Memory bytes information
=======================================================
0x00000000004003c4 : 'f'
0x0000000000400239 : 'l'
0x00000000004003d6 : 'a'
0x00000000004003cf : 'g'
0x0000000000400000 : '.'
0x0000000000400192 : 't'
0x0000000000400246 : 'x'
0x0000000000400192 : 't'

0x0000000000400610 : mov eax, 0 ; pop rbp ; ret

400628: d7                    xlat   BYTE PTR ds:[rbx]          # al = [rbx + al]; requires rbx to be set beforehand
***
40062a: 5a                    pop    rdx
40062b: 59                    pop    rcx
40062c: 48 81 c1 f2 3e 00 00  add    rcx,0x3ef2
400633: c4 e2 e8 f7 d9        bextr  rbx,rcx,rdx

# rdx is the control operand for bextr.
rdx bits 0-7: starting bit index
rdx bits 8-15: length in bits
***
400639: aa                    stos   BYTE PTR es:[rdi],al       # stores al at [rdi], then advances rdi
                                                                # requires rdi (check), al



0000000000400510 : print_file@plt


0x00000000004006a3 : pop rdi ; ret


exploit:

write to memory using al as the letter
  set al to zero
  set rbx to memory location
    rcx: (location - 0x3ef2) before bextr
    rdx: 0x00 0x20 (from position zero, using 32 bits)