path: root/x86_64/fluff/gadgets
Diffstat (limited to 'x86_64/fluff/gadgets')
-rw-r--r--x86_64/fluff/gadgets44
1 files changed, 44 insertions, 0 deletions
diff --git a/x86_64/fluff/gadgets b/x86_64/fluff/gadgets
new file mode 100644
index 0000000..6c2f329
--- /dev/null
+++ b/x86_64/fluff/gadgets
@@ -0,0 +1,44 @@
+Memory bytes information
+=======================================================
+0x00000000004003c4 : 'f'
+0x0000000000400239 : 'l'
+0x00000000004003d6 : 'a'
+0x00000000004003cf : 'g'
+0x0000000000400000 : '.'
+0x0000000000400192 : 't'
+0x0000000000400246 : 'x'
+0x0000000000400192 : 't'
+
+0x0000000000400610 : mov eax, 0 ; pop rbp ; ret
+
+400628: d7 xlat BYTE PTR ds:[rbx] #mov al, [rbx + al] requires rbx
+***
+40062a: 5a pop rdx
+40062b: 59 pop rcx
+40062c: 48 81 c1 f2 3e 00 00 add rcx,0x3ef2
+400633: c4 e2 e8 f7 d9 bextr rbx,rcx,rdx
+
+#rdx is controller.
+rdx bits 0-7: starting bit
+rdx bits 8-15: length
+***
+400639: aa stos BYTE PTR es:[rdi],al #moves al to rdi, then adds rdi
+ # requires rdi (check), al
+
+
+
+0000000000400510 : print_file@plt
+
+
+0x00000000004006a3 : pop rdi ; ret
+
+
+exploit:
+
+write to memory using al as letter
+ set al to zero
+ set rbx to memory location
+ rcx: (location - 0x3ef2) before bextr
+ rdx: 0x00 0x20 (from position zero, using 32 bits)
+
+