| #!/usr/bin/python3 | |
| # Ported to Python from https://gist.github.com/wofeiwo/4f41381a388accbf91f8 | |
| # Only implements packet generation, not sending/receiving | |
| import base64 | |
| class FCGIClient: | |
| def __init__(self): | |
| self.VERSION_1 = 1; | |
| self.BEGIN_REQUEST = 1; | |
| self.ABORT_REQUEST = 2; | |
| self.END_REQUEST = 3; |
| from pwn import * | |
| context.arch = "amd64" # Change as applicable | |
| e = ELF("./format") # Binary name | |
| p = process(e.path) | |
| l = p.libc # Load libc, initialised with correct values | |
| rev = {value : key for (key, value) in l.sym.items()} | |
| # Flip sym:addr dict | |
| def exec_fmt(pl): | |
| p.sendline(pl) | |
| return p.clean() |
The challenge begins by installing a Python audit hook written in C:
static int auditor_hook(const char *event, PyObject *Py_UNUSED(args), void *Py_UNUSED(user_data))
{
if (!atomic_load(&auditor_may_exec) || atomic_flag_test_and_set(&auditor_did_exec) || strcmp(event, "exec"))
auditor_exit(EXIT_FAILURE);
return 0;| import binaryninja | |
| from binaryninja.architecture import Architecture | |
| from binaryninja.function import RegisterInfo, InstructionInfo, InstructionTextToken as ITT | |
| from binaryninja.enums import InstructionTextTokenType as ITTT, BranchType | |
| from binaryninja.log import log_error, log_info | |
| from binaryninja.lowlevelil import LowLevelILLabel | |
| import struct | |
| class DWARFArchitecture(Architecture): | |
| name = "DWARF" |
| #include "tee_client_api.h" | |
| #include "grade_ca.h" | |
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <fcntl.h> | |
| #include <unistd.h> | |
| #include <sys/sendfile.h> |