ManPD/Pwnable.kr input exploit code

## Pwnable.kr input exploit code
#include <stdio.h>
#include <stdlib.h>

int main(){
        //stage1 attack!

        char *argv[101] = {"/home/input/input", [1 ... 99] = "A", NULL};	//argv[0],argv[1],....,argv[100]
        argv['A'] = "\x00";
        argv['B'] = "\x20\x0a\x0d";
        argv['C'] = "33333";

        // stage3 attack!
        char* envp[2] = {"\xde\xad\xbe\xef=\xca\xfe\xba\xbe"};

        // stage4
        FILE* fp = fopen("\x0a", "wb");
        fwrite("\x00\x00\x00\x00", 4, 1 ,fp);
        fclose(fp);

        // stage2
        int pipe1[2], pipe2[2];
        if(pipe(pipe1) < 0 || pipe(pipe2) < 0) {
                printf("pipe error!\n");
                exit(-1);
        }
        if(fork() == 0) {
                dup2(pipe1[0], 0);
                close(pipe1[1]);

                dup2(pipe2[0], 2);
                close(pipe2[1]);
                execve("/home/input/input", argv, envp);
        }else{
                write(pipe1[1], "\x00\x0a\x00\xff", 4);
                write(pipe2[1], "\x00\x0a\x02\xff", 4);
                sleep(30);
        }
}
	#include <stdio.h>
	#include <stdlib.h>

	int main(){
	//stage1 attack!

	char *argv[101] = {"/home/input/input", [1 ... 99] = "A", NULL}; //argv[0],argv[1],....,argv[100]
	argv['A'] = "\x00";
	argv['B'] = "\x20\x0a\x0d";
	argv['C'] = "33333";

	// stage3 attack!
	char* envp[2] = {"\xde\xad\xbe\xef=\xca\xfe\xba\xbe"};

	// stage4
	FILE* fp = fopen("\x0a", "wb");
	fwrite("\x00\x00\x00\x00", 4, 1 ,fp);
	fclose(fp);

	// stage2
	int pipe1[2], pipe2[2];
	if(pipe(pipe1) < 0 \|\| pipe(pipe2) < 0) {
	printf("pipe error!\n");
	exit(-1);
	}
	if(fork() == 0) {
	dup2(pipe1[0], 0);
	close(pipe1[1]);

	dup2(pipe2[0], 2);
	close(pipe2[1]);
	execve("/home/input/input", argv, envp);
	}else{
	write(pipe1[1], "\x00\x0a\x00\xff", 4);
	write(pipe2[1], "\x00\x0a\x02\xff", 4);
	sleep(30);
	}
	}