gdb-peda$ x/i $pc
=> 0xf763d100 <__libc_system>: push ebx
gdb-peda$ telescope $sp 2
00:0000| esp 0x188340de --> 0x8048c0d (add esp,0x10)
01:0004| 0x188340e2 --> 0x188340f2 ("/tmp/note||bash")
gdb-peda$ continue
...
Stopped reason: SIGSEGV
0xf763ce3c in do_system (line=0x188340f2 "/tmp/note||bash") at ../sysdeps/posix/system.c:153

apt-get install python2.7-dev python2.7
apt-get build-dep gdb
apt-get source gdb
sed -i -E "s|python3|/usr/bin/python2.7|" debian/rules
dpkg-buildpackage -uc -us -j8
dpkg -i ../*.deb
>>> class A(object): pass
...
>>> a = A()
>>> a.__len__ = lambda: 3
>>> a.__len__()
3
>>> len(a)
Traceback (most recent call last):
...
TypeError: object of type 'A' has no len()
@zachriggle
zachriggle / patch.py
Created June 25, 2014 18:10
Applies IDA Patches to Binaries
import argparse
import fileinput
import re
import binascii
import struct
unhex = binascii.unhexlify
u32 = lambda x: struct.unpack('>L', x)[0]
hexa = r'[0-9A-F]'
pattern = r'(%s{8}): (%s{2}) (%s{2})' % (hexa, hexa, hexa)
zachriggle / gist:87ebeb71e3cffc4f15da
Created May 7, 2014 23:06
radare2-regressions/run_tests.sh
[ ] anal: ldr code analysis
[OK]
[ ] anal: endian
[OK]
[ ] anal: af java multiple classes loaded via malloc and ib
[BR]
Command: /usr/local/bin/radare2 -e scr.color=0 -N -q -i /tmp/r2-regressions//anal-rad.Snxmol malloc://1023 > /tmp/r2-regressions//anal-out.pyjpEd 2> /tmp/r2-regressions//anal-err.xuWjRM
Script:
e asm.comments=false
gdb-peda$ set disable-randomization off
gdb-peda$ break main
gdb-peda$ run
gdb-peda$ vmmap
0x00007fe6e01d7000 0x00007fe6e01d8000 r-xp /home/user/a.out
0xffffffffff600000 0xffffffffff601000 r-xp [vsyscall]
gdb-peda$ run
gdb-peda$ vmmap
0x00007f7acee88000 0x00007f7acee89000 r-xp /home/user/a.out
0xffffffffff600000 0xffffffffff601000 r-xp [vsyscall]
### Keybase proof
I hereby claim:
* I am zachriggle on github.
* I am zachriggle (https://keybase.io/zachriggle) on keybase.
* I have a public key whose fingerprint is C5BE 5AF8 DD76 E311 630E 5E26 683A C112 1586 0611
To claim this, I am signing this object:
RARVM reversible/patchme
Modified 'unrar' source to dump context and disassembly.
Wrote two separate solvers since the challenge was broken.
To build the disassembler/debugger:
- unzip unrar-src-disassembler.zip -d unrar
- cd unrar
zachriggle / parse.py
Last active January 4, 2016 17:29
world_wide_something
import scapy, struct, socket, binascii, logging
from scapy.all import *
from collections import defaultdict
#
# Entry
#
def USBIP(PacketData):
    if PacketData[:2] == '\x01\x11':
zachriggle / gist:5659055
Created May 27, 2013 20:58
schemadump 192.168.1.79
msf auxiliary(mysql_schemadump) > run
[*] Schema stored in: /Users/zachriggle/.msf4/loot/20130527165753_default_192.168.1.79_mysql_schema_235782.txt
[+] MySQL Server Schema
Host: 192.168.1.79
Port: 3306
====================
---
- DBName: BadApple