aaa_Temp.py
from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
from LibcSearcher import * # type: ignore
from MyPwn import*
# ========================
# Target and tooling configuration for this template.
context.arch = 'amd64'
# context.arch = 'i386'
# context.log_level = 'debug'
host = 'pwn.challenge.ctf.show'
port = 28148
file_name = 'pwn'
# Breakpoint handed to gdb by Start(): a plain address for a non-PIE build,
# an offset (run through the debugger's $rebase helper) for a PIE build.
Breakpoint_NoPIE = 0x1100
Breakpoint_PIE = 0x1100
# ========================
# Local copy of the challenge binary and the libc that pwntools resolves for it.
local_file = f'/mnt/c/Users/HelloCTF_OS/Desktop/Pwn_file/{file_name}'
elf = ELF(local_file)
local_libc = elf.libc.path
libc = ELF(local_libc, checksec=False)
def Start():
    """Open the target according to the pwntools command-line ``args`` flags.

    The first matching flag wins, in this order:
      C  -- list common gadgets of the local libc via ROPgadget() and exit(0).
      G  -- run the binary locally and attach gdb with ``b *Breakpoint_NoPIE``.
      GP -- run the binary locally and attach gdb with ``b *$rebase(Breakpoint_PIE)``.
      P  -- run the binary locally without a debugger.
      (none) -- connect to ``host``:``port``.

    Returns:
        A pwntools tube (``process`` or ``remote``).  Does not return for ``C``.
    """
    if args.C:
        ROPgadget(local_libc)
        exit(0)

    if args.G or args.GP:
        # G takes precedence over GP, matching the original branch order.
        # The PIE variant wraps the offset in the debugger-provided $rebase helper.
        script = f'b *{Breakpoint_NoPIE}' if args.G else f'b *$rebase({Breakpoint_PIE})'
        io = process(local_file)
        gdb.attach(io, script)
        return io

    if args.P:
        return process(local_file)

    return remote(host, port)
def Exp():
    """Exploit body placeholder.

    Intentionally a no-op: the template leaves this for the solver to fill in.
    Returns ``None``.
    """
    pass
if __name__=='__main__':
    # `io` is bound at module scope (not inside a function), so it is also
    # visible to Exp() as a global once that body is filled in.
    io=Start()
    Exp()
    # Hand the tube over to the user after the scripted part has run.
    io.interactive()
MyPwn.py
import subprocess
import sys
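def ROPgadget(local_file):
    """Print a short list of common gadgets found in *local_file* via the ROPgadget CLI.

    For each entry in ``gadgets`` the function prints a header line, the
    matching lines of ROPgadget's output, and a separator.  ``ret`` is
    handled by a separate ``--only ret`` query filtered with ``endswith``,
    because a plain substring test would match every gadget ending in ``ret``.

    Args:
        local_file: Path of the ELF to scan.

    Raises:
        FileNotFoundError: Propagated from ``subprocess.run`` when the
            ``ROPgadget`` executable is not on PATH.
    """
    gadgets = ["pop rdi", "pop rsi", "pop rdx", "pop rax", "pop rbp", "ret", "leave"]

    def _scan(only):
        # One ROPgadget invocation.  A non-zero exit used to be silently
        # treated as "no gadgets"; report it so an unreadable binary or a
        # broken tool install is visible to the user.
        result = subprocess.run(
            ["ROPgadget", "--binary", local_file, "--only", only],
            capture_output=True,
            text=True,
        )
        if result.returncode != 0:
            print(
                f"ROPgadget exited with {result.returncode} for --only {only!r}: "
                f"{result.stderr.strip()}",
                file=sys.stderr,
            )
        return result.stdout.splitlines()

    # The shared query does not depend on which gadget is being looked for,
    # so run it once instead of once per loop iteration.
    shared_lines = _scan("pop|ret|leave")

    for gadget in gadgets:
        print(f"Searching for: {gadget}")
        if gadget == "ret":
            matches = [line for line in _scan("ret") if line.endswith("ret")]
        else:
            matches = [line for line in shared_lines if gadget in line]
        for line in matches:
            print(line)
        print("----------------------------------------")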