From 4c25bd918847e914875e900285008eb3865ca8b6 Mon Sep 17 00:00:00 2001
From: Brett Weiland <brett_weiland@bpcspace.com>
Date: Thu, 17 Dec 2020 19:39:54 -0600
Subject: 	new file:   x86_64/fluff/exploit.py 	new file:  
 x86_64/fluff/gadgets

---
 x86_64/fluff/gadgets | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 x86_64/fluff/gadgets

(limited to 'x86_64/fluff/gadgets')

diff --git a/x86_64/fluff/gadgets b/x86_64/fluff/gadgets
new file mode 100644
index 0000000..6c2f329
--- /dev/null
+++ b/x86_64/fluff/gadgets
@@ -0,0 +1,44 @@
+Memory bytes information
+=======================================================
+0x00000000004003c4 : 'f'
+0x0000000000400239 : 'l'
+0x00000000004003d6 : 'a'
+0x00000000004003cf : 'g'
+0x0000000000400000 : '.'
+0x0000000000400192 : 't'
+0x0000000000400246 : 'x'
+0x0000000000400192 : 't'
+
+0x0000000000400610 : mov eax, 0 ; pop rbp ; ret
+
+400628: d7                    xlat   BYTE PTR ds:[rbx]          #mov al, [rbx + al] requires rbx
+***
+40062a: 5a                    pop    rdx
+40062b: 59                    pop    rcx
+40062c: 48 81 c1 f2 3e 00 00  add    rcx,0x3ef2
+400633: c4 e2 e8 f7 d9        bextr  rbx,rcx,rdx
+
+#rdx is controller.
+rdx bits 0-7: starting bit
+rdx bits 8-15: length
+***
+400639: aa                    stos   BYTE PTR es:[rdi],al       #moves al to rdi, then adds rdi
+                                                                # requires rdi (check), al
+
+
+
+0000000000400510 : print_file@plt
+
+
+0x00000000004006a3 : pop rdi ; ret
+
+
+exploit:
+
+write to memory using al as letter
+  set al to zero
+  set rbx to memory location
+    rcx: (location - 0x3ef2) before bextr
+    rdx: 0x00 0x20 (from position zero, using 32 bits)
+
+
-- 
cgit v1.2.3