From 4c25bd918847e914875e900285008eb3865ca8b6 Mon Sep 17 00:00:00 2001
From: Brett Weiland
Date: Thu, 17 Dec 2020 19:39:54 -0600
Subject: new file: x86_64/fluff/exploit.py new file: x86_64/fluff/gadgets
---
 x86_64/fluff/gadgets | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 x86_64/fluff/gadgets
(limited to 'x86_64/fluff/gadgets')
diff --git a/x86_64/fluff/gadgets b/x86_64/fluff/gadgets
new file mode 100644
index 0000000..6c2f329
--- /dev/null
+++ b/x86_64/fluff/gadgets
@@ -0,0 +1,44 @@
+Memory bytes information
+=======================================================
+0x00000000004003c4 : 'f'
+0x0000000000400239 : 'l'
+0x00000000004003d6 : 'a'
+0x00000000004003cf : 'g'
+0x0000000000400000 : '.'
+0x0000000000400192 : 't'
+0x0000000000400246 : 'x'
+0x0000000000400192 : 't'
+
+0x0000000000400610 : mov eax, 0 ; pop rbp ; ret
+
+400628: d7 xlat BYTE PTR ds:[rbx] #mov al, [rbx + al] requires rbx
+***
+40062a: 5a pop rdx
+40062b: 59 pop rcx
+40062c: 48 81 c1 f2 3e 00 00 add rcx,0x3ef2
+400633: c4 e2 e8 f7 d9 bextr rbx,rcx,rdx
+
+#rdx is controller.
+rdx bits 0-7: starting bit
+rdx bits 8-15: length
+***
+400639: aa stos BYTE PTR es:[rdi],al #moves al to rdi, then adds rdi
+ # requires rdi (check), al
+
+
+ 0000000000400510 : print_file@plt
+
+
+0x00000000004006a3 : pop rdi ; ret
+
+
+exploit:
+
+write to memory using al as letter
+ set al to zero
+ set rbx to memory location
+ rcx: (location - 0x3ef2) before bextr
+ rdx: 0x00 0x20 (from position zero, using 32 bits)
+
+
-- 
cgit v1.2.3