: DON'T EDIT THIS FUNCTION!
# NOTE: os.execl() accepts `bytes` as well as `str`, so we will use `bytes`.
os.execl(PATH_TO_SUDO, PATH_TO_SUDO, base64.b64encode(get_arg()))
if __name__ == '__main__':
main(sys.argv)