Christopher Roberts ChrisTheCoolHut

ChrisTheCoolHut / solve_jump_planner.py
Created January 15, 2024 18:15
Solution script to jump planner
'''
special backdoor syscall gives flag.
Something going on with call/ret too.
No ropping?
rax = 0x5add011
rdi = ptr -> "please_give_me_flag"
rsi = 0x6942069420
'''
from pwn import *
def find_n(haystack, needle, n):
    """Return the index of occurrence number *n* of *needle*, counting from zero.

    The search restarts one position after the previous hit, so overlapping
    occurrences are counted separately. Works on any object whose ``find``
    accepts a start offset (``str``, ``bytes``).

    Args:
        haystack: The sequence to search in.
        needle: The subsequence to look for.
        n: How many occurrences to skip before returning. Values below 1
            return the first occurrence.

    Returns:
        The start index of the selected occurrence, or -1 when *haystack*
        holds too few occurrences.
    """
    idx = haystack.find(needle)
    skips_left = n
    while True:
        # Stop on a failed search, or once enough earlier hits were skipped.
        if idx < 0 or skips_left < 1:
            return idx
        idx = haystack.find(needle, idx + 1)
        skips_left -= 1
def mod_input(user_input, position, character):
user_input = list(user_input)
ChrisTheCoolHut / launch_code_solve.py
Created April 4, 2022 01:32
Space Heroes 2022 launch code solve
import angr, claripy
from pwn import *
# Test nonce (1639874435), kept as a module-level value.
nonce = 1639874435
# Relative path of the launch_code binary; presumably the file handed to angr,
# but its use is outside this preview.
file_name = "./launch_code"
def get_codes(nonce):
import requests
import argparse
# Starts empty; presumably the request payload built up later (not visible here).
data = {}
# URL template for the device's internet.cgi endpoint; "{}" is the host placeholder.
# NOTE(review): the scheme is plain http://, so anything sent to this URL crosses
# the network unencrypted, including the login values from the usage line below
# if they are sent to it.
base_url = "http://{}/cgi-bin/internet.cgi"
# Usage (arguments appear to be host, username, password, command; confirm in main()):
# python CVE-2019-13087.py 192.168.1.1 admin password 'sleep 10'
# NOTE(review): a password passed on the command line ends up in shell history
# and process listings; prompting for it (e.g. getpass) avoids that.
def main():
parser = argparse.ArgumentParser()
ChrisTheCoolHut / Verbal_syslog.c
Created January 22, 2019 17:30
Syslog hook to print to STDOUT
#define _GNU_SOURCE
#include <stdarg.h>
#include <stdio.h>
#include <dlfcn.h>
//dockcross-linux-armv5 bash -c '$CC verbal_syslog.c -fPIC -shared -ldl -o Verbal_syslog_static.so'
void syslog(int priority, const char* format, ...)
{
va_list args;
va_start(args, format);
import angr
import claripy
import argparse
#angr logging is way too verbose
import logging
# Names of the loggers to silence: angr and its pyvex / claripy / cle components.
log_things = ["angr", "pyvex", "claripy", "cle"]
for noisy_name in log_things:
    # Setting .disabled drops every record sent to that logger.
    logging.getLogger(noisy_name).disabled = True