Tags: got formatstring ropchain pwn 

TLDR:
- dump the stack
- find a PIE leak and calculate the PIE base using page bit masking
- dump `.rela.plt`, `.dynsym`, and `.dynstr` from the binary using the `%s` arbitrary read
- manually reconstruct the GOT table
- find leaks for known addresses from the GOT
- use a libc database to identify the libc version (2.31)
- back in the stack dump, find a libc return address leak and calculate the libc base
- use the saved RBP as a stack leak
- use all prior information and pwntools to write a ROP chain at the return address
- quit
- get shell :D
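
The GOT reconstruction step is ordinary ELF64 parsing, the same join that `readelf -r` performs: each `.rela.plt` entry names a GOT slot and a `.dynsym` index, and the symbol's `st_name` is an offset into `.dynstr`. The following is an added example, not code from the original writeup; the function names and the sample section bytes are constructed for illustration, and it assumes x86-64 little-endian dumps.

```python
import struct

RELA = struct.Struct("<QQq")    # Elf64_Rela: r_offset, r_info, r_addend
SYM = struct.Struct("<IBBHQQ")  # Elf64_Sym: st_name, st_info, st_other, st_shndx, st_value, st_size
R_X86_64_JUMP_SLOT = 7          # relocation type used for PLT/GOT function slots


def cstr(strtab, off):
    """Return the NUL-terminated name at `off`, rejecting offsets outside the dump."""
    if not 0 <= off < len(strtab):
        raise ValueError(f"st_name {off:#x} is outside the .dynstr dump")
    end = strtab.find(b"\0", off)
    if end < 0:
        raise ValueError("unterminated name: .dynstr dump is truncated")
    return strtab[off:end].decode("ascii", "replace")


def got_slots(rela_plt, dynsym, dynstr):
    """Map each JUMP_SLOT r_offset (image-relative GOT slot) to its symbol name."""
    slots = {}
    usable = len(rela_plt) - len(rela_plt) % RELA.size  # drop a partial trailing entry
    for r_offset, r_info, _addend in RELA.iter_unpack(rela_plt[:usable]):
        sym_idx, r_type = r_info >> 32, r_info & 0xFFFFFFFF
        if r_type != R_X86_64_JUMP_SLOT:
            continue
        if (sym_idx + 1) * SYM.size > len(dynsym):
            raise ValueError(f"symbol index {sym_idx} is outside the .dynsym dump")
        st_name = SYM.unpack_from(dynsym, sym_idx * SYM.size)[0]
        slots[r_offset] = cstr(dynstr, st_name)
    return slots


def sample_sections():
    """Constructed sample: three imports with made-up GOT offsets, not the challenge binary."""
    dynstr = b"\0puts\0printf\0fgets\0"
    dynsym = SYM.pack(0, 0, 0, 0, 0, 0)  # index 0 is the reserved null symbol
    for st_name in (1, 6, 13):           # offsets of the names inside dynstr
        dynsym += SYM.pack(st_name, 0x12, 0, 0, 0, 0)  # 0x12 = STB_GLOBAL | STT_FUNC
    rela_plt = b"".join(
        RELA.pack(0x4018 + 8 * i, ((i + 1) << 32) | R_X86_64_JUMP_SLOT, 0)
        for i in range(3)
    )
    return rela_plt, dynsym, dynstr


if __name__ == "__main__":
    for slot, name in sorted(got_slots(*sample_sections()).items()):
        print(f"GOT+{slot:#06x}  {name}")
```

The bounds checks matter because sections recovered through a string-style read are often incomplete: the read stops at every NUL byte, so a short `.dynsym` or `.dynstr` dump should fail loudly rather than yield wrong names.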

Original writeup (https://vulnx.dev/blog/posts/Buckeye-CTF-2025/).