This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| # NOTE: libc offset might be different, i'm using my local libc instead of | |
| # challenge libc | |
| context.terminal = "tmux splitw -h -f".split() | |
| p = process("./chall") | |
| def goto(n): | |
| p.sendlineafter("#>", str(n)) | |
| return |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context.terminal = "tmux splitw -h -f".split() | |
| #p = process("./card") | |
| #libc = ELF("/opt/glibc2.31/lib/libc-2.31.so", checksec=False) | |
| #libc.off_leak = 3889536 | |
| #p = process("./card", env={"LD_PRELOAD":"./libc.so.6"}) | |
| p = remote("45.77.72.122", 9777) | |
| libc = ELF("./libc.so.6", checksec=False) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context.terminal = "tmux splitw -h -f".split() | |
| #p = process("./card") | |
| #libc = ELF("/opt/glibc2.31/lib/libc-2.31.so", checksec=False) | |
| #libc.off_leak = 3889536 | |
| #p = process("./card", env={"LD_PRELOAD":"./libc.so.6"}) | |
| p = remote("45.77.72.122", 9777) | |
| libc = ELF("./libc.so.6", checksec=False) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import sys | |
| from math import floor, ceil | |
| from typing import AnyStr | |
| # craft gif: http://giflib.sourceforge.net/whatsinagif/bits_and_bytes.html | |
| ASCII_TO_INT: dict = {i.to_bytes(1, 'big'): i for i in range(256)} | |
| INT_TO_ASCII: dict = {i: b for b, i in ASCII_TO_INT.items()} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from random import randint | |
| proc_name = "./tcache_king" | |
| context.terminal = "tmux splitw -h -f".split() | |
| #p = process(proc_name, env={"LD_PRELOAD":"./libc6_2.31-0ubuntu9_amd64.so"}) | |
| p = remote("128.199.157.172", 20978) | |
| libc = ELF("./libc6_2.31-0ubuntu9_amd64.so") | |
| #p = process(proc_name) | |
| #libc = ELF("/opt/glibc2.31/lib/libc.so.6") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import random | |
| p = 0 | |
| while True: | |
| try: | |
| # p = process("./blindshot") | |
| p = remote("pwn01.chal.ctf.westerns.tokyo", 12463) | |
| libc = ELF("./libc-2.31.so", checksec=False) | |
| off = 0xb80 | |
| off = 0x8 | off << 4 |
d4em0n
/ gist:a7e34486f38cce8070751c1b43c97839
Created
October 3, 2020 04:54
psesudo opcode 0xa, 0xb, 0xc, 0xd, 0x10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| opcode: 0xa | |
| if al >= 0x20 | |
| int3() | |
| rdi = eax | |
| rsi = (rdi*8 + rdi)*8 | |
| rdx = *(0x10400+rsi) | |
| *(rdx+0x40) = 1 | |
| opcode: 0xb | |
| if al >= 0x20 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // gcc -static -o exploit2 exploit2.c -lpthread | |
| // NOTE: compiling using uclibc to get small sized binary | |
| #include <stdio.h> | |
| #include <sys/types.h> | |
| #include <sys/stat.h> | |
| #include <fcntl.h> | |
| #include <poll.h> | |
| #include <pthread.h> | |
| #include <unistd.h> | |
| #include <sys/ioctl.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <sys/types.h> | |
| #include <sys/stat.h> | |
| #include <fcntl.h> | |
| #include <poll.h> | |
| #include <pthread.h> | |
| #include <unistd.h> | |
| #include <sys/ioctl.h> | |
| #include <sys/mman.h> | |
| #include <sys/syscall.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _GNU_SOURCE | |
| #include <err.h> | |
| #include <stdint.h> | |
| #include <linux/bpf.h> | |
| #include <linux/filter.h> | |
| #include <stdio.h> | |
| #include <unistd.h> | |
| #include <sys/syscall.h> | |
| #include <asm/unistd_64.h> | |
| #include <sys/types.h> |