# This exploit template was generated via:
# $ pwn template --host pwnable.kr --port 9000
# Set up pwntools for the correct architecture
# Tell pwntools the target is 32-bit x86 (pwntools `context.update` sets
# the same attribute; the assignment form is the equivalent direct spelling).
context.arch = 'i386'
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
# Remote target. Both values can be overridden on the command line
# (HOST=... PORT=...); a missing or empty override falls back to the default.
host = args.HOST if args.HOST else 'pwnable.kr'
port = int(args.PORT) if args.PORT else 9000
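def start_local(argv=None, *a, **kw):
    '''Execute the target binary locally.

    Runs ``exe`` under GDB (with ``gdbscript``) when the exploit is invoked
    with the ``GDB`` argument (``./exploit.py GDB``), otherwise as a plain
    ``process``.  The original had both calls as consecutive unconditional
    ``return`` statements, so the ``process`` path was unreachable.

    Args:
        argv: extra command-line arguments appended after ``exe``.  ``None``
            (the default) means no extra arguments; a fresh list is built on
            every call so no mutable default is shared between calls.
        *a, **kw: passed through unchanged to ``gdb.debug`` / ``process``.

    Returns:
        The pwntools tube for the newly started process.
    '''
    argv = [] if argv is None else list(argv)
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    return process([exe] + argv, *a, **kw)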
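def start_remote(argv=None, *a, **kw):
    '''Connect to the process on the remote host.

    Opens a TCP connection to ``host``:``port``.  ``argv`` and the extra
    arguments are accepted only so the signature matches ``start_local``;
    the remote service is already running, so they are not used.  When the
    exploit is invoked with the ``GDB`` argument, GDB is attached to the
    connection using ``gdbscript``.  The original referenced ``io`` before
    ever creating it and returned nothing.

    Returns:
        The connected pwntools tube.
    '''
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io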
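def start(argv=None, *a, **kw):
    '''Start the exploit against the target.

    Dispatches on the ``LOCAL`` command-line argument: ``./exploit.py LOCAL``
    runs the binary on this machine via ``start_local``; otherwise the
    connection goes to the remote ``host``/``port`` via ``start_remote``.
    The original returned ``start_local`` unconditionally, leaving the
    remote path unreachable.

    Args:
        argv: extra arguments for the local binary (ignored remotely).
        *a, **kw: forwarded to whichever starter is chosen.

    Returns:
        The pwntools tube returned by the chosen starter.
    '''
    if args.LOCAL:
        return start_local(argv, *a, **kw)
    return start_remote(argv, *a, **kw)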
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run with the GDB argument, e.g. ./exploit.py GDB
#===========================================================
#===========================================================
# The offset includes old ebp
# Overwrite return address
# Overwrite function argument