Pwnable input spoiler
from pwn import *

# Python 2 / pwntools script that drives the local './input' binary, handing it
# the argv, stdio, environment and file contents its numbered stages check.
# Each stage's data is prepared *before* the process is spawned (the pipe is
# pre-filled and the file written first) so the target finds it on first read.
pname = './input'

# stage 1: argv with 100 entries; argv[0] is the program, a few slots carry
# specific values, everything else is filler
argu = [pname] + ['a'] * 99
argu[65] = '\x00'
argu[66] = '\x20\x0a\x0d'
argu[67] = '64999'

# stage 2 (stderr half): the read end of this pipe becomes the child's fd 2,
# so the four bytes written here are what it reads from stderr. The write
# end is left open, matching the behaviour of the original script.
stderr_r, stderr_w = os.pipe()
os.write(stderr_w, "\x00\x0a\x02\xff")

# stage 3: copy of the current environment plus one extra variable whose
# name and value are non-ASCII byte strings
env = dict(os.environ)
env['\xde\xad\xbe\xef'] = '\xca\xfe\xba\xbe'

# stage 4: a file literally named "\n" in the working directory holding four
# NUL bytes; it is not removed afterwards
with open("\x0a", 'wb') as spool:
    spool.write("\x00\x00\x00\x00")

# spawn with stdin piped and stderr attached to the pre-filled pipe
p = process(argu, stdin=PIPE, stderr=stderr_r, env=env)
p.stdin.write("\x00\x0a\x00\xff")  # stage 2 (stdin half)

# drain whatever the target prints; a second recvall catches late output
print(p.recvall(timeout=1))
print(p.recvall(timeout=1))